Computer Hope
Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: john bb on May 05, 2010, 08:24:42 PM
-
I had a major problem today with my computer. every time i tried to run a program i got a message saying that the application can not be executed the file "file name" is infected. I read a bunch of posts and managed to get rid of the message by running rkill and then combofix but how do i know my computer is really virus free?
-
Hi. Welcome to Computer Hope!
Re-run ComboFix and post a log.
-
Here is the ComboFix log
ComboFix 10-05-05.04 - John 05/05/10 21:25:59.1.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.684 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning enabled* (Outdated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\John\LOCALS~1\Temp\lsass.exe
c:\docume~1\John\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\John\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\John\Local Settings\Application Data\ighfntrja
c:\documents and settings\John\Local Settings\Application Data\ighfntrja\hqiuexatssd.exe
c:\program files\WindowsUpdate
c:\windows\system32\driVERs\jcfixc.sys
c:\windows\system32\morlsfbav6.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_jcfixc
-------\Service_jcfixc
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.
2010-05-05 23:53 . 2010-05-05 23:53 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-05 23:42 . 2010-05-05 23:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-03 18:28 . 2010-05-03 18:53 -------- d-----w- C:\DocOnCD
2010-05-03 16:55 . 2010-05-03 16:55 -------- d-----w- c:\windows\system32\4PUPSPPPPPfmis
2010-05-03 16:55 . 2010-05-03 16:55 -------- d-----w- c:\windows\4PUPSPPPPPfmis
2010-05-03 13:29 . 2010-05-03 13:29 -------- d-----w- C:\FLASH
2010-04-30 15:02 . 2010-04-30 15:02 -------- d-----w- c:\windows\system32\3PQPQpexYafmis
2010-04-30 15:02 . 2010-04-30 15:02 -------- d-----w- c:\windows\3PQPQpexYafmis
2010-04-30 12:29 . 2010-04-30 12:30 -------- dc-h--w- c:\windows\ie8
2010-04-30 03:02 . 2010-04-30 03:02 -------- d-----w- c:\documents and settings\John\Application Data\PKWARE
2010-04-30 03:02 . 2010-04-30 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PKWARE
2010-04-29 22:45 . 2010-04-29 22:45 -------- d-----w- C:\HWUpdates
2010-04-29 22:09 . 2010-05-03 16:55 -------- d-----w- C:\AX NF ZZ
2010-04-29 20:27 . 2010-04-29 20:27 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\SIEMENS AG
2010-04-29 20:27 . 2010-04-29 20:27 -------- d-----w- c:\documents and settings\John\Application Data\SIEMENS AG
2010-04-29 19:53 . 2010-04-29 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Siemens AG
2010-04-29 19:51 . 2010-04-29 19:51 -------- d-----w- c:\program files\Common Files\OPC Foundation
2010-04-29 19:51 . 2010-04-29 19:51 -------- d-----w- c:\program files\Common Files\Data Dynamics
2010-04-29 19:43 . 2010-04-29 19:46 -------- d-----w- c:\program files\Microsoft.NET
2010-04-29 19:41 . 2010-04-29 19:41 -------- d-----w- c:\program files\MSXML 6.0
2010-04-29 19:35 . 2010-05-06 01:03 -------- d-----w- c:\documents and settings\John\My Backup
2010-04-29 19:10 . 2010-04-29 19:10 -------- d-----w- c:\program files\PKWARE
2010-04-29 19:10 . 2010-04-29 19:10 -------- d-----w- c:\program files\Common Files\PKWARE
2010-04-29 17:32 . 2010-04-29 17:32 -------- d-----w- c:\program files\OPC Foundation
2010-04-29 14:24 . 2010-05-06 01:03 -------- d-----w- c:\documents and settings\John\Application Data\Dmailer
2010-04-28 19:31 . 2001-08-18 02:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-04-28 19:31 . 2001-08-18 02:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-04-28 19:31 . 2001-08-18 02:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-04-28 19:31 . 2001-08-18 02:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-04-28 19:31 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-04-28 19:31 . 2001-08-17 18:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-04-28 19:31 . 2001-08-17 18:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-04-28 19:31 . 2001-08-17 18:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-04-28 19:31 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-04-28 19:31 . 2001-08-17 18:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-04-28 19:31 . 2008-04-14 09:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-04-28 19:31 . 2008-04-14 09:39 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-04-28 15:55 . 2010-04-28 17:24 -------- d-----w- C:\PB
2010-04-25 17:16 . 2010-04-30 13:21 -------- d-----w- c:\program files\dncSoftware
2010-04-25 17:14 . 2010-04-30 13:20 -------- d-----w- c:\program files\ProEZNC
2010-04-16 14:24 . 2007-06-12 11:20 40960 ----a-r- c:\windows\system32\drivers\LS8SYS.sys
2010-04-16 13:58 . 2010-04-16 13:58 -------- d-----w- c:\windows\PanTherLink
