infected :(

F

force123

New Member
Hey guys

my friend accidentally run a hidden exe file on his flash, on my computer.

the file name was sal.xls.exe. It copied itself into the drive letter E:\ (windows drive). I cannot delete it ! I'm sure I'm infected.

I run MalwareByte and it found nothing.

I run combofix, It deletes a file name ufdata2000.log in windows folder. I guess this file is related to this sal.xls.exe . But no matter how much combofix deletes it. It keeps turning back cause I can't delete the source file.

I guess I might have other viruses too !
Thanks for any help!

here's my combofix log :

ComboFix 08-10-16.08 - Alborz 2008-10-17 11:42:24.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.981.1033.18.2891 [GMT 3.5:30]
Running from: F:\Softwares\ComboFix & Friends\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\ufdata2000.log

.
((((((((((((((((((((((((( Files Created from 2008-09-17 to 2008-10-17 )))))))))))))))))))))))))))))))
.

2008-10-17 11:36 . 2008-10-17 11:36 49,152 ---hs---- E:\sal.xls.exe
2008-10-17 10:33 . 2008-10-17 10:33 49,152 --a------ E:\WINDOWS\system32\msime80.exe
2008-10-17 10:33 . 2008-10-17 10:33 49,152 --a------ E:\WINDOWS\system32\msfir80.exe
2008-10-17 10:33 . 2008-10-17 10:33 49,152 --a------ E:\WINDOWS\system32\algssl.exe
2008-10-15 19:32 . 2008-10-15 19:32 <DIR> d-------- E:\Program Files\Hewlett-Packard
2008-10-15 19:32 . 2008-10-15 19:32 <DIR> d-------- E:\Program Files\Common Files\Hewlett-Packard
2008-10-15 19:30 . 2008-10-15 19:30 <DIR> d-------- E:\Program Files\HP
2008-10-15 19:29 . 2008-10-15 19:32 100,869 --a------ E:\WINDOWS\hpgins17.dat
2008-10-15 19:29 . 2007-01-23 01:25 284 --------- E:\WINDOWS\hpgmdl17.dat
2008-10-15 08:41 . 2007-01-23 12:49 614,400 --------- E:\WINDOWS\system32\hpxpg400.dll
2008-10-15 08:41 . 2007-02-12 19:21 548,864 --------- E:\WINDOWS\system32\hpgtg400.dll
2008-10-15 08:41 . 2007-01-23 12:46 438,272 --------- E:\WINDOWS\system32\hpg400co.dll
2008-10-15 08:41 . 2007-01-23 12:50 253,952 --------- E:\WINDOWS\system32\hpscg400.dll
2008-10-14 23:53 . 2008-10-14 23:53 <DIR> d-------- E:\Program Files\Common Files\Apple
2008-10-14 23:53 . 2008-10-14 23:53 <DIR> d-------- E:\Program Files\Apple Software Update
2008-10-14 23:53 . 2008-10-14 23:53 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Apple
2008-10-14 23:53 . 2008-10-14 23:53 54,156 --ah----- E:\WINDOWS\QTFont.qfn
2008-10-14 23:53 . 2008-10-14 23:53 1,409 --a------ E:\WINDOWS\QTFont.for
2008-10-12 21:43 . 2008-10-12 21:43 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-12 21:43 . 2008-10-12 21:43 <DIR> d-------- E:\Documents and Settings\Alborz\Application Data\Malwarebytes
2008-10-12 21:43 . 2008-09-08 00:11 38,528 --a------ E:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-12 21:43 . 2008-09-08 00:11 17,200 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-10-09 04:17 . 2008-10-09 04:17 42,320 --a------ E:\WINDOWS\system32\xfcodec.dll
2008-09-27 12:46 . 2008-10-08 00:18 28 --a------ E:\WINDOWS\v2d.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-17 08:05 --------- d-----w E:\Documents and Settings\Alborz\Application Data\FileZilla
2008-10-17 07:08 --------- d-----w E:\Documents and Settings\Alborz\Application Data\uTorrent
2008-10-15 16:09 6,162 -csha-w E:\WINDOWS\system32\KGyGaAvL.sys
2008-10-14 08:18 --------- d-----w E:\Documents and Settings\Alborz\Application Data\MySQL
2008-10-14 08:04 --------- d-----w E:\Documents and Settings\Alborz\Application Data\Xfire
2008-10-05 12:11 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-09-12 17:54 34,308 ----a-w E:\WINDOWS\system32\Chip.dll
2008-09-12 17:43 4,096 ----a-w E:\WINDOWS\system32\Setup_ver1.1567.23.exe
2008-09-12 17:43 4,096 ----a-w E:\WINDOWS\system32\Setup_ver1.1567.22.exe
2008-09-12 17:41 4,096 ----a-w E:\WINDOWS\system32\Setup_ver1.1567.21.exe
2008-09-12 17:41 4,096 ----a-w E:\WINDOWS\system32\Setup_ver1.1567.2.exe
2008-09-10 14:04 1,503,948,100 ----a-w E:\Program Files\full_backup.rar
2008-09-08 04:53 --------- d-----w E:\Program Files\Common Files\Corel
2008-07-25 08:34 81,920 ----a-w E:\WINDOWS\system32\dpl100.dll
2008-07-25 08:34 683,520 ----a-w E:\WINDOWS\system32\divx.dll
2008-07-23 16:50 3,596,288 ----a-w E:\WINDOWS\system32\qt-dx331.dll
2007-08-09 07:55 8 --sh--r E:\WINDOWS\system32\85FC424469.sys
2008-05-27 08:27 88 --sh--r E:\WINDOWS\system32\D58D4D8297.sys
.

