
Topic: application can not be executed. the file *** is infected


john bb


    application can not be executed. the file *** is infected
    « on: May 05, 2010, 08:24:42 PM »
    I had a major problem today with my computer. Every time I tried to run a program I got a message saying that the application can not be executed, the file "file name" is infected. I read a bunch of posts and managed to get rid of the message by running rkill and then ComboFix, but how do I know my computer is really virus free?

    Dr Jay

    Re: application can not be executed. the file *** is infected
    « Reply #1 on: May 05, 2010, 09:43:29 PM »
    Hi. Welcome to Computer Hope!

    Re-run ComboFix and post a log.
    ~Dr Jay

    john bb


      Re: application can not be executed. the file *** is infected
      « Reply #2 on: May 06, 2010, 05:52:18 AM »
      Here is the ComboFix log



      ComboFix 10-05-05.04 - John 05/05/10  21:25:59.1.2 - x86 MINIMAL
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.684 [GMT -4:00]
      Running from: c:\documents and settings\John\Desktop\ComboFix.exe
      AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

      WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      c:\docume~1\John\LOCALS~1\Temp\lsass.exe
      c:\docume~1\John\LOCALS~1\Temp\taskmgr.exe
      c:\docume~1\John\LOCALS~1\Temp\winlogon.exe
      c:\documents and settings\John\Local Settings\Application Data\ighfntrja
      c:\documents and settings\John\Local Settings\Application Data\ighfntrja\hqiuexatssd.exe
      c:\program files\WindowsUpdate
      c:\windows\system32\driVERs\jcfixc.sys
      c:\windows\system32\morlsfbav6.dll

      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_jcfixc
      -------\Service_jcfixc


      (((((((((((((((((((((((((   Files Created from 2010-04-06 to 2010-05-06  )))))))))))))))))))))))))))))))
      .

      2010-05-05 23:53 . 2010-05-05 23:53   --------   d--h--w-   c:\windows\system32\GroupPolicy
      2010-05-05 23:42 . 2010-05-05 23:42   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
      2010-05-03 18:28 . 2010-05-03 18:53   --------   d-----w-   C:\DocOnCD
      2010-05-03 16:55 . 2010-05-03 16:55   --------   d-----w-   c:\windows\system32\4PUPSPPPPPfmis
      2010-05-03 16:55 . 2010-05-03 16:55   --------   d-----w-   c:\windows\4PUPSPPPPPfmis
      2010-05-03 13:29 . 2010-05-03 13:29   --------   d-----w-   C:\FLASH
      2010-04-30 15:02 . 2010-04-30 15:02   --------   d-----w-   c:\windows\system32\3PQPQpexYafmis
      2010-04-30 15:02 . 2010-04-30 15:02   --------   d-----w-   c:\windows\3PQPQpexYafmis
      2010-04-30 12:29 . 2010-04-30 12:30   --------   dc-h--w-   c:\windows\ie8
      2010-04-30 03:02 . 2010-04-30 03:02   --------   d-----w-   c:\documents and settings\John\Application Data\PKWARE
      2010-04-30 03:02 . 2010-04-30 03:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\PKWARE
      2010-04-29 22:45 . 2010-04-29 22:45   --------   d-----w-   C:\HWUpdates
      2010-04-29 22:09 . 2010-05-03 16:55   --------   d-----w-   C:\AX NF ZZ
      2010-04-29 20:27 . 2010-04-29 20:27   --------   d-----w-   c:\documents and settings\John\Local Settings\Application Data\SIEMENS AG
      2010-04-29 20:27 . 2010-04-29 20:27   --------   d-----w-   c:\documents and settings\John\Application Data\SIEMENS AG
      2010-04-29 19:53 . 2010-04-29 20:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\Siemens AG
      2010-04-29 19:51 . 2010-04-29 19:51   --------   d-----w-   c:\program files\Common Files\OPC Foundation
      2010-04-29 19:51 . 2010-04-29 19:51   --------   d-----w-   c:\program files\Common Files\Data Dynamics
      2010-04-29 19:43 . 2010-04-29 19:46   --------   d-----w-   c:\program files\Microsoft.NET
      2010-04-29 19:41 . 2010-04-29 19:41   --------   d-----w-   c:\program files\MSXML 6.0
      2010-04-29 19:35 . 2010-05-06 01:03   --------   d-----w-   c:\documents and settings\John\My Backup
      2010-04-29 19:10 . 2010-04-29 19:10   --------   d-----w-   c:\program files\PKWARE
      2010-04-29 19:10 . 2010-04-29 19:10   --------   d-----w-   c:\program files\Common Files\PKWARE
      2010-04-29 17:32 . 2010-04-29 17:32   --------   d-----w-   c:\program files\OPC Foundation
      2010-04-29 14:24 . 2010-05-06 01:03   --------   d-----w-   c:\documents and settings\John\Application Data\Dmailer
      2010-04-28 19:31 . 2001-08-18 02:36   8704   -c--a-w-   c:\windows\system32\dllcache\kbdjpn.dll
      2010-04-28 19:31 . 2001-08-18 02:36   8704   ----a-w-   c:\windows\system32\kbdjpn.dll
      2010-04-28 19:31 . 2001-08-18 02:36   8192   -c--a-w-   c:\windows\system32\dllcache\kbdkor.dll
      2010-04-28 19:31 . 2001-08-18 02:36   8192   ----a-w-   c:\windows\system32\kbdkor.dll
      2010-04-28 19:31 . 2001-08-17 18:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101c.dll
      2010-04-28 19:31 . 2001-08-17 18:55   6144   ----a-w-   c:\windows\system32\kbd101c.dll
      2010-04-28 19:31 . 2001-08-17 18:55   5632   -c--a-w-   c:\windows\system32\dllcache\kbd103.dll
      2010-04-28 19:31 . 2001-08-17 18:55   5632   ----a-w-   c:\windows\system32\kbd103.dll
      2010-04-28 19:31 . 2001-08-17 18:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101b.dll
      2010-04-28 19:31 . 2001-08-17 18:55   6144   ----a-w-   c:\windows\system32\kbd101b.dll
      2010-04-28 19:31 . 2008-04-14 09:39   6144   -c--a-w-   c:\windows\system32\dllcache\kbd106.dll
      2010-04-28 19:31 . 2008-04-14 09:39   6144   ----a-w-   c:\windows\system32\kbd106.dll
      2010-04-28 15:55 . 2010-04-28 17:24   --------   d-----w-   C:\PB
      2010-04-25 17:16 . 2010-04-30 13:21   --------   d-----w-   c:\program files\dncSoftware
      2010-04-25 17:14 . 2010-04-30 13:20   --------   d-----w-   c:\program files\ProEZNC
      2010-04-16 14:24 . 2007-06-12 11:20   40960   ----a-r-   c:\windows\system32\drivers\LS8SYS.sys
      2010-04-16 13:58 . 2010-04-16 13:58   --------   d-----w-   c:\windows\PanTherLink
      2010-04-16 13:58 . 2010-04-16 13:58   --------   d-----w-   c:\program files\PanTherLink
      2010-04-15 23:26 . 2010-04-15 23:26   --------   d-----w-   c:\program files\Cricut Software
      2010-04-10 15:49 . 2010-04-10 15:49   --------   d-----w-   c:\documents and settings\John\Application Data\Got Game Entertainment
      2010-04-10 15:48 . 2005-05-26 19:34   2297552   ----a-w-   c:\windows\system32\d3dx9_26.dll
      2010-04-10 15:37 . 2010-04-15 00:28   --------   d-----w-   c:\program files\Wine Tycoon
      2010-04-07 12:37 . 2010-04-07 12:36   737280   ----a-w-   c:\windows\iun6002.exe

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-05-05 12:54 . 2009-10-19 17:43   --------   d-----w-   c:\program files\DOConCD
      2010-04-30 20:17 . 2009-10-19 17:35   --------   d-----w-   c:\program files\Common Files\Siemens
      2010-04-30 13:20 . 2010-03-29 19:54   --------   d-----w-   c:\program files\MultiBatch
      2010-04-30 10:19 . 2009-10-19 18:44   136896   ----a-w-   c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
      2010-04-29 20:11 . 2009-10-19 20:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Siemens
      2010-04-29 19:57 . 2009-10-19 16:37   --------   d--h--w-   c:\program files\InstallShield Installation Information
      2010-04-29 19:48 . 2009-10-19 17:35   --------   d-----w-   c:\program files\SIEMENS
      2010-04-29 19:43 . 2009-10-19 23:09   --------   d-----w-   c:\program files\Microsoft SQL Server
      2010-04-29 17:31 . 2009-10-19 17:48   --------   d-----w-   c:\program files\Common Files\Adobe
      2010-04-28 19:03 . 2010-03-11 22:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\WinZip
      2010-04-27 22:36 . 2010-02-09 20:37   664   ----a-w-   c:\windows\system32\d3d9caps.dat
      2010-04-16 13:04 . 2009-10-22 22:29   --------   d-----w-   c:\program files\Google
      2010-04-08 21:44 . 2009-10-22 21:52   --------   d-----w-   c:\documents and settings\John\Application Data\Skype
      2010-04-08 18:29 . 2009-10-22 21:53   --------   d-----w-   c:\documents and settings\John\Application Data\skypePM
      2010-04-08 12:17 . 2010-01-04 17:15   --------   d-----w-   c:\program files\Yahoo!
      2010-04-05 23:05 . 2009-10-29 14:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
      2010-04-05 22:45 . 2009-12-15 17:31   --------   d-----w-   c:\documents and settings\John\Application Data\Yahoo!
      2010-03-30 03:21 . 2009-11-02 22:04   --------   d-----w-   c:\program files\Assembly Vision
      2010-03-30 03:18 . 2010-03-11 13:45   --------   d-----w-   c:\program files\Uniblue
      2010-03-29 23:18 . 2009-11-17 21:59   256   ----a-w-   c:\windows\system32\pool.bin
      2010-03-28 20:32 . 2009-11-17 21:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\Research In Motion
      2010-03-27 16:36 . 2009-11-13 18:20   --------   d-----w-   c:\documents and settings\John\Application Data\ZoomBrowser EX
      2010-03-27 15:17 . 2009-10-19 18:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\ZoomBrowser
      2010-03-11 22:21 . 2009-11-18 23:46   --------   d-----w-   c:\program files\Cinemaware Marquee
      2010-03-11 22:16 . 2010-03-11 22:16   --------   d-----w-   c:\program files\Sinumerik
      2010-03-11 15:57 . 2009-12-28 22:25   --------   d-----w-   c:\program files\Aide PDF to DXF Converter
      2010-03-11 14:01 . 2010-03-11 14:01   --------   d-----w-   c:\program files\Hide My IP 2009
      2010-03-11 14:01 . 2010-02-25 01:18   --------   d-----w-   c:\program files\WhatsRunning
      2010-03-11 14:00 . 2010-03-11 14:00   --------   d-----w-   c:\documents and settings\John\Application Data\U3
      2010-03-11 14:00 . 2010-03-09 15:47   --------   d-----w-   c:\program files\FinalUninstaller
      2010-03-11 13:50 . 2010-03-11 13:45   --------   d-----w-   c:\documents and settings\John\Application Data\Uniblue
      2010-03-09 15:50 . 2010-03-09 15:50   --------   d-----w-   c:\documents and settings\John\Application Data\CheeseSoft
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
      "Dmailer_Backup_Manager.exe"="c:\documents and settings\John\Application Data\Dmailer\Dmailer_Backup_Manager.exe" [2010-03-18 37435576]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
      "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
      "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
      "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
      "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
      "HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
      "DuelTray"="c:\program files\Duel Systems\DuelAdapter\DuelTray.exe" [2007-03-12 69632]
      "cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-10-19 177392]
      "QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-10-19 14088]
      "CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-12-02 230664]
      "S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
      "WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2009-02-25 114688]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\WINDOWS\\system32\\s7otbxsx.exe"=
      "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
      "c:\\Program Files\\SIEMENS\\SIMATIC WinCC flexible\\WinCC flexible 2008\\HmiES.exe"=
      "c:\\Program Files\\SIEMENS\\SIMATIC WinCC flexible\\WinCC flexible 2008\\TraceServer.exe"=
      "c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\MiniWeb.exe"=
      "c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\SmartServer.exe"=
      "c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\HmiLoad.exe"=

      R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\sws\almsrv\almsrvx.exe [01/22/09 01:19 1200128]
      R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [06/25/07 15:46 266240]
      R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [06/25/07 15:47 28363]
      R2 DuelService;DuelAdapter Support Service;c:\program files\Duel Systems\DuelAdapter\DuelService.exe [03/11/07 22:09 106496]
      R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [02/10/07 09:29 29178224]
      R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [05/04/05 00:04 9150464]
      R2 s7asysvx;S7 Global Services;c:\program files\SIEMENS\Step7\S7BIN\s7asysvx.exe [07/14/08 19:02 69685]
      R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [01/22/09 15:44 77312]
      R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [01/22/09 15:56 1576008]
      R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [01/22/09 15:45 31232]
      R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [07/30/07 11:06 71168]
      R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [01/22/09 15:56 240712]
      R2 SSCService;SIMATIC Security Control Service;c:\program files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe [10/16/08 13:09 339968]
      R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [11/05/07 11:31 115654]
      R3 cpuz126;cpuz126;c:\program files\Duel Systems\DuelAdapter\cpuz.sys [12/14/06 14:00 7808]
      R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [02/24/09 21:37 6656]
      R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [08/16/07 21:10 189704]
      S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/22/09 18:29 133104]
      S3 <NtDriverName>;<NtDriverName>;c:\windows\system32\Drivers\<NtDriverName>.sys --> c:\windows\system32\Drivers\<NtDriverName>.sys [?]
      S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [07/04/05 15:04 68280]
      S3 LS8SYS;Firmware Upgrade;c:\windows\system32\drivers\LS8SYS.sys [04/16/10 10:24 40960]
      S3 S7o5512x;SIMATIC CP 5512;c:\windows\system32\drivers\S7o5512x.sys [11/07/07 18:33 209480]
      S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/02 02:34 30512]
      S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [05/03/05 21:42 323584]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
      getPlusHelper   REG_MULTI_SZ      getPlusHelper
      .
      Contents of the 'Scheduled Tasks' folder

      2010-04-17 c:\windows\Tasks\CAAntiSpywareScan_Daily as John at 6 57 PM.job
      - c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]

      2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 22:29]

      2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 22:29]
      .
      .
      ------- Supplementary Scan -------
      .
      uInternet Settings,ProxyServer = http=127.0.0.1:5555
      uInternet Settings,ProxyOverride = <local>
      DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
      .
      .
      ------- File Associations -------
      .
      .scr=AutoCADLTScriptFile
      .
      - - - - ORPHANS REMOVED - - - -

      Toolbar-Locked - (no file)
      HKCU-Run-pqycjplf - c:\documents and settings\John\Local Settings\Application Data\ighfntrja\hqiuexatssd.exe
      HKLM-Run-pqycjplf - c:\documents and settings\John\Local Settings\Application Data\ighfntrja\hqiuexatssd.exe



      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-05-05 21:54
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- LOCKED REGISTRY KEYS ---------------------

      [HKEY_USERS\S-1-5-21-1659004503-1606980848-1417001333-1003\Software\SecuROM\License information*]
      "datasecu"=hex:8f,e9,ff,59,1d,b8,d8,c1,43,5a,63,9f,7a,fd,29,55,f2,8e,d5,40,65,
         67,03,e1,79,5e,5e,e6,65,cc,4a,79,64,6d,6e,71,86,ee,84,8f,72,ed,eb,b3,c1,33,\
      "rkeysecu"=hex:f8,4e,d7,4b,b7,4c,6b,28,98,83,7c,12,c3,89,1b,65
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(1620)
      c:\windows\system32\Ati2evxx.dll
      c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
      c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
      c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
      c:\windows\system32\netprovcredman.dll

      - - - - - - - > 'explorer.exe'(4976)
      c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
      c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
      c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\OneX.DLL
      c:\windows\system32\eappprxy.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\netprovcredman.dll
      .
      ------------------------ Other Running Processes ------------------------
      .
      c:\windows\system32\Ati2evxx.exe
      c:\program files\Intel\Wireless\Bin\S24EvMon.exe
      c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
      c:\program files\Intel\Wireless\Bin\EvtEng.exe
      c:\program files\Common Files\Siemens\ALMPanelPlugin\ALMPanelPlugin.exe
      c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
      c:\program files\Java\jre6\bin\jqs.exe
      c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
      c:\program files\Intel\Wireless\Bin\RegSrvc.exe
      c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
      c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
      c:\windows\system32\wdfmgr.exe
      c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
      c:\program files\Intel\Wireless\Bin\WLKeeper.exe
      c:\program files\Canon\CAL\CALMAIN.exe
      c:\windows\system32\Ati2evxx.exe
      c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
      c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiES.exe
      c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
      c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
      c:\program files\Common Files\Siemens\Sqlany\dbsrv9.exe
      c:\program files\Common Files\Siemens\SWS\almsrv\almsrvbubblex.exe
      .
      **************************************************************************
      .
      Completion time: 2010-05-05  22:11:23 - machine was rebooted
      ComboFix-quarantined-files.txt  2010-05-06 02:09

      Pre-Run: 105,157,640,192 bytes free
      Post-Run: 105,376,329,728 bytes free

      - - End Of File - - 3FE9D895161A8E269A83EA697190F279
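To answer the question of what a log like this actually tells you, here is an added Python example (not from Computer Hope or from the ComboFix project) that splits a ComboFix log into its sections and flags the three things a responder would look at first in this one: core Windows process names dropped in a Temp folder, a proxy setting that points back at the local machine, and the orphaned Run keys. The section-header layout is inferred from the log above; the sample input is an abridged, constructed excerpt of it.

```python
import re

# Abridged excerpt of the ComboFix log posted in Reply #2 above, embedded here
# as constructed sample input so the script runs offline.
SAMPLE_LOG = r"""
ComboFix 10-05-05.04 - John 05/05/10  21:25:59.1.2 - x86 MINIMAL
AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\John\LOCALS~1\Temp\lsass.exe
c:\docume~1\John\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\John\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\John\Local Settings\Application Data\ighfntrja\hqiuexatssd.exe
c:\windows\system32\driVERs\jcfixc.sys
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_jcfixc
-------\Service_jcfixc
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKCU-Run-pqycjplf - c:\documents and settings\John\Local Settings\Application Data\ighfntrja\hqiuexatssd.exe
HKLM-Run-pqycjplf - c:\documents and settings\John\Local Settings\Application Data\ighfntrja\hqiuexatssd.exe
**************************************************************************
"""

# The three header shapes seen in the log: "((((  Name  ))))", "------- Name -------"
# and "- - - - NAME - - - -". Anything else is an entry of the current section.
HEADER_PATTERNS = [
    re.compile(r"^\({3,}\s*(.+?)\s*\){3,}$"),
    re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$"),
    re.compile(r"^(?:- ){2,}(.+?)(?: -){2,}$"),
]

# Core Windows binaries that have no business living in a user's Temp folder.
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe",
    "svchost.exe", "smss.exe", "taskmgr.exe", "explorer.exe",
}
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
LOOPBACK_RE = re.compile(
    r"(?:^|=|//)(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(?::\d+)?", re.IGNORECASE)
ORPHAN_RE = re.compile(r"^(HK(?:LM|CU))-Run-(\S+)\s+-\s+(.*)$")


def match_header(line):
    """Return the section name if this line is a section header, else None."""
    for pattern in HEADER_PATTERNS:
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def parse_sections(log_text):
    """Split the log into {section name: [entry lines]}; text before the first header is 'Header'."""
    sections = {"Header": []}
    current = "Header"
    for raw in log_text.splitlines():
        line = raw.strip()
        # Skip blank lines, the "." separators and the rows of asterisks.
        if not line or line == "." or set(line) <= {"*"}:
            continue
        name = match_header(line)
        if name:
            current = name
            sections.setdefault(current, [])
            continue
        sections[current].append(line)
    return sections


def find_masquerading_binaries(sections):
    """Entries whose file name is a core Windows process but whose path is under a Temp folder."""
    hits = []
    for name, entries in sections.items():
        for entry in entries:
            path = entry.lower()
            base = path.rsplit("\\", 1)[-1]
            if base in SYSTEM_PROCESS_NAMES and TEMP_DIR_RE.search(path):
                hits.append((name, entry))
    return hits


def find_loopback_proxy(sections):
    """The ProxyServer value if it points at the local machine, else None."""
    for entries in sections.values():
        for entry in entries:
            m = PROXY_RE.match(entry)
            if m and LOOPBACK_RE.search(m.group(1)):
                return m.group(1)
    return None


def find_orphan_run_keys(sections):
    """Run-key autostarts ComboFix removed as orphans, with hive, value name and target."""
    found = []
    for entry in sections.get("ORPHANS REMOVED", []):
        m = ORPHAN_RE.match(entry)
        if m:
            found.append({"hive": m.group(1), "value": m.group(2), "target": m.group(3)})
    return found


def triage(log_text):
    sections = parse_sections(log_text)
    return {
        "sections": sections,
        "masquerading": find_masquerading_binaries(sections),
        "loopback_proxy": find_loopback_proxy(sections),
        "orphan_run_keys": find_orphan_run_keys(sections),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, entries in result["sections"].items():
        print(f"[{section}] {len(entries)} entries")
    for section, entry in result["masquerading"]:
        print(f"system process name in Temp ({section}): {entry}")
    if result["loopback_proxy"]:
        print(f"browser proxy points at the local machine: {result['loopback_proxy']}")
    for key in result["orphan_run_keys"]:
        print(f"orphaned autostart {key['hive']}\\...\\Run\\{key['value']} -> {key['target']}")
```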

      Dr Jay

      Re: application can not be executed. the file *** is infected
      « Reply #3 on: May 06, 2010, 07:45:23 AM »
      Re-running ComboFix to remove infections:

      • Close any open browsers.
      • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Open notepad and copy/paste the text in the quotebox below into it:
        Quote
        DirLook::
        c:\windows\system32\4PUPSPPPPPfmis
        c:\windows\4PUPSPPPPPfmis
        c:\windows\system32\3PQPQpexYafmis
        c:\windows\3PQPQpexYafmis
        C:\FLASH
        C:\AX NF ZZ

        NetSvc::
        <NtDriverName>

        DDS::
        uInternet Settings,ProxyServer = http=127.0.0.1:5555
        uInternet Settings,ProxyOverride = <local>
      • Save this as CFScript.txt, in the same location as ComboFix.exe

      • Referring to the picture above, drag CFScript into ComboFix.exe
      • When finished, it shall produce a log for you at C:\ComboFix.txt
      • Please post the contents of the log in your next reply.
      ===========================

      • Please go to VirSCAN.org FREE on-line scan service
      • Browse for the following file path into the "Suspicious files to scan" box on the top of the page:
        • c:\windows\system32\drivers\fwkbdrtm.sys
      • Click on the Upload button
      • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
      • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
      • Paste the contents of the Clipboard in your next reply along with the ComboFix log.
      ~Dr Jay

      john bb


        Re: application can not be executed. the file *** is infected
        « Reply #4 on: May 06, 2010, 11:55:50 AM »
        DragonMaster Jay,

        Here are the reports

        VirSCAN.org Scanned Report :
        Scanned time   : 2010/05/06 13:51:30 (EDT)
        Scanner results: Scanners did not find malware!
        File Name      : fwkbdrtm.sys
        File Size      : 6656 byte
        File Type      : PE32 executable for MS Windows (DLL) (native) Intel 80386 32
        MD5            : 1587bd21f05076687d2896396fcbab7d
        SHA1           : 0f64f822c4fdc8be9951d20f2a052305207a454e
        Online report  : http://virscan.org/report/4e92e2753ffd22a5a59936743a731a8d.html

        Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
        a-squared      4.5.0.8         20100506053122    2010-05-06  4.90   -
        AhnLab V3      2010.05.06.00   2010.05.06        2010-05-06  1.08   -
        AntiVir        8.2.1.236       7.10.7.61         2010-05-06  0.25   -
        Antiy          2.0.18          20100506.4329166  2010-05-06  0.12   -
        Arcavir        2009            201005060323      2010-05-06  0.02   -
        Authentium     5.1.1           201005060945      2010-05-06  1.33   -
        AVAST!         4.7.4           100506-1          2010-05-06  0.00   -
        AVG            8.5.793         271.1.1/2857      2010-05-06  0.23   -
        BitDefender    7.81008.5802338 7.31534           2010-05-06  3.69   -
        ClamAV         0.95.3          10933             2010-05-06  0.01   -
        Comodo         3.13.579        4780              2010-05-06  1.02   -
        CP Secure      1.3.0.5         2010.05.06        2010-05-06  0.03   -
        Dr.Web         5.0.2.3300      2010.05.07        2010-05-07  6.94   -
        F-Prot         4.4.4.56        20100506          2010-05-06  1.27   -
        F-Secure       7.02.73807      2010.05.06.05     2010-05-06  0.12   -
        Fortinet       4.0.14          11.778            2010-05-05  0.22   -
        GData          21.103/21.36    20100506          2010-05-06  6.02   -
        ViRobot        20100506        2010.05.06        2010-05-06  0.46   -
        Ikarus         T3.1.01.84      2010.05.06.75795  2010-05-06  6.08   -
        JiangMin       13.0.900        2010.05.06        2010-05-06  1.26   -
        Kaspersky      5.5.10          2010.05.06        2010-05-06  0.08   -
        KingSoft       2009.2.5.15     2010.5.6.17       2010-05-06  0.81   -
        McAfee         5400.1158       5973              2010-05-05  0.02   -
        Microsoft      1.5703          2010.05.06        2010-05-06  7.34   -
        Norman         6.04.12         6.04.00           2010-05-05  4.01   -
        Panda          9.05.01         2010.05.06        2010-05-06  2.30   -
        Trend Micro    9.120-1004      7.150.13          2010-05-06  0.03   -
        Quick Heal     10.00           2010.05.03        2010-05-03  1.54   -
        Rising         20.0            22.46.03.04       2010-05-06  1.19   -
        Sophos         3.07.1          4.53              2010-05-07  3.28   -
        Sunbelt        3.9.2421.2      6267              2010-05-06  10.54  -
        Symantec       1.3.0.24        20100505.004      2010-05-05  0.22   -
        nProtect       20100506.01     8111082           2010-05-06  9.33   -
        The Hacker     6.5.2.0         v00276            2010-05-05  0.38   -
        VBA32          3.12.12.4       20100506.1333     2010-05-06  2.50   -
        VirusBuster    4.5.11.10       10.126.16/2005537 2010-05-06  2.30   -


        ComboFix

        ComboFix 10-05-05.0D - John 05/06/10  13:34:40.2.2 - x86
        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1022.601 [GMT -4:00]
        Running from: c:\documents and settings\John\Desktop\ComboFix.exe
        Command switches used :: c:\documents and settings\John\Desktop\cfscript.txt
        AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        E:\Autorun.inf

        .
        (((((((((((((((((((((((((   Files Created from 2010-04-06 to 2010-05-06  )))))))))))))))))))))))))))))))
        .

        2010-05-06 12:30 . 2010-05-06 12:30   --------   d-----w-   c:\documents and settings\John\Application Data\Malwarebytes
        2010-05-06 12:30 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-05-06 12:30 . 2010-05-06 12:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-05-06 12:30 . 2010-05-06 12:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-05-06 12:30 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-05-06 02:49 . 2010-05-06 02:49   63488   ----a-w-   c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
        2010-05-06 02:49 . 2010-05-06 02:49   52224   ----a-w-   c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-05-06 02:49 . 2010-05-06 02:49   117760   ----a-w-   c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-05-06 02:48 . 2010-05-06 02:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2010-05-06 02:48 . 2010-05-06 02:48   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-05-06 02:48 . 2010-05-06 02:48   --------   d-----w-   c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
        2010-05-06 02:48 . 2010-05-06 02:48   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
        2010-05-05 23:53 . 2010-05-05 23:53   --------   d--h--w-   c:\windows\system32\GroupPolicy
        2010-05-05 23:42 . 2010-05-05 23:42   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
        2010-05-03 18:28 . 2010-05-03 18:53   --------   d-----w-   C:\DocOnCD
        2010-05-03 16:55 . 2010-05-03 16:55   --------   d-----w-   c:\windows\system32\4PUPSPPPPPfmis
        2010-05-03 16:55 . 2010-05-03 16:55   --------   d-----w-   c:\windows\4PUPSPPPPPfmis
        2010-05-03 13:29 . 2010-05-03 13:29   --------   d-----w-   C:\FLASH
        2010-04-30 15:02 . 2010-04-30 15:02   --------   d-----w-   c:\windows\system32\3PQPQpexYafmis
        2010-04-30 15:02 . 2010-04-30 15:02   --------   d-----w-   c:\windows\3PQPQpexYafmis
        2010-04-30 12:29 . 2010-04-30 12:30   --------   dc-h--w-   c:\windows\ie8
        2010-04-30 03:02 . 2010-04-30 03:02   --------   d-----w-   c:\documents and settings\John\Application Data\PKWARE
        2010-04-30 03:02 . 2010-04-30 03:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\PKWARE
        2010-04-29 22:45 . 2010-04-29 22:45   --------   d-----w-   C:\HWUpdates
        2010-04-29 22:09 . 2010-05-03 16:55   --------   d-----w-   C:\AX NF ZZ
        2010-04-29 20:27 . 2010-04-29 20:27   --------   d-----w-   c:\documents and settings\John\Local Settings\Application Data\SIEMENS AG
        2010-04-29 20:27 . 2010-04-29 20:27   --------   d-----w-   c:\documents and settings\John\Application Data\SIEMENS AG
        2010-04-29 19:53 . 2010-04-29 20:09   --------   d-----w-   c:\documents and settings\All Users\Application Data\Siemens AG
        2010-04-29 19:51 . 2010-04-29 19:51   --------   d-----w-   c:\program files\Common Files\OPC Foundation
        2010-04-29 19:51 . 2010-04-29 19:51   --------   d-----w-   c:\program files\Common Files\Data Dynamics
        2010-04-29 19:43 . 2010-04-29 19:46   --------   d-----w-   c:\program files\Microsoft.NET
        2010-04-29 19:41 . 2010-04-29 19:41   --------   d-----w-   c:\program files\MSXML 6.0
        2010-04-29 19:35 . 2010-05-06 01:03   --------   d-----w-   c:\documents and settings\John\My Backup
        2010-04-29 19:10 . 2010-04-29 19:10   --------   d-----w-   c:\program files\PKWARE
        2010-04-29 19:10 . 2010-04-29 19:10   --------   d-----w-   c:\program files\Common Files\PKWARE
        2010-04-29 17:32 . 2010-04-29 17:32   --------   d-----w-   c:\program files\OPC Foundation
        2010-04-29 14:24 . 2010-05-06 01:03   --------   d-----w-   c:\documents and settings\John\Application Data\Dmailer
        2010-04-29 14:22 . 2010-03-18 20:48   37435576   ----a-w-   c:\documents and settings\John\Application Data\Dmailer\Dmailer_Backup_Manager.exe
        2010-04-28 19:31 . 2001-08-18 02:36   8704   -c--a-w-   c:\windows\system32\dllcache\kbdjpn.dll
        2010-04-28 19:31 . 2001-08-18 02:36   8704   ----a-w-   c:\windows\system32\kbdjpn.dll
        2010-04-28 19:31 . 2001-08-18 02:36   8192   -c--a-w-   c:\windows\system32\dllcache\kbdkor.dll
        2010-04-28 19:31 . 2001-08-18 02:36   8192   ----a-w-   c:\windows\system32\kbdkor.dll
        2010-04-28 19:31 . 2001-08-17 18:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101c.dll
        2010-04-28 19:31 . 2001-08-17 18:55   6144   ----a-w-   c:\windows\system32\kbd101c.dll
        2010-04-28 19:31 . 2001-08-17 18:55   5632   -c--a-w-   c:\windows\system32\dllcache\kbd103.dll
        2010-04-28 19:31 . 2001-08-17 18:55   5632   ----a-w-   c:\windows\system32\kbd103.dll
        2010-04-28 19:31 . 2001-08-17 18:55   6144   -c--a-w-   c:\windows\system32\dllcache\kbd101b.dll
        2010-04-28 19:31 . 2001-08-17 18:55   6144   ----a-w-   c:\windows\system32\kbd101b.dll
        2010-04-28 19:31 . 2008-04-14 09:39   6144   -c--a-w-   c:\windows\system32\dllcache\kbd106.dll
        2010-04-28 19:31 . 2008-04-14 09:39   6144   ----a-w-   c:\windows\system32\kbd106.dll
        2010-04-28 16:00 . 2010-04-28 16:00   2238   ----a-r-   c:\documents and settings\John\Application Data\Microsoft\Installer\{17F75A0A-BBD7-442C-9FE4-A9BC9B5ED099}\ARPPRODUCTICON.exe
        2010-04-28 15:55 . 2010-04-28 17:24   --------   d-----w-   C:\PB
        2010-04-25 17:16 . 2010-04-30 13:21   --------   d-----w-   c:\program files\dncSoftware
        2010-04-25 17:14 . 2010-04-30 13:20   --------   d-----w-   c:\program files\ProEZNC
        2010-04-16 14:24 . 2007-06-12 11:20   40960   ----a-r-   c:\windows\system32\drivers\LS8SYS.sys
        2010-04-16 13:58 . 2010-04-16 13:58   --------   d-----w-   c:\windows\PanTherLink
        2010-04-16 13:58 . 2010-04-16 13:58   --------   d-----w-   c:\program files\PanTherLink
        2010-04-15 23:26 . 2010-04-15 23:26   --------   d-----w-   c:\program files\Cricut Software
        2010-04-10 15:49 . 2010-04-10 15:49   --------   d-----w-   c:\documents and settings\John\Application Data\Got Game Entertainment
        2010-04-10 15:48 . 2005-05-26 19:34   2297552   ----a-w-   c:\windows\system32\d3dx9_26.dll
        2010-04-10 15:37 . 2010-04-15 00:28   --------   d-----w-   c:\program files\Wine Tycoon
        2010-04-07 12:37 . 2010-04-07 12:36   737280   ----a-w-   c:\windows\iun6002.exe

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-05-05 12:54 . 2009-10-19 17:43   --------   d-----w-   c:\program files\DOConCD
        2010-04-30 20:17 . 2009-10-19 17:35   --------   d-----w-   c:\program files\Common Files\Siemens
        2010-04-30 13:20 . 2010-03-29 19:54   --------   d-----w-   c:\program files\MultiBatch
        2010-04-30 10:19 . 2009-10-19 18:44   136896   ----a-w-   c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2010-04-29 20:11 . 2009-10-19 20:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Siemens
        2010-04-29 19:57 . 2009-10-19 16:37   --------   d--h--w-   c:\program files\InstallShield Installation Information
        2010-04-29 19:48 . 2009-10-19 17:35   --------   d-----w-   c:\program files\SIEMENS
        2010-04-29 19:43 . 2009-10-19 23:09   --------   d-----w-   c:\program files\Microsoft SQL Server
        2010-04-29 17:31 . 2009-10-19 17:48   --------   d-----w-   c:\program files\Common Files\Adobe
        2010-04-28 19:03 . 2010-03-11 22:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\WinZip
        2010-04-27 22:36 . 2010-02-09 20:37   664   ----a-w-   c:\windows\system32\d3d9caps.dat
        2010-04-16 13:04 . 2009-10-22 22:29   --------   d-----w-   c:\program files\Google
        2010-04-08 21:44 . 2009-10-22 21:52   --------   d-----w-   c:\documents and settings\John\Application Data\Skype
        2010-04-08 18:29 . 2009-10-22 21:53   --------   d-----w-   c:\documents and settings\John\Application Data\skypePM
        2010-04-08 12:17 . 2010-01-04 17:15   --------   d-----w-   c:\program files\Yahoo!
        2010-04-05 23:05 . 2009-10-29 14:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
        2010-04-05 22:45 . 2009-12-15 17:31   --------   d-----w-   c:\documents and settings\John\Application Data\Yahoo!
        2010-03-30 03:21 . 2009-11-02 22:04   --------   d-----w-   c:\program files\Assembly Vision
        2010-03-30 03:18 . 2010-03-11 13:45   --------   d-----w-   c:\program files\Uniblue
        2010-03-29 23:18 . 2009-11-17 21:59   256   ----a-w-   c:\windows\system32\pool.bin
        2010-03-28 20:32 . 2009-11-17 21:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\Research In Motion
        2010-03-27 16:36 . 2009-11-13 18:20   --------   d-----w-   c:\documents and settings\John\Application Data\ZoomBrowser EX
        2010-03-27 15:17 . 2009-10-19 18:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\ZoomBrowser
        2010-03-18 15:47 . 2010-03-18 15:46   9793720   ----a-w-   c:\documents and settings\John\Application Data\Dmailer\My Backup\dmBackup.dll
        2010-03-18 15:47 . 2010-03-18 15:46   7925944   ----a-w-   c:\documents and settings\John\Application Data\Dmailer\My Backup\dmEngineAPP.dll
        2010-03-18 15:47 . 2010-03-18 15:46   10617528   ----a-w-   c:\documents and settings\John\Application Data\Dmailer\My Backup\dmSync.dll
        2010-03-18 15:08 . 2010-03-18 15:46   1703424   ----a-w-   c:\documents and settings\John\Application Data\Dmailer\My Backup\OnlineBackupFacade.dll
        2010-03-18 15:08 . 2010-03-18 15:46   2081280   ----a-w-   c:\documents and settings\John\Application Data\Dmailer\My Backup\OnlineCrawler.exe
        2010-03-11 22:21 . 2009-11-18 23:46   --------   d-----w-   c:\program files\Cinemaware Marquee
        2010-03-11 22:16 . 2010-03-11 22:16   --------   d-----w-   c:\program files\Sinumerik
        2010-03-11 15:57 . 2009-12-28 22:25   --------   d-----w-   c:\program files\Aide PDF to DXF Converter
        2010-03-11 14:01 . 2010-03-11 14:01   --------   d-----w-   c:\program files\Hide My IP 2009
        2010-03-11 14:01 . 2010-02-25 01:18   --------   d-----w-   c:\program files\WhatsRunning
        2010-03-11 14:00 . 2010-03-11 14:00   --------   d-----w-   c:\documents and settings\John\Application Data\U3
        2010-03-11 14:00 . 2010-03-09 15:47   --------   d-----w-   c:\program files\FinalUninstaller
        2010-03-11 13:50 . 2010-03-11 13:45   --------   d-----w-   c:\documents and settings\John\Application Data\Uniblue
        2010-03-09 15:50 . 2010-03-09 15:50   --------   d-----w-   c:\documents and settings\John\Application Data\CheeseSoft
        2010-02-07 18:30 . 2010-02-07 18:30   3299512   ----a-w-   c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockNY.exe
        2010-02-07 18:17 . 2010-02-07 18:16   16832384   ----a-w-   c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026001xupd.exe
        .

        ((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        ---- Directory of C:\AX NF ZZ ----

        2010-05-06 11:32 . 2010-05-06 11:32   2560   --sha-w-   c:\ax nf zz\SIFLA9XEP10103.ekb
        2010-05-04 14:50 . 2010-05-04 19:02   2560   --sha-w-   c:\ax nf zz\SIFLS7PROF0504.ekb
        2010-04-29 22:09 . 2010-04-29 22:09   2560   --sha-w-   c:\ax nf zz\SIFLSINUTR0603.ekb

        ---- Directory of C:\FLASH ----

        2010-05-03 13:29 . 2010-05-03 13:42   76   ----a-w-   c:\flash\RECIPES\PTRCP_Orange_1.dat
        2010-05-03 13:29 . 2010-05-03 13:42   40   ----a-w-   c:\flash\RECIPES\PTRCP_Orange_1.rdf
        2010-05-03 13:29 . 2010-05-03 13:29   57   ----a-w-   c:\flash\RECIPES\PTRCP_Orange_1.vdf

        ---- Directory of c:\windows\3PQPQpexYafmis ----

        2010-04-30 15:02 . 2010-04-30 15:02   1280   ----a-w-   c:\windows\3PQPQpexYafmis\00000000000000000000.DLL

        ---- Directory of c:\windows\4PUPSPPPPPfmis ----

        2010-05-03 16:55 . 2010-05-03 16:55   1280   ----a-w-   c:\windows\4PUPSPPPPPfmis\00000000000000000000.DLL

        ---- Directory of c:\windows\system32\3PQPQpexYafmis ----

        2010-04-30 15:02 . 2010-04-30 15:02   1280   ----a-w-   c:\windows\system32\3PQPQpexYafmis\00000000000000000000.DLL

        ---- Directory of c:\windows\system32\4PUPSPPPPPfmis ----

        2010-05-03 16:55 . 2010-05-03 16:55   1280   ----a-w-   c:\windows\system32\4PUPSPPPPPfmis\00000000000000000000.DLL


        (((((((((((((((((((((((((((((   SnapShot@2010-05-06_01.51.08   )))))))))))))))))))))))))))))))))))))))))
        .
        + 2010-05-06 11:29 . 2010-05-06 11:29   16384              c:\windows\temp\Perflib_Perfdata_464.dat
        + 2010-05-06 11:29 . 2010-05-06 11:29   16384              c:\windows\temp\Perflib_Perfdata_3b8.dat
        + 2010-05-06 11:29 . 2010-05-06 11:29   16384              c:\windows\temp\Perflib_Perfdata_1f0.dat
        + 2003-03-31 12:00 . 2010-05-06 11:36   95718              c:\windows\system32\perfc009.dat
        - 2003-03-31 12:00 . 2010-05-06 01:48   95718              c:\windows\system32\perfc009.dat
        + 2010-05-06 02:48 . 2010-05-06 02:48   65024              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
        + 2010-05-06 02:48 . 2010-05-06 02:48   18944              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
        + 2010-05-06 02:48 . 2010-05-06 02:48   5120              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
        + 2003-03-31 12:00 . 2010-05-06 11:36   483560              c:\windows\system32\perfh009.dat
        - 2003-03-31 12:00 . 2010-05-06 01:48   483560              c:\windows\system32\perfh009.dat
        + 2010-05-06 02:48 . 2010-05-06 02:48   1583616              c:\windows\Installer\3d212e.msi
        .
        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
        "Dmailer_Backup_Manager.exe"="c:\documents and settings\John\Application Data\Dmailer\Dmailer_Backup_Manager.exe" [2010-03-18 37435576]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
        "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
        "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
        "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
        "HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
        "DuelTray"="c:\program files\Duel Systems\DuelAdapter\DuelTray.exe" [2007-03-12 69632]
        "cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-10-19 177392]
        "QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-10-19 14088]
        "CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-12-02 230664]
        "S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
        "WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2009-02-25 114688]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\WINDOWS\\system32\\s7otbxsx.exe"=
        "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
        "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
        "c:\\Program Files\\SIEMENS\\SIMATIC WinCC flexible\\WinCC flexible 2008\\HmiES.exe"=
        "c:\\Program Files\\SIEMENS\\SIMATIC WinCC flexible\\WinCC flexible 2008\\TraceServer.exe"=
        "c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\MiniWeb.exe"=
        "c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\SmartServer.exe"=
        "c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\HmiLoad.exe"=

        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/10 11:25 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/27/10 17:30 61440]
        R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\sws\almsrv\almsrvx.exe [01/22/09 01:19 1200128]
        R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [06/25/07 15:46 266240]
        R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [06/25/07 15:47 28363]
        R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [02/10/07 09:29 29178224]
        R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [05/04/05 00:04 9150464]
        R2 s7asysvx;S7 Global Services;c:\program files\SIEMENS\Step7\S7BIN\s7asysvx.exe [07/14/08 19:02 69685]
        R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [01/22/09 15:44 77312]
        R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [01/22/09 15:56 1576008]
        R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [01/22/09 15:45 31232]
        R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [07/30/07 11:06 71168]
        R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [01/22/09 15:56 240712]
        R2 SSCService;SIMATIC Security Control Service;c:\program files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe [10/16/08 13:09 339968]
        R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [11/05/07 11:31 115654]
        R3 cpuz126;cpuz126;c:\program files\Duel Systems\DuelAdapter\cpuz.sys [12/14/06 14:00 7808]
        R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [02/24/09 21:37 6656]
        R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [08/16/07 21:10 189704]
        S2 DuelService;DuelAdapter Support Service;c:\program files\Duel Systems\DuelAdapter\DuelService.exe [03/11/07 22:09 106496]
        S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/22/09 18:29 133104]
        S3 <NtDriverName>;<NtDriverName>;c:\windows\system32\Drivers\<NtDriverName>.sys --> c:\windows\system32\Drivers\<NtDriverName>.sys [?]
        S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [07/04/05 15:04 68280]
        S3 LS8SYS;Firmware Upgrade;c:\windows\system32\drivers\LS8SYS.sys [04/16/10 10:24 40960]
        S3 S7o5512x;SIMATIC CP 5512;c:\windows\system32\drivers\S7o5512x.sys [11/07/07 18:33 209480]
        S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/02 02:34 30512]
        S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [05/03/05 21:42 323584]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        getPlusHelper   REG_MULTI_SZ      getPlusHelper
        .
        Contents of the 'Scheduled Tasks' folder

        2010-04-17 c:\windows\Tasks\CAAntiSpywareScan_Daily as John at 6 57 PM.job
        - c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]

        2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 22:29]

        2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 22:29]
        .
        .
        ------- Supplementary Scan -------
        .
        DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
        .

        **************************************************************************
        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files:

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_USERS\S-1-5-21-1659004503-1606980848-1417001333-1003\Software\SecuROM\License information*]
        "datasecu"=hex:8f,e9,ff,59,1d,b8,d8,c1,43,5a,63,9f,7a,fd,29,55,f2,8e,d5,40,65,
           67,03,e1,79,5e,5e,e6,65,cc,4a,79,64,6d,6e,71,86,ee,84,8f,72,ed,eb,b3,c1,33,\
        "rkeysecu"=hex:f8,4e,d7,4b,b7,4c,6b,28,98,83,7c,12,c3,89,1b,65
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(1380)
        c:\program files\SUPERAntiSpyware\SASWINLO.dll
        c:\windows\system32\Ati2evxx.dll
        c:\windows\system32\netprovcredman.dll
        c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
        c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
        c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
        .
        Completion time: 2010-05-06  13:41:32
        ComboFix-quarantined-files.txt  2010-05-06 17:41
        ComboFix2.txt  2010-05-06 02:11

        Pre-Run: 105,228,808,192 bytes free
        Post-Run: 105,224,200,192 bytes free

        WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

        - - End Of File - - 8D9CF57D7AF6643CF5180BA02703B81C

        Dr Jay

        Re: application can not be executed. the file *** is infected
        « Reply #5 on: May 06, 2010, 06:01:59 PM »
        Do you know any of these files:

        ---- Directory of C:\AX NF ZZ ----

        2010-05-06 11:32 . 2010-05-06 11:32   2560   --sha-w-   c:\ax nf zz\SIFLA9XEP10103.ekb
        2010-05-04 14:50 . 2010-05-04 19:02   2560   --sha-w-   c:\ax nf zz\SIFLS7PROF0504.ekb
        2010-04-29 22:09 . 2010-04-29 22:09   2560   --sha-w-   c:\ax nf zz\SIFLSINUTR0603.ekb

        ---- Directory of C:\FLASH ----

        2010-05-03 13:29 . 2010-05-03 13:42   76   ----a-w-   c:\flash\RECIPES\PTRCP_Orange_1.dat
        2010-05-03 13:29 . 2010-05-03 13:42   40   ----a-w-   c:\flash\RECIPES\PTRCP_Orange_1.rdf
        2010-05-03 13:29 . 2010-05-03 13:29   57   ----a-w-   c:\flash\RECIPES\PTRCP_Orange_1.vdf

        ---- Directory of c:\windows\3PQPQpexYafmis ----

        2010-04-30 15:02 . 2010-04-30 15:02   1280   ----a-w-   c:\windows\3PQPQpexYafmis\00000000000000000000.DLL

        ---- Directory of c:\windows\4PUPSPPPPPfmis ----

        2010-05-03 16:55 . 2010-05-03 16:55   1280   ----a-w-   c:\windows\4PUPSPPPPPfmis\00000000000000000000.DLL

        ---- Directory of c:\windows\system32\3PQPQpexYafmis ----

        2010-04-30 15:02 . 2010-04-30 15:02   1280   ----a-w-   c:\windows\system32\3PQPQpexYafmis\00000000000000000000.DLL

        ---- Directory of c:\windows\system32\4PUPSPPPPPfmis ----

        2010-05-03 16:55 . 2010-05-03 16:55   1280   ----a-w-   c:\windows\system32\4PUPSPPPPPfmis\00000000000000000000.DLL
        ~Dr Jay

        john bb

          Re: application can not be executed. the file *** is infected
          « Reply #6 on: May 07, 2010, 09:35:34 AM »
          The ones in the Flash directory I do. The others I'm not sure of. I use a lot of Siemens PLC/HMI development software and some of it may be associated with that. I just started having trouble with some of the Siemens .dll's missing, so I'm going to uninstall all the software and reinstall. Before I do the reinstall I can run ComboFix again and attach a report.

          john bb

            Re: application can not be executed. the file *** is infected
            « Reply #7 on: May 07, 2010, 09:43:43 AM »
            DragonMaster Jay,

            The files in the AX NF ZZ directory are also related to the Siemens software. They are the license key files for the installed software. I just uninstalled the 3 keys back to a USB drive and those files and the directory disappeared.

            I'm not sure about the last directory of files.

            Dr Jay

            Re: application can not be executed. the file *** is infected
            « Reply #8 on: May 07, 2010, 05:24:00 PM »
            Oh I see.

            Please run a free online scan with the ESET Online Scanner
            • Tick the box next to YES, I accept the Terms of Use
            • Click Start
            • When asked, allow the ActiveX control to install
            • Click Start
            • Make sure that the options Remove found threats and Scan unwanted applications are checked
            • Click Scan (This scan can take several hours, so please be patient)
            • Once the scan is completed, you may close the window
            • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
            • Copy and paste that log as a reply to this topic
            ~Dr Jay