2010-04-16 13:58 . 2010-04-16 13:58 -------- d-----w- c:\program files\PanTherLink
2010-04-15 23:26 . 2010-04-15 23:26 -------- d-----w- c:\program files\Cricut Software
2010-04-10 15:49 . 2010-04-10 15:49 -------- d-----w- c:\documents and settings\John\Application Data\Got Game Entertainment
2010-04-10 15:48 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-04-10 15:37 . 2010-04-15 00:28 -------- d-----w- c:\program files\Wine Tycoon
2010-04-07 12:37 . 2010-04-07 12:36 737280 ----a-w- c:\windows\iun6002.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 12:54 . 2009-10-19 17:43 -------- d-----w- c:\program files\DOConCD
2010-04-30 20:17 . 2009-10-19 17:35 -------- d-----w- c:\program files\Common Files\Siemens
2010-04-30 13:20 . 2010-03-29 19:54 -------- d-----w- c:\program files\MultiBatch
2010-04-30 10:19 . 2009-10-19 18:44 136896 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 20:11 . 2009-10-19 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Siemens
2010-04-29 19:57 . 2009-10-19 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-29 19:48 . 2009-10-19 17:35 -------- d-----w- c:\program files\SIEMENS
2010-04-29 19:43 . 2009-10-19 23:09 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-29 17:31 . 2009-10-19 17:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-28 19:03 . 2010-03-11 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-04-27 22:36 . 2010-02-09 20:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 13:04 . 2009-10-22 22:29 -------- d-----w- c:\program files\Google
2010-04-08 21:44 . 2009-10-22 21:52 -------- d-----w- c:\documents and settings\John\Application Data\Skype
2010-04-08 18:29 . 2009-10-22 21:53 -------- d-----w- c:\documents and settings\John\Application Data\skypePM
2010-04-08 12:17 . 2010-01-04 17:15 -------- d-----w- c:\program files\Yahoo!
2010-04-05 23:05 . 2009-10-29 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-04-05 22:45 . 2009-12-15 17:31 -------- d-----w- c:\documents and settings\John\Application Data\Yahoo!
2010-03-30 03:21 . 2009-11-02 22:04 -------- d-----w- c:\program files\Assembly Vision
2010-03-30 03:18 . 2010-03-11 13:45 -------- d-----w- c:\program files\Uniblue
2010-03-29 23:18 . 2009-11-17 21:59 256 ----a-w- c:\windows\system32\pool.bin
2010-03-28 20:32 . 2009-11-17 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-03-27 16:36 . 2009-11-13 18:20 -------- d-----w- c:\documents and settings\John\Application Data\ZoomBrowser EX
2010-03-27 15:17 . 2009-10-19 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-03-11 22:21 . 2009-11-18 23:46 -------- d-----w- c:\program files\Cinemaware Marquee
2010-03-11 22:16 . 2010-03-11 22:16 -------- d-----w- c:\program files\Sinumerik
2010-03-11 15:57 . 2009-12-28 22:25 -------- d-----w- c:\program files\Aide PDF to DXF Converter
2010-03-11 14:01 . 2010-03-11 14:01 -------- d-----w- c:\program files\Hide My IP 2009
2010-03-11 14:01 . 2010-02-25 01:18 -------- d-----w- c:\program files\WhatsRunning
2010-03-11 14:00 . 2010-03-11 14:00 -------- d-----w- c:\documents and settings\John\Application Data\U3
2010-03-11 14:00 . 2010-03-09 15:47 -------- d-----w- c:\program files\FinalUninstaller
2010-03-11 13:50 . 2010-03-11 13:45 -------- d-----w- c:\documents and settings\John\Application Data\Uniblue
2010-03-09 15:50 . 2010-03-09 15:50 -------- d-----w- c:\documents and settings\John\Application Data\CheeseSoft
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Dmailer_Backup_Manager.exe"="c:\documents and settings\John\Application Data\Dmailer\Dmailer_Backup_Manager.exe" [2010-03-18 37435576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
"DuelTray"="c:\program files\Duel Systems\DuelAdapter\DuelTray.exe" [2007-03-12 69632]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-10-19 177392]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-10-19 14088]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-12-02 230664]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
"WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2009-02-25 114688]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\s7otbxsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SIEMENS\\SIMATIC WinCC flexible\\WinCC flexible 2008\\HmiES.exe"=
"c:\\Program Files\\SIEMENS\\SIMATIC WinCC flexible\\WinCC flexible 2008\\TraceServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\MiniWeb.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\SmartServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\HmiLoad.exe"=
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\sws\almsrv\almsrvx.exe [01/22/09 01:19 1200128]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [06/25/07 15:46 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [06/25/07 15:47 28363]