------- Sigcheck -------

2004-09-01 11:30 359040 7b11118b078b88f87183fe69eda43137 E:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-10-12_13.50.10.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-14 20:23:20 27,136 ----a-r E:\WINDOWS\Installer\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}\AppleSoftwareUpdateIco.exe
- 2008-10-12 06:31:35 59,270 ----a-w E:\WINDOWS\system32\perfc009.dat
+ 2008-10-17 08:11:10 59,270 ----a-w E:\WINDOWS\system32\perfc009.dat
- 2008-10-12 06:31:35 392,970 ----a-w E:\WINDOWS\system32\perfh009.dat
+ 2008-10-17 08:11:10 392,970 ----a-w E:\WINDOWS\system32\perfh009.dat
+ 2007-01-23 09:16:48 438,272 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hpg400co.dll
+ 2007-02-12 15:51:28 548,864 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hpgtg400.dll
+ 2007-01-23 09:20:10 253,952 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hpscg400.dll
+ 2007-01-23 09:19:20 614,400 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\hpxpg400.dll
+ 2004-08-03 19:28:46 15,104 ----a-w E:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\usbscan.sys
+ 2006-10-27 09:10:14 12,288 ----a-r E:\WINDOWS\Twunk_16.dll
+ 2006-10-27 09:10:14 12,288 ----a-r E:\WINDOWS\Twunk_32.dll
+ 2006-03-23 07:45:32 96,256 ----a-w E:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_6e85597b\ATL80.dll
+ 2006-03-23 07:44:36 479,232 ----a-w E:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcm80.dll
+ 2006-03-23 07:44:36 548,864 ----a-w E:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcp80.dll
+ 2006-03-23 07:44:36 626,688 ----a-w E:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_0de56c07\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-09-01 15360]
"IECheck"="E:\WINDOWS\IECheck.exe" [2005-11-17 108544]
"MsServer"="msfir80.exe" [2008-10-17 E:\WINDOWS\system32\msfir80.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 208952]
"PHIME2002ASync"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 455168]
"PHIME2002A"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 455168]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2008-01-08 8523776]
"RemoteControl"="f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"VirtualCloneDrive"="f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"CloneCDTray"="f:\Program Files\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"ISUSPM Startup"="E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ISUSScheduler"="E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"NeroFilterCheck"="E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2008-01-08 81920]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696]
"nwiz"="nwiz.exe" [2008-01-08 E:\WINDOWS\system32\nwiz.exe]
"FmctrlTray"="Fmctrl.EXE" [2001-11-06 E:\WINDOWS\system32\fmctrl.exe]
"IMJPMIG8.2"="msime80.exe" [2008-10-17 E:\WINDOWS\system32\msime80.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-09-01 15360]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.l3codec"= l3codecp.acm
"VIDC.XFR1"= xfcodec.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"E:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"E:\\Program Files\\uTorrent\\uTorrent.exe"=
"F:\\Program Files\\wa\\WA.exe"=
"F:\\Program Files\\Yahoo! Messenger\\YahooMessenger.exe"=
"F:\\Program Files\\Yahoo! Messenger\\YServer.exe"=

