Resolved HJT Threads Resolved spyware and popup issues.
Old 02-22-2009, 07:24 AM   #1 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 159
OS: WinVista Business


Re: Virus in my system!!!

I accidentally clicked on a suspicious file and I got the virus. I don't know what virus it is, but my system still looks normal.

However, when I ran a scan using Norton, it stuck at 7000+ files and stopped, indicating that there is no virus detected etc.

Please help ASAP!!!



So, here is the info you guys need, and the attached files.

DDS.txt
---------------------------------------------------------------------------------------------------------


DDS (Ver_09-02-01.01) - NTFSx86
Run by Zhong Rong at 21:39:12.81 on Sun 22/02/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_10
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.65.1033.18.3070.1713 [GMT 8:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Acer\Mobility Center\MobilityService.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Altiris\Altiris Agent\AeXAgentUIHost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Zhong Rong\Desktop\dds.scr
C:\Windows\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.np.edu.sg/
uSEARCH PAGE = hxxp://sg.rd.yahoo.com/customize/ycomp/defaults/sp/*http://sg.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.sg.acer.yahoo.com
mDefault_Page_URL = hxxp://en.sg.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [PLFSet] rundll32.exe c:\windows\PLFSet.dll,PLFDefSetting
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [MSServer] rundll32.exe c:\windows\system32\awtuvTll.dll,#1
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/authorware/awswaxd.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://npsdmail4.np.edu.sg/dwa7W.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\awtuvTll.dll
SecurityProviders: schannel.dll, credssp.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\zhongr~1\appdata\roaming\mozilla\firefox\profiles\mayz8uik.zhong rong\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\users\zhong rong\appdata\roaming\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\users\zhong rong\appdata\roaming\mozilla\firefox\profiles\mayz8uik.zhong rong\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-4-3 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-4-2 35712]
R1 FSLX;FSLX;c:\windows\system32\drivers\fslx.sys [2007-10-3 191360]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20090217.002\IDSvix86.sys [2009-2-20 270384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-2-8 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-9-3 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2007-1-10 38200]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-8-3 809296]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2008-10-3 28464]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2008-2-1 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2008-2-1 8320]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2007-2-22 2808664]

=============== Created Last 30 ================

2009-02-22 13:59 46,592 a------- c:\windows\system32\awtuvTll.dll
2009-02-11 21:17 <DIR> --d----- c:\program files\Microsoft
2009-02-11 21:03 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-11 21:03 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-11 21:03 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-11 21:03 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-11 21:03 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-11 21:03 11,264 a------- c:\windows\system32\icardres.dll
2009-02-11 21:03 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-11 21:03 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-11 20:55 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-11 20:55 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-11 20:55 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-11 20:55 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-11 20:55 83,968 a------- c:\windows\system32\mscories.dll
2009-02-11 08:19 827,392 a------- c:\windows\system32\wininet.dll
2009-02-11 08:19 1,383,424 a------- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-01-22 17:13 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-22 17:13 51,200 a------- c:\windows\inf\infpub.dat
2009-01-15 10:38 143,360 a------- c:\windows\inf\infstor.dat
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-10 03:16 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-10 03:14 159,744 a------- c:\windows\system32\atitmmxx.dll
2008-12-10 03:14 348,160 a------- c:\windows\system32\atipdlxx.dll
2008-12-10 03:14 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-10 03:14 286,720 a------- c:\windows\system32\Ati2evxx.dll
2008-12-10 03:12 729,088 a------- c:\windows\system32\Ati2evxx.exe
2008-12-10 03:04 2,345,472 a------- c:\windows\system32\atidxx32.dll
2008-12-10 02:57 3,962,368 a------- c:\windows\system32\atiumdag.dll
2008-12-10 02:48 11,259,904 a------- c:\windows\system32\atioglxx.dll
2008-12-10 02:37 4,765,184 a------- c:\windows\system32\atiumdva.dll
2008-12-10 02:24 50,688 a------- c:\windows\system32\amdpcom32.dll
2008-12-10 02:24 122,880 a------- c:\windows\system32\atiadlxx.dll
2008-11-30 13:50 165,422 a------- c:\windows\hpoins30.dat
2008-11-30 13:06 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-24 22:31 2,248,544 a------- c:\windows\system32\sqlncli.dll
2008-11-24 22:31 65,888 a------- c:\windows\system32\sqlctr90.dll
2008-06-26 03:45 174 a--sh--- c:\program files\desktop.ini
2008-06-26 03:32 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 20:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 20:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 20:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 20:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 17:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 17:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2005-11-15 15:32 3,638 a----r-- c:\program files\common files\Altiris_Icon.ico

============= FINISH: 21:40:46.80 ===============

---------------------------------------------------------------------------------------------------------
Attached Files
File Type: zip Attach.zip (4.8 KB, 1 views)
cazua is offline  
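The DDS report above is the kind of log the helpers in this section read by hand, cross-checking each load point against the "Created Last 30" list. As an added example (not from this thread, the DDS tool, or the forum), the Python script below parses those two sections and flags load points that target freshly created files, rundll32 entries that load an export by ordinal, orphaned "No File" entries, and UAC disabled by policy; the excerpt it runs on is constructed from lines of the log above, and the severity labels and heuristics are the example's own.

```python
import re
from datetime import date, timedelta

# Constructed excerpt modelled on the DDS report posted in this thread; not the full log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [MSServer] rundll32.exe c:\windows\system32\awtuvTll.dll,#1
mPolicies-system: EnableLUA = 0 (0x0)
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\awtuvTll.dll

=============== Created Last 30 ================

2009-02-22 13:59 46,592 a------- c:\windows\system32\awtuvTll.dll
2009-02-11 20:55 282,112 a------- c:\windows\system32\mscoree.dll

============= FINISH: 21:40:46.80 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# A drive path up to the first executable-looking extension (spaces allowed).
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:dll|exe|sys|cpl)\b", re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} ([\d,]+|<DIR>) \S+ (.+)$")
# DDS prefixes that denote something loaded at logon or into Explorer/IE.
LOADPOINT_KEYS = ("uRun", "mRun", "dRun", "SEH", "BHO", "TB", "EB", "Notify")


def split_sections(text):
    """Map each '=== Title ===' header (lower-cased) to the non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_created(lines):
    """'Created Last 30' rows -> {lower-cased path: creation date}; directories skipped."""
    created = {}
    for line in lines:
        m = CREATED_RE.match(line)
        if m and m.group(2) != "<DIR>":
            created[m.group(3).lower()] = date.fromisoformat(m.group(1))
    return created


def triage(text, scan_date, recent_days=7):
    """Return (severity, reason, line) findings for a DDS report.

    scan_date is the ISO date the report was produced (from its 'Run by ... on' header);
    a load point whose target file was created within recent_days of it is flagged.
    """
    sections = split_sections(text)
    created = parse_created(sections.get("created last 30", []))
    cutoff = date.fromisoformat(scan_date) - timedelta(days=recent_days)
    findings = []
    for line in sections.get("pseudo hjt report", []):
        key, _, rest = line.partition(": ")
        if key.startswith("mPolicies") and re.search(r"EnableLUA\s*=\s*0\b", rest):
            findings.append(("high", "UAC disabled by policy", line))
        if not key.startswith(LOADPOINT_KEYS):
            continue
        if rest.endswith("No File"):
            # Orphaned CLSIDs are clutter rather than a threat, but worth cleaning up.
            findings.append(("low", "orphaned load point (file missing)", line))
            continue
        if re.search(r"rundll32\.exe .*,#\d+$", rest, re.IGNORECASE):
            findings.append(("medium", "rundll32 loads a DLL export by ordinal", line))
        for path in PATH_RE.findall(rest):
            when = created.get(path.lower())
            if when is not None and when >= cutoff:
                findings.append(("high", f"load point targets a file created {when}", line))
    return findings


def triage_sample():
    """Run the triage over the constructed excerpt; scan date taken from the thread."""
    return triage(SAMPLE_DDS, "2009-02-22")


if __name__ == "__main__":
    for severity, reason, line in triage_sample():
        print(f"[{severity:6}] {reason}: {line}")
```

On the excerpt the same DLL is flagged three times (its mRun entry twice, its SEH entry once), which is the correlation a helper makes by eye between the load points and the creation dates.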

Old 02-23-2009, 01:08 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,691
OS: 2000 Pro; XP Pro; XP Home


Re: Virus in my system!!!

Hello

It's been quite a while since you've needed our help in this section of the forums, and that's good. We always hope our member visits to this section of the forums are a one time event. What's not good is downloading suspicious files and executing them. Please take more care with what gets onto your machine.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 02-23-2009, 08:01 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 159
OS: WinVista Business


Re: Virus in my system!!!

I ran the Combofix, but halfway through I encountered the Blue Screen. After restarting, Combofix still continued its job and produced the log.

The log is attached to this post.

ComboFix 09-02-21.01 - Zhong Rong 2009-02-24 10:15:25.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3070.2216 [GMT 8:00]
Running from: c:\users\Zhong Rong\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\senekaahpvqbgi.sys
c:\windows\system32\hgGwuUnN.dll.vir
c:\windows\System32\NnUuwGgh.ini
c:\windows\System32\NnUuwGgh.ini2
c:\windows\system32\senekafrpjsflp.dat
c:\windows\system32\senekaleukdqni.dll
c:\windows\system32\senekamifbhvtw.dll
c:\windows\system32\senekaprmxvntt.dll
c:\windows\system32\senekaulsreoie.dat
c:\windows\system32\winlogon2.exe
c:\windows\system32\wvULedbY.dll
c:\windows\system32\x64
c:\windows\system32\x64\csnp2uvc.dll
c:\windows\system32\x64\rsnpvc64.dll
c:\windows\system32\x64\sncduvc.sys
c:\windows\system32\x64\snp2uvc.sys
c:\windows\system32\x64\vsnpvc64.dll
c:\windows\System32\YbdeLUvw.ini
c:\windows\System32\YbdeLUvw.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-24 10:23 . 2009-02-24 10:24 455,428,851 --a------ c:\windows\MEMORY.DMP
2009-02-24 09:49 . 2009-02-22 13:29 46,592 --a------ c:\windows\System32\fccbXonL.dll
2009-02-24 03:36 . 2009-02-24 03:36 69,120 --a------ c:\windows\System32\ytjbxngd.dll
2009-02-24 03:36 . 2009-02-24 03:36 9,728 --a------ c:\windows\instsp1.exe
2009-02-22 21:43 . 2009-02-22 21:43 250 --a------ c:\windows\gmer.ini
2009-02-11 21:17 . 2009-02-11 21:17 <DIR> d-------- c:\program files\Microsoft
2009-02-11 21:03 . 2008-06-20 09:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-11 21:03 . 2008-06-20 09:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-11 21:03 . 2008-06-20 09:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-11 21:03 . 2008-06-20 09:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-11 21:03 . 2008-06-20 09:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-11 21:03 . 2008-06-20 09:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-11 21:03 . 2008-06-20 09:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-11 21:03 . 2008-06-20 09:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-11 20:55 . 2008-07-28 02:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-11 20:55 . 2008-07-28 02:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-11 20:55 . 2008-07-28 02:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-11 20:55 . 2008-07-28 02:03 83,968 --a------ c:\windows\System32\mscories.dll
2009-02-11 20:55 . 2008-07-28 02:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-11 08:19 . 2009-01-15 11:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-11 08:19 . 2009-01-15 14:11 827,392 --a------ c:\windows\System32\wininet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 02:29 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\DMCache
2009-02-24 01:55 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\uTorrent
2009-02-22 14:01 --------- d-----w c:\programdata\Symantec
2009-02-22 05:39 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-02-21 02:17 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\Babylon
2009-02-19 07:43 --------- d-----w c:\program files\Safari
2009-02-11 15:13 --------- d-----w c:\program files\Windows Mail
2009-02-11 13:18 --------- d-----w c:\programdata\Microsoft Help
2009-02-11 13:16 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-08 02:53 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-30 12:43 --------- d-----w c:\program files\RocketDock
2009-01-30 12:43 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-01-30 12:43 --------- d-----w c:\program files\Common Files\Adobe
2009-01-30 10:43 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\vlc
2009-01-30 10:43 --------- d-----w c:\programdata\FLEXnet
2009-01-30 10:43 --------- d-----w c:\program files\MagicISO
2009-01-30 10:43 --------- d-----w c:\program files\DivX
2009-01-04 11:12 --------- d-----w c:\program files\CCleaner
2008-12-28 15:27 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\Sports Interactive
2008-12-28 05:33 --------- d-----w c:\program files\EvilLyrics
2008-12-25 06:24 --------- d-----w c:\program files\Bonjour
2008-12-12 03:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-12-12 03:11 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-12-09 19:16 425,984 ----a-w c:\windows\System32\ATIDEMGX.dll
2008-12-09 19:14 43,520 ----a-w c:\windows\System32\ati2edxx.dll
2008-12-09 19:14 348,160 ----a-w c:\windows\System32\atipdlxx.dll
2008-12-09 19:14 286,720 ----a-w c:\windows\System32\Ati2evxx.dll
2008-12-09 19:14 159,744 ----a-w c:\windows\System32\atitmmxx.dll
2008-12-09 19:12 729,088 ----a-w c:\windows\System32\Ati2evxx.exe
2008-12-09 19:04 2,345,472 ----a-w c:\windows\System32\atidxx32.dll
2008-12-09 18:57 3,962,368 ----a-w c:\windows\System32\atiumdag.dll
2008-12-09 18:48 11,259,904 ----a-w c:\windows\System32\atioglxx.dll
2008-12-09 18:37 4,765,184 ----a-w c:\windows\System32\atiumdva.dll
2008-12-09 18:24 50,688 ----a-w c:\windows\System32\amdpcom32.dll
2008-12-09 18:24 122,880 ----a-w c:\windows\System32\atiadlxx.dll
2008-11-30 05:06 410,976 ----a-w c:\windows\System32\deploytk.dll
2008-11-24 14:31 65,888 ----a-w c:\windows\System32\sqlctr90.dll
2008-11-24 14:31 2,248,544 ----a-w c:\windows\System32\sqlncli.dll
2008-06-25 19:45 174 --sha-w c:\program files\desktop.ini
2005-11-15 07:32 3,638 ----a-r c:\program files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-07-25 5724184]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-06-10 2594224]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2007-03-28 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-08-02 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\fccbXonL.dll" [2009-02-22 46592]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6BA02D78-0688-4FD4-B381-0BA6EC2E445C}"= UDP:2967:Symantec Port
"{830EC0D1-7D2A-4138-8316-DE2F8F5FA6B5}"= c:\program files\Acer\Acer Arcade\PowerCinema.exe:CyberLink PowerCinema
"{56E91E22-2C91-4972-8F43-7D8C010D7ABF}"= c:\program files\Acer\Acer Arcade\PCMService.exe:CyberLink PowerCinema Resident Program
"{3311A946-6CCF-47B3-B9CA-BB2803457F9C}"= c:\program files\Acer\Acer Arcade\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{D9F99135-1B77-4849-A37A-6C6193FFE7BF}"= c:\program files\Acer\Acer Arcade\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{FFC012B9-2DAA-4D32-AA95-DCE3366B2389}"= c:\program files\Acer\HomeMedia\HomeMedia.exe:HomeMedia
"{42468EEB-62D2-46AB-A576-41D5CFFE47F9}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{8CAA4C33-7A23-4693-BABB-9AA661D3CA6A}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{E48C3C09-FB2F-4796-B6F2-ABDD37745680}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{4F83BF93-077B-467B-99DE-517BAF490E14}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{A11358CA-DBAF-427D-9EC1-FE7FDAB5FF46}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{A3E86B20-E062-4EEC-9D9C-14F36C23DFFB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{021BD0A7-5924-47E7-A311-9F749BF36061}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{2080A56B-FFD6-49CF-936B-E2E54CC971A1}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{DF2DA15B-AAEE-4D68-888B-D5A833827BEC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C8A947BD-CC98-4889-B255-E3B7A0D0CB1B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{B16CF037-7149-4AAB-9E9E-E623F1F36E19}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{81E299B0-AA33-4EFB-918D-742BCD8BC3F2}"= UDP:c:\users\Zhong Rong\Desktop\utorrent.exe:µTorrent (TCP-In)
"{36C1BCD1-95DA-4E56-A344-61E6C13919B1}"= TCP:c:\users\Zhong Rong\Desktop\utorrent.exe:µTorrent (UDP-In)
"{011FBDC1-3210-49DC-BDC2-8FEF717FE3A9}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent (TCP-In)
"{41004F39-DAB0-4C9A-BDDD-FD4658E0F157}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent (UDP-In)
"{3CE40562-85D1-475F-8153-30DD00BBB8F0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E65889A-A912-426A-8827-81E2FCA3A60E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3987A0AE-EE6A-485A-9D7B-6C67CA89690F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6CBEA433-B353-4105-8131-1C6D1F575D09}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B4FA9184-4B10-4DDA-B0E1-8C18D1257045}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{8FC49B90-D812-4D5F-963C-6E08F1267810}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{98977AEA-4DAE-4C4D-B34C-7B48A28D8B67}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3E9838E8-8EB4-4C76-8E65-C0B4BCF1C6BB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{000FD40D-11B4-48F0-B528-EACC7662C721}"= e:\setup\hpznui01.exe:hpznui01.exe
"{F7AC6B51-0337-4960-A140-25F1D351F057}"= TCP:427|RPort=427|c:\windows\system32\svchost.exe|Svc=HPSLPSVC:SLP_Service
"{9178C1EE-D297-4E2F-9A30-EC261BF63116}"= c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{30209922-FA9E-449A-9D25-F39FC011A99C}"= c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{AD8413C7-FA7F-4DE0-BC35-5327EBE60D97}"= c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{46B47C7F-0557-4349-A36E-00B79B6B7EC4}"= c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{9F8D5762-18B3-4664-97B9-97421F870EFE}"= c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{49DE716C-4125-48F8-9254-89CDEF89C84F}"= c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{2054EC7B-38C5-437B-84BF-33B1525D8143}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4225DAFD-13C3-428B-B32D-E5BBD87B800F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{42A29EF8-2EB4-43C1-B75E-51F1E740DAAD}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{456DD651-35A7-4D37-9C34-783CCD3976D3}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [2007-04-03 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\System32\drivers\o2sd.sys [2007-04-02 35712]
R1 FSLX;FSLX;c:\windows\System32\drivers\fslx.sys [2007-10-03 191360]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20090217.002\IDSvix86.sys [2009-02-20 270384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-02-08 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2007-01-10 38200]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-03 809296]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2008-10-03 28464]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-02-22 2808664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##b462#al]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\shell\Open(&0)\command - Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##cal2fs2#wfire3]
\shell\AutoRun\command - X:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]
\shell\AutoRun\command - Y:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{205fa8f8-f33f-11dd-9e49-0016d3ee7b6f}]
\shell\Auto\command - F:\backupuser.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\backupuser.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b995986-523f-11dd-ad8c-0016d3ee7b6f}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cef0459-d353-11dd-9996-0016d3ee7b6f}]
\shell\AutoRun\command - F:\wdsync.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-23 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Zhong Rong.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 17:09]
.
- - - - ORPHANS REMOVED - - - -

BHO-{07E7AFE0-4378-4E7D-8A37-7A0D4B8DC7B3} - c:\windows\system32\wvULedbY.dll
Notify-AWinNotifyVitaKey MC3000 - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.np.edu.sg/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.sg.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Zhong Rong\AppData\Roaming\Mozilla\Firefox\Profiles\mayz8uik.Zhong Rong\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
1 file(s) moved.
FF - component: c:\users\Zhong Rong\AppData\Roaming\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\users\Zhong Rong\AppData\Roaming\Mozilla\Firefox\Profiles\mayz8uik.Zhong Rong\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 10:29:26
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1777197223-3070770610-3364904613-1003_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):25,9c,97,67,98,65,d7,92,53,d5,eb,3b,82,b4,5d,28,1d,ed,54,86,99,
5c,5b,18,c1,b0,71,d6,92,60,33,cd,db,05,b7,53,d2,f4,39,50,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-1777197223-3070770610-3364904613-1003_Classes\CLSID\{be844469-fc1b-4cd2-9600-22206b552cde}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000011d
"Therad"=dword:0000001e
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,7e,e9,50,eb,ec,ed,bf,e7,19,06,1c,58,14,91,96,20,db,1d,84,00,19,c7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4616)
c:\program files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\System32\conime.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\combofix\hidec.exe
c:\windows\servicing\TrustedInstaller.exe
c:\combofix\Catchme.tmp
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-24 10:37:06 - machine was rebooted [Zhong Rong]
ComboFix-quarantined-files.txt 2009-02-24 02:35:47

Pre-Run: 92,934,213,632 bytes free
Post-Run: 91,946,819,584 bytes free

324 --- E O F --- 2009-02-11 13:23:33
Attached Files
File Type: txt ComboFix.txt (22.0 KB, 1 views)
Old 02-23-2009, 08:49 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,691
OS: 2000 Pro; XP Pro; XP Home


Re: Virus in my system!!!

When dealing with driver based infections, sometimes BSOD happens. It should not occur again, but let me know if it does.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/348867-re-virus-my-system.html#post1986844

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UacDisableNotify"=dword:00000000
    "InternetSettingsDisableNotify"=dword:00000000
    "AutoUpdateDisableNotify"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000000
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##b462#al]
    Reglock::
    [HKEY_USERS\S-1-5-21-1777197223-3070770610-3364904613-1003_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
    [HKEY_USERS\S-1-5-21-1777197223-3070770610-3364904613-1003_Classes\CLSID\{be844469-fc1b-4cd2-9600-22206b552cde}]

    Collect::
    c:\windows\System32\fccbXonL.dll
    c:\windows\System32\ytjbxngd.dll
    c:\windows\instsp1.exe

    DirLook::
    c:\Program Files\Microsoft

    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe

  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box. Do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
  6. I see that UAC is disabled. Sometimes this is by infection, sometimes by user choice. By default, the User Account Control is enabled. Many people find it to be a nuisance (and it is at times), but it is quite effective at protecting Vista. Many people disable it not realizing that when they do, they've essentially brought Vista down to the vulnerabilities of XP.

    Vista UAC does protect

    I would suggest re-enabling UAC.

    Enable UAC
    1. Click on Start > Control Panel.
    2. Double click on User Accounts.
    3. Under Make changes to your user account, click on Turn User Account Control on or off.
    4. Check (tick) this box: Use User Account Control (UAC) to help protect the computer.
    5. Click OK.


    ---------------------------------------------------------------------------------------------


__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
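A read-only check of the same settings, added here as an editor's example (not the thread's or ComboFix's own code): it compares the registry values the logs show weakened (EnableLUA, the Security Center notification keys that tetonbob's CFScript resets, and the three firewall profiles) against their secure defaults, and lists the per-volume AutoRun commands under MountPoints2. It assumes Windows PowerShell 3.0 or later in an elevated prompt on the affected machine; the "Suspicious" heuristic is the editor's, not ComboFix's.

```powershell
# Editor's added example, not code from the thread or from ComboFix. Read-only audit of
# the settings the logs above show weakened, plus the per-volume AutoRun commands under
# MountPoints2. Assumes Windows PowerShell 3.0+ in an elevated prompt; nothing is changed.

# Values taken from the log: EnableLUA=0 (UAC off), the Security Center *DisableNotify
# values set to 1 (warnings suppressed), EnableFirewall=0 on all three firewall profiles.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Expected = 1; Note = 'UAC is disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UacDisableNotify'; Expected = 0; Note = 'UAC warnings suppressed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'InternetSettingsDisableNotify'; Expected = 0; Note = 'Internet settings warnings suppressed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AutoUpdateDisableNotify'; Expected = 0; Note = 'Automatic Update warnings suppressed' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'; Name = 'DisableMonitoring'; Expected = 0; Note = 'Security Center monitoring off' }
)
# Windows Firewall state is kept per profile; "HKLM\~\" in the log is ComboFix shorthand
# for HKLM\SYSTEM\CurrentControlSet\.
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $regChecks += @{
        Path     = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile"
        Name     = 'EnableFirewall'
        Expected = 1
        Note     = "Windows Firewall off for $profile"
    }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (the OS default then applies).
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Every value that is present but differs from the secure default becomes a finding.
$findings = foreach ($c in $regChecks) {
    $actual = Get-RegValue $c.Path $c.Name
    if ($null -ne $actual -and $actual -ne $c.Expected) {
        [pscustomobject]@{
            Setting  = "$($c.Path)\$($c.Name)"
            Actual   = $actual
            Expected = $c.Expected
            Note     = $c.Note
        }
    }
}

# Per-volume AutoRun handlers. A command without a drive letter (the log's
# "Recycled\ctfmon.exe") resolves relative to whichever volume is inserted, the
# removable-media worm pattern ComboFix removed; RunDLL32 ShellExec_RunDLL
# indirection is flagged for review as well. Verb names are enumerated rather than
# hard-coded because the log also shows a non-standard "Open(&0)" verb.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$autoruns = foreach ($vol in Get-ChildItem -LiteralPath $mp -ErrorAction SilentlyContinue) {
    $shellKey = "Registry::$($vol.Name)\Shell"
    if (-not (Test-Path -LiteralPath $shellKey)) { continue }
    foreach ($verb in Get-ChildItem -LiteralPath $shellKey) {
        $cmd = Get-RegValue "Registry::$($verb.Name)\command" '(default)'
        if (-not $cmd) { continue }
        [pscustomobject]@{
            Volume     = $vol.PSChildName
            Verb       = $verb.PSChildName
            Command    = $cmd
            Suspicious = ($cmd -notmatch '^[A-Za-z]:\\') -or ($cmd -match 'ShellExec_RunDLL')
        }
    }
}

Write-Output '== Settings that differ from the secure default =='
$findings | Format-Table -AutoSize
Write-Output '== MountPoints2 AutoRun commands (Suspicious = True first) =='
$autoruns | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On the machine in this thread the first table would list EnableLUA, the three DisableNotify values and the three EnableFirewall values; rerunning it after the fix and after re-enabling UAC confirms the CFScript and step 6 took effect.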
Old 02-23-2009, 09:37 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 159
OS: WinVista Business


Re: Virus in my system!!!

UAC is really irritating for me. Hehe.

Talking about driver based infection, last night my D: drive had ~6GB of space left, but this morning when I checked, it had ~16GB left. Could this be the issue? But all my stuff still looks intact.

Anyway, attached is the log.

ComboFix 09-02-21.01 - Zhong Rong 2009-02-24 12:08:35.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3070.2232 [GMT 8:00]
Running from: c:\users\Zhong Rong\Desktop\ComboFix.exe
Command switches used :: c:\users\Zhong Rong\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\instsp1.exe
c:\windows\system32\drivers\senekawneayjne.sys
c:\windows\System32\fccbXonL.dll
c:\windows\system32\senekadbqnitiw.dll
c:\windows\system32\senekaqahjmixq.dat
c:\windows\system32\senekaucinibsv.dll
c:\windows\system32\senekaxsjmtvqy.dat
c:\windows\system32\senekaymjwxskp.dll
c:\windows\System32\ytjbxngd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-24 12:10 . 2009-02-24 12:10 0 --a------ c:\windows\System32\drivers\seneka.sys
2009-02-24 12:09 . 2009-02-24 12:10 1,416 --a------ c:\windows\System32\senekaemqoiwvt.dat
2009-02-24 10:23 . 2009-02-24 10:24 455,428,851 --a------ c:\windows\MEMORY.DMP
2009-02-24 10:18 . 2009-02-24 12:10 0 --a------ c:\windows\System32\senekapop.dll
2009-02-24 10:18 . 2009-02-24 10:18 0 --a------ c:\windows\System32\drivers\senekarccgrktx.sys
2009-02-22 21:43 . 2009-02-22 21:43 250 --a------ c:\windows\gmer.ini
2009-02-22 13:57 . 2009-02-22 13:57 0 --a------ c:\windows\System32\drivers\senekaodxtpbcv.sys
2009-02-22 13:34 . 2009-02-24 09:53 59 --a------ c:\windows\System32\senekafrpjsflp.dat
2009-02-22 13:29 . 2009-02-22 13:29 67,584 --a------ c:\windows\System32\drivers\senekaahpvqbgi.sys
2009-02-22 13:29 . 2009-02-24 10:12 49,152 --a------ c:\windows\System32\senekaleukdqni.dll
2009-02-22 13:29 . 2009-02-22 13:29 15,872 --a------ c:\windows\System32\senekaprmxvntt.dll
2009-02-22 13:29 . 2009-02-22 13:29 14,336 --a------ c:\windows\System32\senekamifbhvtw.dll
2009-02-22 13:29 . 2009-02-24 10:12 11,531 --a------ c:\windows\System32\senekaulsreoie.dat
2009-02-11 21:17 . 2009-02-11 21:17 <DIR> d-------- c:\program files\Microsoft
2009-02-11 21:03 . 2008-06-20 09:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-11 21:03 . 2008-06-20 09:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-11 21:03 . 2008-06-20 09:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-11 21:03 . 2008-06-20 09:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-11 21:03 . 2008-06-20 09:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-11 21:03 . 2008-06-20 09:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-11 21:03 . 2008-06-20 09:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-11 21:03 . 2008-06-20 09:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-11 20:55 . 2008-07-28 02:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-11 20:55 . 2008-07-28 02:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-11 20:55 . 2008-07-28 02:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-11 20:55 . 2008-07-28 02:03 83,968 --a------ c:\windows\System32\mscories.dll
2009-02-11 20:55 . 2008-07-28 02:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-11 08:19 . 2009-01-15 11:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-11 08:19 . 2009-01-15 14:11 827,392 --a------ c:\windows\System32\wininet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 04:15 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\DMCache
2009-02-24 03:14 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\uTorrent
2009-02-22 14:01 --------- d-----w c:\programdata\Symantec
2009-02-22 05:39 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-02-21 02:17 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\Babylon
2009-02-19 07:43 --------- d-----w c:\program files\Safari
2009-02-11 15:13 --------- d-----w c:\program files\Windows Mail
2009-02-11 13:18 --------- d-----w c:\programdata\Microsoft Help
2009-02-11 13:16 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-08 02:53 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-30 12:43 --------- d-----w c:\program files\RocketDock
2009-01-30 12:43 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-01-30 12:43 --------- d-----w c:\program files\Common Files\Adobe
2009-01-30 10:43 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\vlc
2009-01-30 10:43 --------- d-----w c:\programdata\FLEXnet
2009-01-30 10:43 --------- d-----w c:\program files\MagicISO
2009-01-30 10:43 --------- d-----w c:\program files\DivX
2009-01-04 11:12 --------- d-----w c:\program files\CCleaner
2008-12-28 15:27 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\Sports Interactive
2008-12-28 05:33 --------- d-----w c:\program files\EvilLyrics
2008-12-25 06:24 --------- d-----w c:\program files\Bonjour
2008-06-25 19:45 174 --sha-w c:\program files\desktop.ini
2005-11-15 07:32 3,638 ----a-r c:\program files\Common Files\Altiris_Icon.ico
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\Microsoft ----

2008-11-13 09:34 203112 --a------ c:\program files\Microsoft\Office Live\OLConnector.dll
2008-11-13 09:34 128872 --a------ c:\program files\Microsoft\Office Live\OLConnectorResources.dll
2008-11-13 09:33 97128 --a------ c:\program files\Microsoft\Office Live\OfficeLiveSignIn.exe
2008-11-13 09:33 65896 --a------ c:\program files\Microsoft\Office Live\npOLW.dll
2008-09-09 15:45 7699 --a------ c:\program files\Microsoft\Office Live\muauth.cab


((((((((((((((((((((((((((((( SnapShot@2009-02-24_10.33.36.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-24 02:25:44 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-24 04:15:15 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-24 04:15:15 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-02-24 02:25:43 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-24 04:15:15 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-24 04:15:15 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-02-24 02:23:32 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-24 04:10:14 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-24 02:23:32 98,304 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-24 04:10:14 98,304 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-24 02:23:32 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-24 04:10:14 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-24 02:20:46 124,338 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-24 04:11:52 124,338 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-24 02:20:46 649,990 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-24 04:11:52 649,990 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-24 02:16:44 15,600 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3691893551-3989496584-2027366539-1005_UserData.bin
+ 2009-02-24 04:08:26 15,600 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3691893551-3989496584-2027366539-1005_UserData.bin
- 2009-02-24 02:16:44 102,266 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-24 04:08:26 102,378 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-24 02:16:37 79,228 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-24 04:08:22 79,438 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-07-25 5724184]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-06-10 2594224]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2007-03-28 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-08-02 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6BA02D78-0688-4FD4-B381-0BA6EC2E445C}"= UDP:2967:Symantec Port
"{830EC0D1-7D2A-4138-8316-DE2F8F5FA6B5}"= c:\program files\Acer\Acer Arcade\PowerCinema.exe:CyberLink PowerCinema
"{56E91E22-2C91-4972-8F43-7D8C010D7ABF}"= c:\program files\Acer\Acer Arcade\PCMService.exe:CyberLink PowerCinema Resident Program
"{3311A946-6CCF-47B3-B9CA-BB2803457F9C}"= c:\program files\Acer\Acer Arcade\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{D9F99135-1B77-4849-A37A-6C6193FFE7BF}"= c:\program files\Acer\Acer Arcade\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{FFC012B9-2DAA-4D32-AA95-DCE3366B2389}"= c:\program files\Acer\HomeMedia\HomeMedia.exe:HomeMedia
"{42468EEB-62D2-46AB-A576-41D5CFFE47F9}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{8CAA4C33-7A23-4693-BABB-9AA661D3CA6A}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{E48C3C09-FB2F-4796-B6F2-ABDD37745680}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{4F83BF93-077B-467B-99DE-517BAF490E14}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{A11358CA-DBAF-427D-9EC1-FE7FDAB5FF46}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{A3E86B20-E062-4EEC-9D9C-14F36C23DFFB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{021BD0A7-5924-47E7-A311-9F749BF36061}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{2080A56B-FFD6-49CF-936B-E2E54CC971A1}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{DF2DA15B-AAEE-4D68-888B-D5A833827BEC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C8A947BD-CC98-4889-B255-E3B7A0D0CB1B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{B16CF037-7149-4AAB-9E9E-E623F1F36E19}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{81E299B0-AA33-4EFB-918D-742BCD8BC3F2}"= UDP:c:\users\Zhong Rong\Desktop\utorrent.exe:µTorrent (TCP-In)
"{36C1BCD1-95DA-4E56-A344-61E6C13919B1}"= TCP:c:\users\Zhong Rong\Desktop\utorrent.exe:µTorrent (UDP-In)
"{011FBDC1-3210-49DC-BDC2-8FEF717FE3A9}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent (TCP-In)
"{41004F39-DAB0-4C9A-BDDD-FD4658E0F157}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent (UDP-In)
"{3CE40562-85D1-475F-8153-30DD00BBB8F0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E65889A-A912-426A-8827-81E2FCA3A60E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3987A0AE-EE6A-485A-9D7B-6C67CA89690F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6CBEA433-B353-4105-8131-1C6D1F575D09}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B4FA9184-4B10-4DDA-B0E1-8C18D1257045}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{8FC49B90-D812-4D5F-963C-6E08F1267810}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{98977AEA-4DAE-4C4D-B34C-7B48A28D8B67}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3E9838E8-8EB4-4C76-8E65-C0B4BCF1C6BB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{000FD40D-11B4-48F0-B528-EACC7662C721}"= e:\setup\hpznui01.exe:hpznui01.exe
"{F7AC6B51-0337-4960-A140-25F1D351F057}"= TCP:427|RPort=427|c:\windows\system32\svchost.exe|Svc=HPSLPSVC:SLP_Service
"{9178C1EE-D297-4E2F-9A30-EC261BF63116}"= c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{30209922-FA9E-449A-9D25-F39FC011A99C}"= c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{AD8413C7-FA7F-4DE0-BC35-5327EBE60D97}"= c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{46B47C7F-0557-4349-A36E-00B79B6B7EC4}"= c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{9F8D5762-18B3-4664-97B9-97421F870EFE}"= c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{49DE716C-4125-48F8-9254-89CDEF89C84F}"= c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{2054EC7B-38C5-437B-84BF-33B1525D8143}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4225DAFD-13C3-428B-B32D-E5BBD87B800F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{42A29EF8-2EB4-43C1-B75E-51F1E740DAAD}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{456DD651-35A7-4D37-9C34-783CCD3976D3}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [2007-04-03 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\System32\drivers\o2sd.sys [2007-04-02 35712]
R1 FSLX;FSLX;c:\windows\System32\drivers\fslx.sys [2007-10-03 191360]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20090217.002\IDSvix86.sys [2009-02-20 270384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-02-08 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2007-01-10 38200]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-03 809296]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2008-10-03 28464]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-02-22 2808664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##cal2fs2#wfire3]
\shell\AutoRun\command - X:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]
\shell\AutoRun\command - Y:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{205fa8f8-f33f-11dd-9e49-0016d3ee7b6f}]
\shell\Auto\command - F:\backupuser.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\backupuser.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b995986-523f-11dd-ad8c-0016d3ee7b6f}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cef0459-d353-11dd-9996-0016d3ee7b6f}]
\shell\AutoRun\command - F:\wdsync.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-23 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Zhong Rong.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 17:09]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\fccbXonL.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.np.edu.sg/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.sg.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Zhong Rong\AppData\Roaming\Mozilla\Firefox\Profiles\mayz8uik.Zhong Rong\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\users\Zhong Rong\AppData\Roaming\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\users\Zhong Rong\AppData\Roaming\Mozilla\Firefox\Profiles\mayz8uik.Zhong Rong\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 12:15:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1777197223-3070770610-3364904613-1003_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):25,9c,97,67,98,65,d7,92,53,d5,eb,3b,82,b4,5d,28,1d,ed,54,86,99,
5c,5b,18,c1,b0,71,d6,92,60,33,cd,db,05,b7,53,d2,f4,39,50,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-1777197223-3070770610-3364904613-1003_Classes\CLSID\{be844469-fc1b-4cd2-9600-22206b552cde}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000011d
"Therad"=dword:0000001e
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,7e,e9,50,eb,ec,ed,bf,e7,19,06,1c,58,14,91,96,20,db,1d,84,00,19,c7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5328)
c:\program files\RocketDock\RocketDock.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\conime.exe
c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-02-24 12:23:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 04:23:26
ComboFix2.txt 2009-02-24 02:37:07

Pre-Run: 91,793,858,560 bytes free
Post-Run: 91,498,577,920 bytes free

331 --- E O F --- 2009-02-11 13:23:33
Attached Files
File Type: txt ComboFix.txt (23.9 KB, 1 views)
Old 02-23-2009, 09:46 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,691
OS: 2000 Pro; XP Pro; XP Home


Re: Virus in my system!!!

It may be annoying, but I'd appreciate it if you'd re-enable it for the duration of this fix. It WILL help prevent more malware installing. Also, please stay away from whatever sites you've been visiting recently. The infection seems to have returned.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/348867-re-virus-my-system.html#post1986952

    Collect::
    c:\windows\System32\drivers\seneka.sys
    c:\windows\System32\senekaemqoiwvt.dat
    c:\windows\System32\senekapop.dll
    c:\windows\System32\drivers\senekarccgrktx.sys
    c:\windows\System32\drivers\senekaodxtpbcv.sys
    c:\windows\System32\senekafrpjsflp.dat
    c:\windows\System32\drivers\senekaahpvqbgi.sys
    c:\windows\System32\senekaleukdqni.dll
    c:\windows\System32\senekaprmxvntt.dll
    c:\windows\System32\senekamifbhvtw.dll
    c:\windows\System32\senekaulsreoie.dat
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UacDisableNotify"=dword:00000000
    "InternetSettingsDisableNotify"=dword:00000000
    "AutoUpdateDisableNotify"=dword:00000000


    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

  6. Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

    ---------------------------------------------------------------------------------------------


Please do NOT attach the logs, post them in reply. Thanks.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
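For anyone reading this thread later and wondering how the helper picked the three "DisableNotify" values out of the log, here is an added example (mine, not part of the thread and not a tool from the ComboFix authors) that does the same triage mechanically. It parses the "Reg Loading Points" layout ComboFix prints, flags Security Center notification values set to 1, firewall profiles with EnableFirewall = 0, and removable-media autorun handlers under mountpoints2, and then emits the same kind of Registry:: block the CFScript above used to reset the notification values. The log text inside it is constructed for the demonstration; the mountpoints2 GUID is a placeholder, and the F:\example.exe path is made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the "Reg Loading Points" layout that ComboFix uses.
# Values are made up for this example; the GUID under mountpoints2 is a placeholder.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\shell\AutoRun\command - F:\example.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
AUTORUN_RE = re.compile(r"^\\shell\\(Auto|AutoRun)\\command\s+-\s+(.+)$")

Section = List[Tuple[str, str]]  # (value name, raw value text)


def parse_sections(text: str) -> Dict[str, Section]:
    """Group 'name = value' lines under the [key] header that precedes them."""
    sections: Dict[str, Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2).strip()))
            continue
        m = AUTORUN_RE.match(line)
        if m:  # mountpoints2 autorun handlers carry no quoted name, so give them one
            sections[current].append((f"shell\\{m.group(1)}\\command", m.group(2).strip()))
    return sections


def as_int(value: str):
    """Read both spellings ComboFix prints for a number: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", value)
    if m:
        return int(m.group(1))
    return None


def find_indicators(sections: Dict[str, Section]) -> List[Tuple[str, str, str]]:
    """Return (kind, key, detail) for the settings a clean-up should revisit."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        for name, value in values:
            n = name.lower()
            v = as_int(value)
            if k.endswith("security center") and n.endswith("disablenotify") and v == 1:
                findings.append(("security-center-notify-off", key, name))
            elif "firewallpolicy" in k and k.endswith("profile") and n == "enablefirewall" and v == 0:
                findings.append(("firewall-off", key, name))
            elif "mountpoints2" in k and n.startswith("shell\\"):
                findings.append(("removable-autorun", key, value))
    return findings


def cfscript_registry_block(findings) -> str:
    """Emit a Registry:: block that resets the DisableNotify values to 0, the same
    correction the CFScript in the post above applied. Firewall and autorun findings
    are reported only: the abbreviated HKLM path is ComboFix shorthand rather than a
    writable key, and autorun handlers need a person to decide what is legitimate."""
    by_key: Dict[str, List[str]] = {}
    for kind, key, name in findings:
        if kind == "security-center-notify-off":
            by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=dword:00000000' for name in names)
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_indicators(parse_sections(SAMPLE_LOG))
    for kind, key, detail in found:
        print(f"{kind:28} {detail}  <- {key}")
    print(cfscript_registry_block(found))
```

Run it as-is and it prints four findings from the sample (two notification values, the domain-profile firewall, and the autorun handler) followed by a Registry:: block resetting only the two notification values. To use it on a real log, replace SAMPLE_LOG with the file contents; the findings are a starting point for the person reading the log, not a verdict, since a firewall switched off or an autorun handler on a removable drive can be the user's own doing.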
Old 02-23-2009, 10:32 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 159
OS: WinVista Business


Re: Virus in my system!!!

Quote:
ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. Follow the prompts.
Had an error. (in screenshot)


So do I upload it manually?
Old 02-23-2009, 10:34 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,691
OS: 2000 Pro; XP Pro; XP Home


Re: Virus in my system!!!

I can't view that image. Attach it to the post, although, it's not really needed, as the upload went through. Please post the ComboFix log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 02-23-2009, 10:41 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 159
OS: WinVista Business


Re: Virus in my system!!!

Okay, attached the screenshot and here's the log.

I had not done the second part (anti-malware) of the instructions yet.

------------------------------------------------------------------------------------------------------------------

ComboFix 09-02-21.01 - Zhong Rong 2009-02-24 13:02:31.3 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3070.2036 [GMT 8:00]
Running from: c:\users\Zhong Rong\Desktop\ComboFix.exe
Command switches used :: c:\users\Zhong Rong\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\System32\drivers\seneka.sys
c:\windows\System32\drivers\senekaahpvqbgi.sys
c:\windows\System32\drivers\senekaodxtpbcv.sys
c:\windows\System32\drivers\senekarccgrktx.sys
c:\windows\System32\senekaemqoiwvt.dat
c:\windows\System32\senekafrpjsflp.dat
c:\windows\System32\senekaleukdqni.dll
c:\windows\System32\senekamifbhvtw.dll
c:\windows\System32\senekapop.dll
c:\windows\System32\senekaprmxvntt.dll
c:\windows\System32\senekaulsreoie.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-24 10:23 . 2009-02-24 13:11 290,921,232 --a------ c:\windows\MEMORY.DMP
2009-02-22 21:43 . 2009-02-22 21:43 250 --a------ c:\windows\gmer.ini
2009-02-11 21:17 . 2009-02-11 21:17 <DIR> d-------- c:\program files\Microsoft
2009-02-11 21:03 . 2008-06-20 09:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-11 21:03 . 2008-06-20 09:14 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-11 21:03 . 2008-06-20 09:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-11 21:03 . 2008-06-20 09:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-11 21:03 . 2008-06-20 09:14 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-11 21:03 . 2008-06-20 09:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-11 21:03 . 2008-06-20 09:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-11 21:03 . 2008-06-20 09:14 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-11 20:55 . 2008-07-28 02:03 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-11 20:55 . 2008-07-28 02:03 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-11 20:55 . 2008-07-28 02:03 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-11 20:55 . 2008-07-28 02:03 83,968 --a------ c:\windows\System32\mscories.dll
2009-02-11 20:55 . 2008-07-28 02:03 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-11 08:19 . 2009-01-15 11:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-11 08:19 . 2009-01-15 14:11 827,392 --a------ c:\windows\System32\wininet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 05:04 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\DMCache
2009-02-24 03:14 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\uTorrent
2009-02-22 14:01 --------- d-----w c:\programdata\Symantec
2009-02-22 05:39 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-02-21 02:17 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\Babylon
2009-02-19 07:43 --------- d-----w c:\program files\Safari
2009-02-11 15:13 --------- d-----w c:\program files\Windows Mail
2009-02-11 13:18 --------- d-----w c:\programdata\Microsoft Help
2009-02-11 13:16 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-08 02:53 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-30 12:43 --------- d-----w c:\program files\RocketDock
2009-01-30 12:43 --------- d-----w c:\program files\Common Files\Adobe Systems Shared
2009-01-30 12:43 --------- d-----w c:\program files\Common Files\Adobe
2009-01-30 10:43 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\vlc
2009-01-30 10:43 --------- d-----w c:\programdata\FLEXnet
2009-01-30 10:43 --------- d-----w c:\program files\MagicISO
2009-01-30 10:43 --------- d-----w c:\program files\DivX
2009-01-04 11:12 --------- d-----w c:\program files\CCleaner
2008-12-28 15:27 --------- d-----w c:\users\Zhong Rong\AppData\Roaming\Sports Interactive
2008-12-28 05:33 --------- d-----w c:\program files\EvilLyrics
2008-12-25 06:24 --------- d-----w c:\program files\Bonjour
2008-06-25 19:45 174 --sha-w c:\program files\desktop.ini
2005-11-15 07:32 3,638 ----a-r c:\program files\Common Files\Altiris_Icon.ico
.

((((((((((((((((((((((((((((( SnapShot@2009-02-24_10.33.36.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-24 02:23:38 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-02-24 05:12:17 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-02-24 02:23:38 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-02-24 05:12:17 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-02-24 02:25:44 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-24 05:14:16 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2009-02-24 05:14:16 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2009-02-24 02:25:43 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-24 05:14:16 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-02-24 05:14:16 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-02-24 02:23:32 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-02-24 04:59:46 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-24 02:23:32 98,304 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-24 04:59:46 98,304 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-24 02:23:32 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-24 04:59:46 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-24 02:20:46 124,338 ----a-w c:\windows\System32\perfc009.dat
+ 2009-02-24 05:01:07 124,338 ----a-w c:\windows\System32\perfc009.dat
- 2009-02-24 02:20:46 649,990 ----a-w c:\windows\System32\perfh009.dat
+ 2009-02-24 05:01:07 649,990 ----a-w c:\windows\System32\perfh009.dat
- 2009-02-24 02:16:44 15,600 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3691893551-3989496584-2027366539-1005_UserData.bin
+ 2009-02-24 04:57:53 16,154 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3691893551-3989496584-2027366539-1005_UserData.bin
- 2009-02-24 02:16:44 102,266 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-02-24 04:57:53 102,490 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-02-24 02:16:37 79,228 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-02-24 04:57:51 79,700 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-07-25 5724184]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-06-10 2594224]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"PLFSet"="c:\windows\PLFSet.dll" [2007-04-24 45056]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2007-03-28 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-08-02 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6BA02D78-0688-4FD4-B381-0BA6EC2E445C}"= UDP:2967:Symantec Port
"{830EC0D1-7D2A-4138-8316-DE2F8F5FA6B5}"= c:\program files\Acer\Acer Arcade\PowerCinema.exe:CyberLink PowerCinema
"{56E91E22-2C91-4972-8F43-7D8C010D7ABF}"= c:\program files\Acer\Acer Arcade\PCMService.exe:CyberLink PowerCinema Resident Program
"{3311A946-6CCF-47B3-B9CA-BB2803457F9C}"= c:\program files\Acer\Acer Arcade\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{D9F99135-1B77-4849-A37A-6C6193FFE7BF}"= c:\program files\Acer\Acer Arcade\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{FFC012B9-2DAA-4D32-AA95-DCE3366B2389}"= c:\program files\Acer\HomeMedia\HomeMedia.exe:HomeMedia
"{42468EEB-62D2-46AB-A576-41D5CFFE47F9}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{8CAA4C33-7A23-4693-BABB-9AA661D3CA6A}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{E48C3C09-FB2F-4796-B6F2-ABDD37745680}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{4F83BF93-077B-467B-99DE-517BAF490E14}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{A11358CA-DBAF-427D-9EC1-FE7FDAB5FF46}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent
"{A3E86B20-E062-4EEC-9D9C-14F36C23DFFB}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{021BD0A7-5924-47E7-A311-9F749BF36061}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{2080A56B-FFD6-49CF-936B-E2E54CC971A1}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{DF2DA15B-AAEE-4D68-888B-D5A833827BEC}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C8A947BD-CC98-4889-B255-E3B7A0D0CB1B}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{B16CF037-7149-4AAB-9E9E-E623F1F36E19}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{81E299B0-AA33-4EFB-918D-742BCD8BC3F2}"= UDP:c:\users\Zhong Rong\Desktop\utorrent.exe:µTorrent (TCP-In)
"{36C1BCD1-95DA-4E56-A344-61E6C13919B1}"= TCP:c:\users\Zhong Rong\Desktop\utorrent.exe:µTorrent (UDP-In)
"{011FBDC1-3210-49DC-BDC2-8FEF717FE3A9}"= UDP:c:\program files\uTorrent\utorrent.exe:µTorrent (TCP-In)
"{41004F39-DAB0-4C9A-BDDD-FD4658E0F157}"= TCP:c:\program files\uTorrent\utorrent.exe:µTorrent (UDP-In)
"{3CE40562-85D1-475F-8153-30DD00BBB8F0}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{1E65889A-A912-426A-8827-81E2FCA3A60E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3987A0AE-EE6A-485A-9D7B-6C67CA89690F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6CBEA433-B353-4105-8131-1C6D1F575D09}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{B4FA9184-4B10-4DDA-B0E1-8C18D1257045}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{8FC49B90-D812-4D5F-963C-6E08F1267810}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{98977AEA-4DAE-4C4D-B34C-7B48A28D8B67}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3E9838E8-8EB4-4C76-8E65-C0B4BCF1C6BB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{000FD40D-11B4-48F0-B528-EACC7662C721}"= e:\setup\hpznui01.exe:hpznui01.exe
"{F7AC6B51-0337-4960-A140-25F1D351F057}"= TCP:427|RPort=427|c:\windows\system32\svchost.exe|Svc=HPSLPSVC:SLP_Service
"{9178C1EE-D297-4E2F-9A30-EC261BF63116}"= c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{30209922-FA9E-449A-9D25-F39FC011A99C}"= c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{AD8413C7-FA7F-4DE0-BC35-5327EBE60D97}"= c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{46B47C7F-0557-4349-A36E-00B79B6B7EC4}"= c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{9F8D5762-18B3-4664-97B9-97421F870EFE}"= c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{49DE716C-4125-48F8-9254-89CDEF89C84F}"= c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{2054EC7B-38C5-437B-84BF-33B1525D8143}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4225DAFD-13C3-428B-B32D-E5BBD87B800F}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{42A29EF8-2EB4-43C1-B75E-51F1E740DAAD}"= UDP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009
"{456DD651-35A7-4D37-9C34-783CCD3976D3}"= TCP:c:\program files\Sports Interactive\Football Manager 2009\fm.exe:Football Manager 2009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 O2MDRDR;O2MDRDR;c:\windows\System32\drivers\o2media.sys [2007-04-03 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\System32\drivers\o2sd.sys [2007-04-02 35712]
R1 FSLX;FSLX;c:\windows\System32\drivers\fslx.sys [2007-10-03 191360]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20090217.002\IDSvix86.sys [2009-02-20 270384]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2008-08-03 809296]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [2007-02-08 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-03 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2007-01-10 38200]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2008-10-03 28464]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [2008-02-01 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [2008-02-01 8320]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2007-02-22 2808664]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##cal2fs2#wfire3]
\shell\AutoRun\command - X:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Y]
\shell\AutoRun\command - Y:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{205fa8f8-f33f-11dd-9e49-0016d3ee7b6f}]
\shell\Auto\command - F:\backupuser.exe
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\backupuser.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b995986-523f-11dd-ad8c-0016d3ee7b6f}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7cef0459-d353-11dd-9996-0016d3ee7b6f}]
\shell\AutoRun\command - F:\wdsync.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-23 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Zhong Rong.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-14 17:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.np.edu.sg/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.sg.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://sg.rd.yahoo.com/customize/ycomp/defaults/su/*http://sg.yahoo.com
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\Zhong Rong\AppData\Roaming\Mozilla\Firefox\Profiles\mayz8uik.Zhong Rong\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\users\Zhong Rong\AppData\Roaming\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\users\Zhong Rong\AppData\Roaming\Mozilla\Firefox\Profiles\mayz8uik.Zhong Rong\extensions\bkmrksync@nokia.com\components\BkMrkExt.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 13:14:18
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1777197223-3070770610-3364904613-1003_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):25,9c,97,67,98,65,d7,92,53,d5,eb,3b,82,b4,5d,28,1d,ed,54,86,99,
5c,5b,18,c1,b0,71,d6,92,60,33,cd,db,05,b7,53,d2,f4,39,50,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-1777197223-3070770610-3364904613-1003_Classes\CLSID\{be844469-fc1b-4cd2-9600-22206b552cde}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:0000011d
"Therad"=dword:0000001e
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,7e,e9,50,eb,ec,ed,bf,e7,19,06,1c,58,14,91,96,20,db,1d,84,00,19,c7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5944)
c:\program files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\conime.exe
c:\program files\Altiris\Altiris Agent\AeXAgentUIHost.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-02-24 13:22:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-24 05:22:13
ComboFix2.txt 2009-02-24 04:23:39
ComboFix3.txt 2009-02-24 02:37:07

Pre-Run: 91,359,608,832 bytes free
Post-Run: 91,071,049,728 bytes free

313 --- E O F --- 2009-02-11 13:23:33

------------------------------------------------------------------------------------------------------------------
Attached Images
File Type: jpg Error.jpg (296.3 KB, 16 views)
Old 02-23-2009, 10:45 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,691
OS: 2000 Pro; XP Pro; XP Home


Re: Virus in my system!!!

Ok, thanks....did you use CF-Submit.htm? In any case, the collected files were uploaded, so that's what counts.

Please do continue with the rest of the steps.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 02-23-2009, 10:59 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 159
OS: WinVista Business


Re: Virus in my system!!!

Nope, I did not use CF-Submit.htm.

After the scan, they stated that there are no infected files and a log just popped up:

-------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.34
Database version: 1798
Windows 6.0.6001 Service Pack 1

24/2/2009 1:57:00 PM
mbam-log-2009-02-24 (13-57-00).txt

Scan type: Quick Scan
Objects scanned: 70709
Time elapsed: 3 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-------------------------------------------------------------------------------------------------------------------
Old 02-23-2009, 11:18 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,691
OS: 2000 Pro; XP Pro; XP Home


Re: Virus in my system!!!

OK, good.

More work to do...

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 02-24-2009, 12:50 AM   #13 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 159
OS: WinVista Business


Re: Virus in my system!!!

The updating of the database is taking ages, and is still updating. Still a long way to go I think.

Anyway, my system still looks as per normal. When infected, Norton would once in a while pop up saying that "Packed.Generic.203" has been blocked. But now it doesn't.

And, like what I had stated in my previous post, last night my D: drive was left with ~6GB of space, but this morning when I checked, it was left with ~16GB. But all my stuff still looked intact. I'm not sure if it has something to do with the virus.
Old 02-24-2009, 03:42 AM   #14 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 159
OS: WinVista Business


Re: Virus in my system!!!

Here's the log from Kaspersky:

-------------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, February 24, 2009
Operating System: Microsoft Windows Vista Business Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, February 24, 2009 07:00:44
Records in database: 1837212
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
Y:\
Z:\

Scan statistics:
Files scanned: 288021
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 02:40:14


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\drivers\senekawneayjne.sys.vir Infected: Rootkit.Win32.TDSS.phm 1
C:\Qoobox\Quarantine\[4]-Submit_2009-02-24@12.07.zip Infected: Trojan.Win32.Monder.bdnx 1
C:\Qoobox\Quarantine\[4]-Submit_2009-02-24@12.07.zip Infected: Trojan.Win32.Monderb.aknp 1
C:\Qoobox\Quarantine\[4]-Submit_2009-02-24@12.07.zip Infected: Trojan.Win32.Monder.bdri 1
C:\Qoobox\Quarantine\[4]-Submit_2009-02-24@12.59.zip Infected: Rootkit.Win32.TDSS.phm 1

The selected area was scanned.

-------------------------------------------------------------------------------------------------------------
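Every hit in the Kaspersky report above sits under C:\Qoobox\Quarantine, the folder ComboFix moves removed files into (renaming them with a .vir extension). The script below is an added example, not a tool from this thread: it parses report lines of that shape and separates already-quarantined copies from detections on live paths. The first three sample lines are copied from the posted log; the fourth is a made-up path included only to show the live case.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the Kaspersky Online Scanner 7 report posted
# above. The first three detection lines are copied from that log; the fourth is
# a made-up path added only to show how a detection outside quarantine is handled.
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\drivers\senekawneayjne.sys.vir Infected: Rootkit.Win32.TDSS.phm 1
C:\Qoobox\Quarantine\[4]-Submit_2009-02-24@12.07.zip Infected: Trojan.Win32.Monder.bdnx 1
C:\Qoobox\Quarantine\[4]-Submit_2009-02-24@12.59.zip Infected: Rootkit.Win32.TDSS.phm 1
C:\Windows\System32\drivers\hypothetical_live.sys Infected: Rootkit.Win32.TDSS.phm 1

The selected area was scanned.
"""

# ComboFix keeps everything it removed under this folder (seen in the log above),
# renaming files with a .vir extension so they cannot run.
QUARANTINE_PREFIXES = (r"C:\Qoobox\Quarantine",)

DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)

@dataclass
class Detection:
    path: str
    status: str
    threat: str
    count: int

def parse_report(text: str) -> List[Detection]:
    """Extract one Detection per 'File name / Threat name / Threats count' line."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["status"], m["threat"], int(m["count"])))
    return found

def _under(path: str, prefix: str) -> bool:
    # Windows paths are case-insensitive; compare on a normalised form.
    p, q = path.lower().replace("/", "\\"), prefix.lower().rstrip("\\") + "\\"
    return p.startswith(q)

def triage(detections, prefixes=QUARANTINE_PREFIXES) -> Dict[str, List[Detection]]:
    """Split detections into already-quarantined copies and live files on disk."""
    result: Dict[str, List[Detection]] = {"quarantined": [], "live": []}
    for d in detections:
        key = "quarantined" if any(_under(d.path, p) for p in prefixes) else "live"
        result[key].append(d)
    return result

def threat_families(detections) -> Dict[str, int]:
    """Sum detections per threat name; len() of the result is the report's 'Threat name:' figure."""
    tally: Dict[str, int] = {}
    for d in detections:
        tally[d.threat] = tally.get(d.threat, 0) + d.count
    return tally

if __name__ == "__main__":
    split = triage(parse_report(SAMPLE_REPORT))
    print(len(split["quarantined"]), "quarantined,", len(split["live"]), "live")
```

Only the "live" list needs follow-up; the quarantined entries disappear with the quarantine folder when ComboFix is uninstalled.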
Old 02-24-2009, 08:25 AM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,691
OS: 2000 Pro; XP Pro; XP Home


Re: Virus in my system!!!

Quote:
D: drive was left with ~6GB of space, but this morning when I checked, it was left with ~16GB. But all my stuff still looked intact. I'm not sure if it has something to do with the virus.
Not sure what to tell you there. That's more space, not less. Is that a problem?

The other items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below.

Other than that....

Your logs appear clean. You should be good to go. We still have a few items to address.

Press the Windows key + R -> in the Run box which opens -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
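The MVPS mechanism described in the post above (ad hostnames mapped to the local machine so the connection never leaves the PC) can be checked offline. This added example is not part of the thread or of the MVPS download: it parses a constructed HOSTS file in that layout, answers lookups the way the resolver consults the file before DNS, and flags any entry that sends a hostname somewhere other than the local machine, which the MVPS file never does. All hostnames and the 198.51.100.7 address are made up.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample in the MVPS HOSTS layout: the localhost lines, then ad and
# tracking hostnames (all made up here) pointed at the local machine so that
# connections to them never leave the PC.
SAMPLE_HOSTS = """\
# MVPS HOSTS file (constructed sample for this example)
127.0.0.1  localhost
::1        localhost
127.0.0.1  ads.example-tracker.test  # banner network
127.0.0.1  counter.example-stats.test pixel.example-stats.test
0.0.0.0    beacon.example-metrics.test
"""

# One extra, made-up line of the kind the MVPS file never contains: a hostname
# sent to a routable address instead of the local machine.
TAMPERED_LINE = "198.51.100.7  update.example-vendor.test\n"

Entry = Tuple[str, str]  # (ip address, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return (ip, hostname) pairs; '#' comments dropped, one pair per hostname."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a HOSTS entry
        entries.extend((ip, n.lower()) for n in names)
    return entries


def resolve(entries: List[Entry], hostname: str) -> Optional[str]:
    """Mimic the HOSTS lookup done before DNS: first matching name wins."""
    target = hostname.lower()
    for ip, name in entries:
        if name == target:
            return ip
    return None


def audit(entries: List[Entry]) -> Dict[str, list]:
    """Sinkholed names (127.0.0.1, ::1, 0.0.0.0) versus names sent anywhere else."""
    report: Dict[str, list] = {"blocked": [], "redirected": []}
    for ip, name in entries:
        if name == "localhost":
            continue
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            report["blocked"].append(name)
        else:
            report["redirected"].append((name, ip))
    return report


if __name__ == "__main__":
    clean = parse_hosts(SAMPLE_HOSTS)
    print(resolve(clean, "ADS.example-tracker.test"), audit(clean)["redirected"])
```

A non-empty "redirected" list after installing the MVPS file means the HOSTS file on disk is not the one that was downloaded.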
Old 02-24-2009, 08:48 AM   #16 (permalink)
Registered User
 
Join Date: Dec 2006
Posts: 159
OS: WinVista Business


Re: Virus in my system!!!

Quote:
Not sure what to tell you there. That's more space, not less. Is that a problem?
Hmm, it just feels weird that suddenly there is an extra 10GB out of nowhere.

Thanks anyway! :)
Copyright 2001 - 2009, Tech Support Forum