R2 DuelService;DuelAdapter Support Service;c:\program files\Duel Systems\DuelAdapter\DuelService.exe [03/11/07 22:09 106496]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [02/10/07 09:29 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [05/04/05 00:04 9150464]
R2 s7asysvx;S7 Global Services;c:\program files\SIEMENS\Step7\S7BIN\s7asysvx.exe [07/14/08 19:02 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [01/22/09 15:44 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [01/22/09 15:56 1576008]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [01/22/09 15:45 31232]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [07/30/07 11:06 71168]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [01/22/09 15:56 240712]
R2 SSCService;SIMATIC Security Control Service;c:\program files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe [10/16/08 13:09 339968]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [11/05/07 11:31 115654]
R3 cpuz126;cpuz126;c:\program files\Duel Systems\DuelAdapter\cpuz.sys [12/14/06 14:00 7808]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [02/24/09 21:37 6656]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [08/16/07 21:10 189704]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/22/09 18:29 133104]
S3 <NtDriverName>;<NtDriverName>;c:\windows\system32\Drivers\<NtDriverName>.sys --> c:\windows\system32\Drivers\<NtDriverName>.sys [?]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [07/04/05 15:04 68280]
S3 LS8SYS;Firmware Upgrade;c:\windows\system32\drivers\LS8SYS.sys [04/16/10 10:24 40960]
S3 S7o5512x;SIMATIC CP 5512;c:\windows\system32\drivers\S7o5512x.sys [11/07/07 18:33 209480]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/02 02:34 30512]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [05/03/05 21:42 323584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-17 c:\windows\Tasks\CAAntiSpywareScan_Daily as John at 6 57 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]
2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 22:29]
2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 22:29]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKCU-Run-pqycjplf - c:\documents and settings\John\Local Settings\Application Data\ighfntrja\hqiuexatssd.exe
HKLM-Run-pqycjplf - c:\documents and settings\John\Local Settings\Application Data\ighfntrja\hqiuexatssd.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-05 21:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1659004503-1606980848-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:8f,e9,ff,59,1d,b8,d8,c1,43,5a,63,9f,7a,fd,29,55,f2,8e,d5,40,65,
67,03,e1,79,5e,5e,e6,65,cc,4a,79,64,6d,6e,71,86,ee,84,8f,72,ed,eb,b3,c1,33,\
"rkeysecu"=hex:f8,4e,d7,4b,b7,4c,6b,28,98,83,7c,12,c3,89,1b,65
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1620)
c:\windows\system32\Ati2evxx.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\netprovcredman.dll
- - - - - - - > 'explorer.exe'(4976)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Siemens\ALMPanelPlugin\ALMPanelPlugin.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wdfmgr.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiES.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Siemens\Sqlany\dbsrv9.exe
c:\program files\Common Files\Siemens\SWS\almsrv\almsrvbubblex.exe
.
**************************************************************************
.
Completion time: 2010-05-05 22:11:23 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-06 02:09
Pre-Run: 105,157,640,192 bytes free
Post-Run: 105,376,329,728 bytes free
- - End Of File - - 3FE9D895161A8E269A83EA697190F279
-
Re-running ComboFix to remove infections:
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
DirLook::
c:\windows\system32\4PUPSPPPPPfmis
c:\windows\4PUPSPPPPPfmis
c:\windows\system32\3PQPQpexYafmis
c:\windows\3PQPQpexYafmis
C:\FLASH
C:\AX NF ZZ
NetSvc::
<NtDriverName>
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
- Save this as CFScript.txt, in the same location as ComboFix.exe
(http://i35.tinypic.com/2v3rg44.jpg)
- Referring to the picture above, drag CFScript into ComboFix.exe
- When finished, it shall produce a log for you at C:\ComboFix.txt
- Please post the contents of the log in your next reply.
===========================
- Please go to VirSCAN.org FREE on-line scan service (http://virscan.org/)
- Browse for the following file path into the "Suspicious files to scan" box on the top of the page:
- c:\windows\system32\drivers\fwkbdrtm.sys
- Click on the Upload button
- If a pop-up appears saying the file has been scanned already, please select the ReScan button.
- Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
- Paste the contents of the Clipboard in your next reply along with the ComboFix log.
-
DragonMaster Jay,
Here are the reports
VirSCAN.org Scanned Report :
Scanned time : 2010/05/06 13:51:30 (EDT)
Scanner results: Scanners did not find malware!