R1 Cinemsup;Cinemsup;E:\WINDOWS\system32\drivers\Cinemsup.sys [2002-07-19 6656]
R2 Apache2.2;Apache2.2;E:\Program Files\Apache2.2\bin\httpd.exe [2007-09-05 24635]
R2 MySQL5;MySQL5;E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=E:\Program Files\MySQL\MySQL Server 5.0\my.ini MySQL5 [ ]
R3 gameport;Genius SM-Live Series PCI Joystick;E:\WINDOWS\system32\DRIVERS\fmjoy.sys [2001-10-31 9728]
R3 SKYNET;TechniSat DVB-PC TV Star PCI;E:\WINDOWS\system32\DRIVERS\SkyNET.SYS [2006-03-14 349184]
R3 wdm_fm801;Genius SM-Live Series PCI Audio (WDM);E:\WINDOWS\system32\drivers\fm801.sys [2001-08-17 320163]
S1 rxp;rxp;E:\WINDOWS\system32\drivers\rxp.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3e0f2a-35e3-11dd-aa6b-00d0d714a718}]
\Shell\Auto\command - sunny.exe
\Shell\AutoRun\command - E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{660b21a9-4989-11dc-a765-00d0d714a718}]
\Shell\AutoRun\command - P:\autorun.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - E:\Documents and Settings\Alborz\Application Data\Mozilla\Firefox\Profiles\a58asg4q.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-17 11:43:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IMJPMIG8.2 = msime80.exe???.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsServer = msfir80.exe???l

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="E:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySql]
"ImagePath"="E:/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MySQL5]
"ImagePath"="\"E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"E:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL5"
.
Completion time: 2008-10-17 11:45:28
ComboFix-quarantined-files.txt 2008-10-17 08:14:26
ComboFix2.txt 2008-10-17 07:28:06
ComboFix3.txt 2008-10-17 07:15:41
ComboFix4.txt 2008-10-12 17:48:38
ComboFix5.txt 2008-10-17 08:04:32

Pre-Run: 61,654,745,088 bytes free
Post-Run: 61,643,104,256 bytes free

178
 
And here's hijackthis AFTER the combfix :


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55, on 2008-10-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\VirtualCloneDrive\VCDDaemon.exe
E:\WINDOWS\system32\Fmctrl.EXE
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\algssl.exe
E:\Program Files\Apache2.2\bin\httpd.exe
E:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
E:\Program Files\Apache2.2\bin\httpd.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PSIService.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\wscntfy.exe
F:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - f:\Program Files\FLV Downloader\MoyeaCth.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - f:\PROGRA~1\LONGMA~1\LAD001PE\setup\qf\IEHelp.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "f:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IECheck] E:\WINDOWS\IECheck.exe
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33DECB99-D7B7-4170-B79D-8D7848592871}: NameServer = 81.12.74.3 62.220.100.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE40051E-E6D6-4EA2-B283-08CDF7E28DB4}: NameServer = 217.218.127.104,4.2.2.4
O23 - Service: Apache2.2 - Apache Software Foundation - E:\Program Files\Apache2.2\bin\httpd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySql - Unknown owner - E:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - E:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - E:\WINDOWS\system32\PSIService.exe

--
End of file - 7664 bytes
 
Hello.

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
E:\WINDOWS\QTFont.qfn
E:\WINDOWS\QTFont.for
E:\sal.xls.exe
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.
 
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at E:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "E:\WINDOWS\QTFont.qfn" deleted successfully.
File "E:\WINDOWS\QTFont.for" deleted successfully.
File "E:\sal.xls.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




the sal.xls.exe is still in e:\ and one in f:\ .
it is being copied again!
 
Hello, let's try this:

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Files to delete:
E:\sal.xls.exe
F:\sal.xls.exe
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.


Step Two:


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Please post both logs in your next reply.
 
Before read your post I managed to delete that file so that it didn't came back.

so I skip the avenger part.

here's the 2 other logs :


SDFix: Version 1.236
Run by Administrator on Sun 10/19/2008 at 12:02 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: E:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

E:\WINDOWS\system32\Setup_ver1.1567.2.exe - Deleted
E:\WINDOWS\system32\Setup_ver1.1567.21.exe - Deleted
E:\WINDOWS\system32\Setup_ver1.1567.22.exe - Deleted
E:\WINDOWS\system32\Setup_ver1.1567.23.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-19 00:10:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:990267d2
"s1"=dword:6d4bddb0
"s2"=dword:af41b803
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:39,48,42,26,c2,1d,2d,74,54,e6,25,5d,db,a6,96,57,c1,40,3e,5d,b4,..
"p0"="f:\Program Files\Alcohol Soft\Alcohol 120\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"h0"=dword:00000000
"ujdew"=hex:39,48,42,26,c2,1d,2d,74,54,e6,25,5d,db,a6,96,57,c1,40,3e,5d,b4,..
"p0"="f:\Program Files\Alcohol Soft\Alcohol 120\"