File Name : fwkbdrtm.sys
File Size : 6656 byte
File Type : PE32 executable for MS Windows (DLL) (native) Intel 80386 32
MD5 : 1587bd21f05076687d2896396fcbab7d
SHA1 : 0f64f822c4fdc8be9951d20f2a052305207a454 e
Online report : http://virscan.org/report/4e92e2753ffd22a5a59936743a731a8d.html
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100506053122 2010-05-06 4.90 -
AhnLab V3 2010.05.06.00 2010.05.06 2010-05-06 1.08 -
AntiVir 8.2.1.236 7.10.7.61 2010-05-06 0.25 -
Antiy 2.0.18 20100506.4329166 2010-05-06 0.12 -
Arcavir 2009 201005060323 2010-05-06 0.02 -
Authentium 5.1.1 201005060945 2010-05-06 1.33 -
AVAST! 4.7.4 100506-1 2010-05-06 0.00 -
AVG 8.5.793 271.1.1/2857 2010-05-06 0.23 -
BitDefender 7.81008.5802338 7.31534 2010-05-06 3.69 -
ClamAV 0.95.3 10933 2010-05-06 0.01 -
Comodo 3.13.579 4780 2010-05-06 1.02 -
CP Secure 1.3.0.5 2010.05.06 2010-05-06 0.03 -
Dr.Web 5.0.2.3300 2010.05.07 2010-05-07 6.94 -
F-Prot 4.4.4.56 20100506 2010-05-06 1.27 -
F-Secure 7.02.73807 2010.05.06.05 2010-05-06 0.12 -
Fortinet 4.0.14 11.778 2010-05-05 0.22 -
GData 21.103/21.36 20100506 2010-05-06 6.02 -
ViRobot 20100506 2010.05.06 2010-05-06 0.46 -
Ikarus T3.1.01.84 2010.05.06.75795 2010-05-06 6.08 -
JiangMin 13.0.900 2010.05.06 2010-05-06 1.26 -
Kaspersky 5.5.10 2010.05.06 2010-05-06 0.08 -
KingSoft 2009.2.5.15 2010.5.6.17 2010-05-06 0.81 -
McAfee 5400.1158 5973 2010-05-05 0.02 -
Microsoft 1.5703 2010.05.06 2010-05-06 7.34 -
Norman 6.04.12 6.04.00 2010-05-05 4.01 -
Panda 9.05.01 2010.05.06 2010-05-06 2.30 -
Trend Micro 9.120-1004 7.150.13 2010-05-06 0.03 -
Quick Heal 10.00 2010.05.03 2010-05-03 1.54 -
Rising 20.0 22.46.03.04 2010-05-06 1.19 -
Sophos 3.07.1 4.53 2010-05-07 3.28 -
Sunbelt 3.9.2421.2 6267 2010-05-06 10.54 -
Symantec 1.3.0.24 20100505.004 2010-05-05 0.22 -
nProtect 20100506.01 8111082 2010-05-06 9.33 -
The Hacker 6.5.2.0 v00276 2010-05-05 0.38 -
VBA32 3.12.12.4 20100506.1333 2010-05-06 2.50 -
VirusBuster 4.5.11.10 10.126.16/2005537 2010-05-06 2.30 -
Combofix
ComboFix 10-05-05.0D - John 05/06/10 13:34:40.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.601 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John\Desktop\cfscript.txt
AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.
2010-05-06 12:30 . 2010-05-06 12:30 -------- d-----w- c:\documents and settings\John\Application Data\Malwarebytes
2010-05-06 12:30 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-06 12:30 . 2010-05-06 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-06 12:30 . 2010-05-06 12:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 12:30 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-06 02:49 . 2010-05-06 02:49 63488 ----a-w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-06 02:49 . 2010-05-06 02:49 52224 ----a-w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-06 02:49 . 2010-05-06 02:49 117760 ----a-w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-06 02:48 . 2010-05-06 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-06 02:48 . 2010-05-06 02:48 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-06 02:48 . 2010-05-06 02:48 -------- d-----w- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2010-05-06 02:48 . 2010-05-06 02:48 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-05 23:53 . 2010-05-05 23:53 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-05 23:42 . 2010-05-05 23:42 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-05-03 18:28 . 2010-05-03 18:53 -------- d-----w- C:\DocOnCD
2010-05-03 16:55 . 2010-05-03 16:55 -------- d-----w- c:\windows\system32\4PUPSPPPPPfmis
2010-05-03 16:55 . 2010-05-03 16:55 -------- d-----w- c:\windows\4PUPSPPPPPfmis
2010-05-03 13:29 . 2010-05-03 13:29 -------- d-----w- C:\FLASH
2010-04-30 15:02 . 2010-04-30 15:02 -------- d-----w- c:\windows\system32\3PQPQpexYafmis
2010-04-30 15:02 . 2010-04-30 15:02 -------- d-----w- c:\windows\3PQPQpexYafmis
2010-04-30 12:29 . 2010-04-30 12:30 -------- dc-h--w- c:\windows\ie8
2010-04-30 03:02 . 2010-04-30 03:02 -------- d-----w- c:\documents and settings\John\Application Data\PKWARE
2010-04-30 03:02 . 2010-04-30 03:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PKWARE
2010-04-29 22:45 . 2010-04-29 22:45 -------- d-----w- C:\HWUpdates
2010-04-29 22:09 . 2010-05-03 16:55 -------- d-----w- C:\AX NF ZZ
2010-04-29 20:27 . 2010-04-29 20:27 -------- d-----w- c:\documents and settings\John\Local Settings\Application Data\SIEMENS AG
2010-04-29 20:27 . 2010-04-29 20:27 -------- d-----w- c:\documents and settings\John\Application Data\SIEMENS AG