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"E:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="E:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"E:\\Program Files\\uTorrent\\uTorrent.exe"="E:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"F:\\Program Files\\wa\\WA.exe"="F:\\Program Files\\wa\\WA.exe:*:Enabled:Worms Armageddon"
"F:\\Program Files\\Yahoo! Messenger\\YahooMessenger.exe"="F:\\Program Files\\Yahoo! Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"F:\\Program Files\\Yahoo! Messenger\\YServer.exe"="F:\\Program Files\\Yahoo! Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="E:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"E:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="E:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - E:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 9 Aug 2007 8 ..SHR --- E:\WINDOWS\SYSTEM32\85FC42~1.SYS
Tue 27 May 2008 88 ..SHR --- E:\WINDOWS\SYSTEM32\D58D4D~1.SYS
Sat 18 Oct 2008 6,110 A.SH. --- E:\WINDOWS\SYSTEM32\KGYGAAVL.SYS
Wed 15 Aug 2007 4,348 A.SH. --- E:\DOCUME~1\ALLUSE~1\DRM\DRMV1.BAK
Sat 23 Aug 2008 164,880 A..H. --- E:\DOCUME~1\ALBORZ\APPLIC~1\MICROS~1\VIRTUA~1\VPCKEY~1.DLL
Fri 17 Oct 2008 444 ...HR --- E:\DOCUME~1\ALBORZ\APPLIC~1\SECUROM\USERDATA\SECURO~1.BAK

Finished!


Hijackthis :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:14, on 2008-10-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Apache2.2\bin\httpd.exe
E:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\Program Files\Apache2.2\bin\httpd.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PSIService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\notepad.exe
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\VirtualCloneDrive\VCDDaemon.exe
E:\WINDOWS\system32\Fmctrl.EXE
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - f:\Program Files\FLV Downloader\MoyeaCth.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - f:\PROGRA~1\LONGMA~1\LAD001PE\setup\qf\IEHelp.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "f:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IECheck] E:\WINDOWS\IECheck.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE40051E-E6D6-4EA2-B283-08CDF7E28DB4}: NameServer = 217.218.127.104,4.2.2.4
O23 - Service: Apache2.2 - Apache Software Foundation - E:\Program Files\Apache2.2\bin\httpd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySql - Unknown owner - E:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - E:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - E:\WINDOWS\system32\PSIService.exe

--
End of file - 7470 bytes
 
Let's have a closer look:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
 
it didn't give me the extra.txt, only main.txt :

Deckard's System Scanner v20071014.68
Run by Alborz on 2008-10-20 09:22:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Alborz.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22, on 2008-10-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
F:\Program Files\VirtualCloneDrive\VCDDaemon.exe
E:\WINDOWS\system32\Fmctrl.EXE
F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Apache2.2\bin\httpd.exe
E:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
E:\Program Files\Apache2.2\bin\httpd.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\PnkBstrA.exe
E:\WINDOWS\system32\PSIService.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
F:\Softwares\ComboFix & Friends\dss.exe
F:\PROGRA~1\HIJACK~1\Alborz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - f:\Program Files\FLV Downloader\MoyeaCth.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - f:\PROGRA~1\LONGMA~1\LAD001PE\setup\qf\IEHelp.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - E:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [CloneCDTray] "f:\Program Files\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ISUSPM Startup] "E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [FmctrlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IECheck] E:\WINDOWS\IECheck.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - F:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - f:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - f:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{33DECB99-D7B7-4170-B79D-8D7848592871}: NameServer = 81.12.74.3 62.220.100.201
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE40051E-E6D6-4EA2-B283-08CDF7E28DB4}: NameServer = 217.218.127.104,4.2.2.4
O23 - Service: Apache2.2 - Apache Software Foundation - E:\Program Files\Apache2.2\bin\httpd.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - F:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - E:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySql - Unknown owner - E:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: MySQL5 - Unknown owner - E:\Program.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - E:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ProtexisLicensing - Unknown owner - E:\WINDOWS\system32\PSIService.exe