2010-04-29 19:53 . 2010-04-29 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Siemens AG
2010-04-29 19:51 . 2010-04-29 19:51 -------- d-----w- c:\program files\Common Files\OPC Foundation
2010-04-29 19:51 . 2010-04-29 19:51 -------- d-----w- c:\program files\Common Files\Data Dynamics
2010-04-29 19:43 . 2010-04-29 19:46 -------- d-----w- c:\program files\Microsoft.NET
2010-04-29 19:41 . 2010-04-29 19:41 -------- d-----w- c:\program files\MSXML 6.0
2010-04-29 19:35 . 2010-05-06 01:03 -------- d-----w- c:\documents and settings\John\My Backup
2010-04-29 19:10 . 2010-04-29 19:10 -------- d-----w- c:\program files\PKWARE
2010-04-29 19:10 . 2010-04-29 19:10 -------- d-----w- c:\program files\Common Files\PKWARE
2010-04-29 17:32 . 2010-04-29 17:32 -------- d-----w- c:\program files\OPC Foundation
2010-04-29 14:24 . 2010-05-06 01:03 -------- d-----w- c:\documents and settings\John\Application Data\Dmailer
2010-04-29 14:22 . 2010-03-18 20:48 37435576 ----a-w- c:\documents and settings\John\Application Data\Dmailer\Dmailer_Backup_Manager.exe
2010-04-28 19:31 . 2001-08-18 02:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2010-04-28 19:31 . 2001-08-18 02:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2010-04-28 19:31 . 2001-08-18 02:36 8192 -c--a-w- c:\windows\system32\dllcache\kbdkor.dll
2010-04-28 19:31 . 2001-08-18 02:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2010-04-28 19:31 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101c.dll
2010-04-28 19:31 . 2001-08-17 18:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2010-04-28 19:31 . 2001-08-17 18:55 5632 -c--a-w- c:\windows\system32\dllcache\kbd103.dll
2010-04-28 19:31 . 2001-08-17 18:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2010-04-28 19:31 . 2001-08-17 18:55 6144 -c--a-w- c:\windows\system32\dllcache\kbd101b.dll
2010-04-28 19:31 . 2001-08-17 18:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2010-04-28 19:31 . 2008-04-14 09:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-04-28 19:31 . 2008-04-14 09:39 6144 ----a-w- c:\windows\system32\kbd106.dll
2010-04-28 16:00 . 2010-04-28 16:00 2238 ----a-r- c:\documents and settings\John\Application Data\Microsoft\Installer\{17F75A0A-BBD7-442C-9FE4-A9BC9B5ED099}\ARPPRODUCTICON.exe
2010-04-28 15:55 . 2010-04-28 17:24 -------- d-----w- C:\PB
2010-04-25 17:16 . 2010-04-30 13:21 -------- d-----w- c:\program files\dncSoftware
2010-04-25 17:14 . 2010-04-30 13:20 -------- d-----w- c:\program files\ProEZNC
2010-04-16 14:24 . 2007-06-12 11:20 40960 ----a-r- c:\windows\system32\drivers\LS8SYS.sys
2010-04-16 13:58 . 2010-04-16 13:58 -------- d-----w- c:\windows\PanTherLink
2010-04-16 13:58 . 2010-04-16 13:58 -------- d-----w- c:\program files\PanTherLink
2010-04-15 23:26 . 2010-04-15 23:26 -------- d-----w- c:\program files\Cricut Software
2010-04-10 15:49 . 2010-04-10 15:49 -------- d-----w- c:\documents and settings\John\Application Data\Got Game Entertainment
2010-04-10 15:48 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2010-04-10 15:37 . 2010-04-15 00:28 -------- d-----w- c:\program files\Wine Tycoon
2010-04-07 12:37 . 2010-04-07 12:36 737280 ----a-w- c:\windows\iun6002.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-05 12:54 . 2009-10-19 17:43 -------- d-----w- c:\program files\DOConCD
2010-04-30 20:17 . 2009-10-19 17:35 -------- d-----w- c:\program files\Common Files\Siemens
2010-04-30 13:20 . 2010-03-29 19:54 -------- d-----w- c:\program files\MultiBatch
2010-04-30 10:19 . 2009-10-19 18:44 136896 ----a-w- c:\documents and settings\John\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 20:11 . 2009-10-19 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Siemens
2010-04-29 19:57 . 2009-10-19 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-29 19:48 . 2009-10-19 17:35 -------- d-----w- c:\program files\SIEMENS
2010-04-29 19:43 . 2009-10-19 23:09 -------- d-----w- c:\program files\Microsoft SQL Server
2010-04-29 17:31 . 2009-10-19 17:48 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-28 19:03 . 2010-03-11 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-04-27 22:36 . 2010-02-09 20:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-16 13:04 . 2009-10-22 22:29 -------- d-----w- c:\program files\Google
2010-04-08 21:44 . 2009-10-22 21:52 -------- d-----w- c:\documents and settings\John\Application Data\Skype
2010-04-08 18:29 . 2009-10-22 21:53 -------- d-----w- c:\documents and settings\John\Application Data\skypePM
2010-04-08 12:17 . 2010-01-04 17:15 -------- d-----w- c:\program files\Yahoo!
2010-04-05 23:05 . 2009-10-29 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-04-05 22:45 . 2009-12-15 17:31 -------- d-----w- c:\documents and settings\John\Application Data\Yahoo!
2010-03-30 03:21 . 2009-11-02 22:04 -------- d-----w- c:\program files\Assembly Vision
2010-03-30 03:18 . 2010-03-11 13:45 -------- d-----w- c:\program files\Uniblue
2010-03-29 23:18 . 2009-11-17 21:59 256 ----a-w- c:\windows\system32\pool.bin
2010-03-28 20:32 . 2009-11-17 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-03-27 16:36 . 2009-11-13 18:20 -------- d-----w- c:\documents and settings\John\Application Data\ZoomBrowser EX
2010-03-27 15:17 . 2009-10-19 18:53 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-03-18 15:47 . 2010-03-18 15:46 9793720 ----a-w- c:\documents and settings\John\Application Data\Dmailer\My Backup\dmBackup.dll
2010-03-18 15:47 . 2010-03-18 15:46 7925944 ----a-w- c:\documents and settings\John\Application Data\Dmailer\My Backup\dmEngineAPP.dll
2010-03-18 15:47 . 2010-03-18 15:46 10617528 ----a-w- c:\documents and settings\John\Application Data\Dmailer\My Backup\dmSync.dll
2010-03-18 15:08 . 2010-03-18 15:46 1703424 ----a-w- c:\documents and settings\John\Application Data\Dmailer\My Backup\OnlineBackupFacade.dll
2010-03-18 15:08 . 2010-03-18 15:46 2081280 ----a-w- c:\documents and settings\John\Application Data\Dmailer\My Backup\OnlineCrawler.exe
2010-03-11 22:21 . 2009-11-18 23:46 -------- d-----w- c:\program files\Cinemaware Marquee
2010-03-11 22:16 . 2010-03-11 22:16 -------- d-----w- c:\program files\Sinumerik
2010-03-11 15:57 . 2009-12-28 22:25 -------- d-----w- c:\program files\Aide PDF to DXF Converter
2010-03-11 14:01 . 2010-03-11 14:01 -------- d-----w- c:\program files\Hide My IP 2009
2010-03-11 14:01 . 2010-02-25 01:18 -------- d-----w- c:\program files\WhatsRunning
2010-03-11 14:00 . 2010-03-11 14:00 -------- d-----w- c:\documents and settings\John\Application Data\U3
2010-03-11 14:00 . 2010-03-09 15:47 -------- d-----w- c:\program files\FinalUninstaller
2010-03-11 13:50 . 2010-03-11 13:45 -------- d-----w- c:\documents and settings\John\Application Data\Uniblue
2010-03-09 15:50 . 2010-03-09 15:50 -------- d-----w- c:\documents and settings\John\Application Data\CheeseSoft
2010-02-07 18:30 . 2010-02-07 18:30 3299512 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockNY.exe
2010-02-07 18:17 . 2010-02-07 18:16 16832384 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026001xupd.exe
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\AX NF ZZ ----
2010-05-06 11:32 . 2010-05-06 11:32 2560 --sha-w- c:\ax nf zz\SIFLA9XEP10103.ekb
2010-05-04 14:50 . 2010-05-04 19:02 2560 --sha-w- c:\ax nf zz\SIFLS7PROF0504.ekb
2010-04-29 22:09 . 2010-04-29 22:09 2560 --sha-w- c:\ax nf zz\SIFLSINUTR0603.ekb
---- Directory of C:\FLASH ----
2010-05-03 13:29 . 2010-05-03 13:42 76 ----a-w- c:\flash\RECIPES\PTRCP_Orange_1.dat
2010-05-03 13:29 . 2010-05-03 13:42 40 ----a-w- c:\flash\RECIPES\PTRCP_Orange_1.rdf
2010-05-03 13:29 . 2010-05-03 13:29 57 ----a-w- c:\flash\RECIPES\PTRCP_Orange_1.vdf
---- Directory of c:\windows\3PQPQpexYafmis ----
2010-04-30 15:02 . 2010-04-30 15:02 1280 ----a-w- c:\windows\3PQPQpexYafmis\00000000000000000000.DLL
---- Directory of c:\windows\4PUPSPPPPPfmis ----
2010-05-03 16:55 . 2010-05-03 16:55 1280 ----a-w- c:\windows\4PUPSPPPPPfmis\00000000000000000000.DLL
---- Directory of c:\windows\system32\3PQPQpexYafmis ----
2010-04-30 15:02 . 2010-04-30 15:02 1280 ----a-w- c:\windows\system32\3PQPQpexYafmis\00000000000000000000.DLL
---- Directory of c:\windows\system32\4PUPSPPPPPfmis ----
2010-05-03 16:55 . 2010-05-03 16:55 1280 ----a-w- c:\windows\system32\4PUPSPPPPPfmis\00000000000000000000.DLL
((((((((((((((((((((((((((((( SnapShot@2010-05-06_01.51.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-06 11:29 . 2010-05-06 11:29 16384 c:\windows\temp\Perflib_Perfdata_464.dat
+ 2010-05-06 11:29 . 2010-05-06 11:29 16384 c:\windows\temp\Perflib_Perfdata_3b8.dat
+ 2010-05-06 11:29 . 2010-05-06 11:29 16384 c:\windows\temp\Perflib_Perfdata_1f0.dat