--
End of file - 7530 bytes

-- Files created between 2008-09-20 and 2008-10-20 -----------------------------

2008-10-17 10:33:46 49152 --a------ E:\WINDOWS\system32\algssl.exe <Not Verified; Microsoft Corp.; FireWall Files>
2008-10-15 19:32:09 0 d-------- E:\Program Files\Common Files\Hewlett-Packard
2008-10-15 19:32:08 0 d-------- E:\Program Files\Hewlett-Packard
2008-10-15 19:30:53 0 d-------- E:\Program Files\HP
2008-10-15 19:29:54 284 -----n--- E:\WINDOWS\hpgmdl17.dat
2008-10-15 19:29:54 100869 --a------ E:\WINDOWS\hpgins17.dat
2008-10-14 23:53:40 0 d-------- E:\Program Files\Common Files\Apple
2008-10-14 23:53:18 0 d-------- E:\Program Files\Apple Software Update
2008-10-14 23:53:18 0 d-------- E:\Documents and Settings\All Users\Application Data\Apple
2008-10-12 21:43:21 0 d-------- E:\Documents and Settings\Alborz\Application Data\Malwarebytes
2008-10-12 21:43:19 0 d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-09 10:37:44 1763 --a------ E:\Documents and Settings\All Users\Application Data\QTSBandwidthCache


-- Find3M Report ---------------------------------------------------------------

2008-10-20 00:33:18 0 d-------- E:\Documents and Settings\Alborz\Application Data\FileZilla
2008-10-19 22:08:09 6110 --ahs--c- E:\WINDOWS\system32\KGyGaAvL.sys
2008-10-19 18:33:41 0 d-------- E:\Documents and Settings\Alborz\Application Data\MySQL
2008-10-18 18:17:11 0 d-------- E:\Program Files\Common Files
2008-10-17 13:15:09 0 d-------- E:\Documents and Settings\Alborz\Application Data\uTorrent
2008-10-14 11:34:24 0 d-------- E:\Documents and Settings\Alborz\Application Data\Xfire
2008-09-26 10:36:41 7228 --a------ E:\Documents and Settings\Alborz\Application Data\Cabos.plist
2008-09-12 21:24:28 34308 --a------ E:\WINDOWS\system32\Chip.dll
2008-09-10 17:34:28 1503948100 --a------ E:\Program Files\full_backup.rar
2008-09-08 08:23:09 0 d-------- E:\Program Files\Common Files\Corel
2008-09-04 22:18:15 0 d-------- E:\Documents and Settings\Alborz\Application Data\WinRAR
2008-07-25 12:04:54 81920 --a------ E:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-07-25 12:04:36 683520 --a------ E:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2008-07-23 20:20:52 3596288 --a------ E:\WINDOWS\system32\qt-dx331.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="E:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-09-01 11:30]
"PHIME2002ASync"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-09-01 11:30]
"PHIME2002A"="E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-09-01 11:30]
"NvCplDaemon"="E:\WINDOWS\system32\NvCpl.dll" [2008-01-08 21:23]
"nwiz"="nwiz.exe" [2008-01-08 21:23 E:\WINDOWS\system32\nwiz.exe]
"RemoteControl"="f:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 19:24]
"VirtualCloneDrive"="f:\Program Files\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 16:51]
"CloneCDTray"="f:\Program Files\CloneCD\CloneCDTray.exe" [2005-05-19 17:17]
"ISUSPM Startup"="E:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 15:30]
"ISUSScheduler"="E:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30]
"FmctrlTray"="Fmctrl.EXE" [2001-11-06 15:57 E:\WINDOWS\system32\fmctrl.exe]
"NeroFilterCheck"="E:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57]
"NBKeyScan"="E:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 09:51]
"SunJavaUpdateSched"="F:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25]
"NvMediaCenter"="E:\WINDOWS\system32\NvMcTray.dll" [2008-01-08 21:23]
"QuickTime Task"="F:\Program Files\QuickTime\qttask.exe" [2008-09-06 15:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-09-01 11:30]
"IECheck"="E:\WINDOWS\IECheck.exe" [2005-11-17 19:40]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 02:38:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5b3e0f2a-35e3-11dd-aa6b-00d0d714a718}]
Auto\command- sunny.exe
AutoRun\command- E:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sunny.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{660b21a9-4989-11dc-a765-00d0d714a718}]
AutoRun\command- P:\autorun.exe




-- End of Deckard's System Scanner: finished at 2008-10-20 09:23:02 ------------


my pc is working much better after SDfix .

Do you know what is this file : KGyGaAvL.sys ?
No program detect it as trojan. but the name is like a trojan to me.
 
Glad it's all sorted.

I recommend you delete the programs we used, they are not to be used lightly, they can harm your computer if not used correctly.

Also may I advise you stop illegal downloading? That's 90% of the time the reason you got infected.

Have a nice surf online :)
Punk
 
You must log in or register to reply here.
Back
Top