+ 2003-03-31 12:00 . 2010-05-06 11:36 95718 c:\windows\system32\perfc009.dat
- 2003-03-31 12:00 . 2010-05-06 01:48 95718 c:\windows\system32\perfc009.dat
+ 2010-05-06 02:48 . 2010-05-06 02:48 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-05-06 02:48 . 2010-05-06 02:48 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-05-06 02:48 . 2010-05-06 02:48 5120 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2003-03-31 12:00 . 2010-05-06 11:36 483560 c:\windows\system32\perfh009.dat
- 2003-03-31 12:00 . 2010-05-06 01:48 483560 c:\windows\system32\perfh009.dat
+ 2010-05-06 02:48 . 2010-05-06 02:48 1583616 c:\windows\Installer\3d212e.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Dmailer_Backup_Manager.exe"="c:\documents and settings\John\Application Data\Dmailer\Dmailer_Backup_Manager.exe" [2010-03-18 37435576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]
"DuelTray"="c:\program files\Duel Systems\DuelAdapter\DuelTray.exe" [2007-03-12 69632]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-10-19 177392]
"QOELOADER"="c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2009-10-19 14088]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2009-12-02 230664]
"S7UB Start"="c:\program files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2008-07-15 102453]
"WinCC flexible Smart Start"="c:\program files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2008\HmiSmartStart.exe" [2009-02-25 114688]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\s7otbxsx.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\SIEMENS\\SIMATIC WinCC flexible\\WinCC flexible 2008\\HmiES.exe"=
"c:\\Program Files\\SIEMENS\\SIMATIC WinCC flexible\\WinCC flexible 2008\\TraceServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\MiniWeb.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\SmartServer.exe"=
"c:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2008 Runtime\\HmiLoad.exe"=
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/10 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/27/10 17:30 61440]
R2 almservice;Automation License Manager Service;c:\program files\Common Files\Siemens\sws\almsrv\almsrvx.exe [01/22/09 01:19 1200128]
R2 dpmconv;dpmconv;c:\windows\system32\drivers\dpmconv.sys [06/25/07 15:46 266240]
R2 Dpmtrcdd;Dpmtrcdd;c:\windows\system32\drivers\dpmtrcdd.sys [06/25/07 15:47 28363]
R2 MSSQL$WINCCFLEXEXPRESS;SQL Server (WINCCFLEXEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [02/10/07 09:29 29178224]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe [05/04/05 00:04 9150464]
R2 s7asysvx;S7 Global Services;c:\program files\SIEMENS\Step7\S7BIN\s7asysvx.exe [07/14/08 19:02 69685]
R2 s7odpx2x;SIMATIC MPI/PROFIBUS DPX2 Driver;c:\windows\system32\drivers\s7odpx2x.sys [01/22/09 15:44 77312]
R2 s7oiehsx;SIMATIC IEPG Help Service;c:\program files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [01/22/09 15:56 1576008]
R2 S7opcsrtx;PROFINET IO RT-Protocol (LLDP);c:\windows\system32\drivers\s7opcsrtx.sys [01/22/09 15:45 31232]
R2 s7snsrtx;PROFINET IO RT-Protocol;c:\windows\system32\drivers\s7snsrtx.sys [07/30/07 11:06 71168]
R2 S7TraceServiceX;S7TraceServiceX;c:\program files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [01/22/09 15:56 240712]
R2 SSCService;SIMATIC Security Control Service;c:\program files\Common Files\Siemens\SimaticSecurityControl\ssc_service_x.exe [10/16/08 13:09 339968]
R2 vsnl2ada;SIMATIC MPI/PROFIBUS FDL Transport Driver;c:\windows\system32\drivers\vsnl2ada.sys [11/05/07 11:31 115654]
R3 cpuz126;cpuz126;c:\program files\Duel Systems\DuelAdapter\cpuz.sys [12/14/06 14:00 7808]
R3 fwkbdrtm;fwkbdrtm;c:\windows\system32\drivers\fwkbdrtm.sys [02/24/09 21:37 6656]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [08/16/07 21:10 189704]
S2 DuelService;DuelAdapter Support Service;c:\program files\Duel Systems\DuelAdapter\DuelService.exe [03/11/07 22:09 106496]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/22/09 18:29 133104]
S3 <NtDriverName>;<NtDriverName>;c:\windows\system32\Drivers\<NtDriverName>.sys --> c:\windows\system32\Drivers\<NtDriverName>.sys [?]
S3 dpmcslv;dpmcslv;c:\windows\system32\drivers\dpmcslv.sys [07/04/05 15:04 68280]
S3 LS8SYS;Firmware Upgrade;c:\windows\system32\drivers\LS8SYS.sys [04/16/10 10:24 40960]
S3 S7o5512x;SIMATIC CP 5512;c:\windows\system32\drivers\S7o5512x.sys [11/07/07 18:33 209480]
S3 s7oefs_x;SIMATIC MPI/EFS Driver;c:\windows\system32\drivers\s7oefs_x.sys [10/18/02 02:34 30512]
S3 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;c:\program files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE [05/03/05 21:42 323584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-04-17 c:\windows\Tasks\CAAntiSpywareScan_Daily as John at 6 57 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]
2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 22:29]
2010-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-22 22:29]
.
.
------- Supplementary Scan -------
.
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1659004503-1606980848-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:8f,e9,ff,59,1d,b8,d8,c1,43,5a,63,9f,7a,fd,29,55,f2,8e,d5,40,65,
67,03,e1,79,5e,5e,e6,65,cc,4a,79,64,6d,6e,71,86,ee,84,8f,72,ed,eb,b3,c1,33,\
"rkeysecu"=hex:f8,4e,d7,4b,b7,4c,6b,28,98,83,7c,12,c3,89,1b,65
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1380)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\netprovcredman.dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll
.
Completion time: 2010-05-06 13:41:32
ComboFix-quarantined-files.txt 2010-05-06 17:41
ComboFix2.txt 2010-05-06 02:11
Pre-Run: 105,228,808,192 bytes free
Post-Run: 105,224,200,192 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 8D9CF57D7AF6643CF5180BA02703B81C
-
Do you know any of these files:
---- Directory of C:\AX NF ZZ ----
2010-05-06 11:32 . 2010-05-06 11:32 2560 --sha-w- c:\ax nf zz\SIFLA9XEP10103.ekb
2010-05-04 14:50 . 2010-05-04 19:02 2560 --sha-w- c:\ax nf zz\SIFLS7PROF0504.ekb
2010-04-29 22:09 . 2010-04-29 22:09 2560 --sha-w- c:\ax nf zz\SIFLSINUTR0603.ekb
---- Directory of C:\FLASH ----
2010-05-03 13:29 . 2010-05-03 13:42 76 ----a-w- c:\flash\RECIPES\PTRCP_Orange_1.dat
2010-05-03 13:29 . 2010-05-03 13:42 40 ----a-w- c:\flash\RECIPES\PTRCP_Orange_1.rdf
2010-05-03 13:29 . 2010-05-03 13:29 57 ----a-w- c:\flash\RECIPES\PTRCP_Orange_1.vdf
---- Directory of c:\windows\3PQPQpexYafmis ----
2010-04-30 15:02 . 2010-04-30 15:02 1280 ----a-w- c:\windows\3PQPQpexYafmis\00000000000000000000.DLL
---- Directory of c:\windows\4PUPSPPPPPfmis ----
2010-05-03 16:55 . 2010-05-03 16:55 1280 ----a-w- c:\windows\4PUPSPPPPPfmis\00000000000000000000.DLL
---- Directory of c:\windows\system32\3PQPQpexYafmis ----
2010-04-30 15:02 . 2010-04-30 15:02 1280 ----a-w- c:\windows\system32\3PQPQpexYafmis\00000000000000000000.DLL
---- Directory of c:\windows\system32\4PUPSPPPPPfmis ----
2010-05-03 16:55 . 2010-05-03 16:55 1280 ----a-w- c:\windows\system32\4PUPSPPPPPfmis\00000000000000000000.DLL
-
the ones in the Flash directory i do. The others in not sure of. I use alot of Siemns PLC/HMI development software and some of it may be assocated with that. I just started having trouble with the some of the Siemens .dll's missing so i'm going to unistall all the software and reinstall. Before i do the reinstall i can run Combofix again and attach a report.
-
DragonMaster Jay,
the files in the AX NF ZZ directory are also related to the siemens software. They are the license key files for the installed software. i just uninstalled the 3 keys back to a USB drive and those files and the directory disapperared.
I'm not sure about the last directory of files
-
Oh I see.
Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats and the option Scan unwanted applications is checked
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic