Hi Markamus,
Hey, sorry for the delay. Was busy enjoying my weekend.
This is an office PC that has been infected, you see!
Anyway, here's the ComboFix log.
Please tell me how to proceed further.
ComboFix 08-06-04.5 - abhijeet.savle 2008-06-05 16:48:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.474 [GMT 5.5:30]
Running from: E:\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BMeb3ddf2f.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\byXNfEts.dll
C:\WINDOWS\system32\cevvstkx.ini
C:\WINDOWS\system32\dxofypqu.ini
C:\WINDOWS\system32\lmutcohd.ini
C:\WINDOWS\system32\osttojwa.ini
C:\WINDOWS\system32\stEfNXyb.ini
C:\WINDOWS\system32\stEfNXyb.ini2
C:\WINDOWS\system32\urqonnno.dll
C:\WINDOWS\system32\vshatvye.ini
C:\WINDOWS\system32\vuuadffv.ini
----- BITS: Possible infected sites -----
hxxp://172.16.0.185
.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.
2008-06-05 15:10 . 2008-06-05 15:10 2,126 --a------ C:\WINDOWS\system32\wpa.dbl
2008-06-05 12:26 . 2008-06-05 12:26 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-06-05 10:54 . 2008-06-05 10:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-05 10:54 . 2008-06-05 10:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-04 18:51 . 2008-06-04 18:51 <DIR> d-------- C:\Program Files\iTunes
2008-06-04 18:51 . 2008-06-04 18:51 <DIR> d-------- C:\Program Files\iPod
2008-06-04 18:51 . 2008-06-05 10:54 <DIR> d-------- C:\Documents and Settings\abhijeet.savle\Application Data\Apple Computer
2008-06-04 18:50 . 2008-06-04 18:50 <DIR> d-------- C:\Program Files\QuickTime
2008-06-04 18:50 . 2008-06-04 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-04 15:14 . 2008-06-05 15:07 <DIR> d-------- C:\!KillBox
2008-06-04 14:21 . 2008-06-04 14:21 <DIR> d-------- C:\Program Files\AvaFind
2008-06-04 14:21 . 2008-06-05 15:23 <DIR> d-------- C:\Documents and Settings\abhijeet.savle\Application Data\AvaFind Data
2008-06-04 12:04 . 2008-06-04 12:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-04 12:04 . 2008-06-04 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-04 11:05 . 2008-06-04 11:05 <DIR> d-------- C:\WINDOWS\system32\SmitfraudFix
2008-06-03 11:33 . 2008-06-03 11:44 <DIR> d-------- C:\Program Files\GoldWave
2008-05-30 12:42 . 2008-05-30 12:42 <DIR> d-------- C:\Documents and Settings\ABHIJE~1~SAV\LOCALS~1
2008-05-30 12:42 . 2008-05-30 12:42 <DIR> d-------- C:\Documents and Settings\ABHIJE~1~SAV
2008-05-29 18:03 . 2007-03-17 04:21 <DIR> d-------- C:\Program Files\libmp3lame-3.97
2008-05-29 17:19 . 2008-05-29 17:19 <DIR> d-------- C:\Documents and Settings\lavanya.rajagopalan
2008-05-22 14:32 . 2008-05-22 14:33 <DIR> d-------- C:\Program Files\gtheme
2008-05-20 14:36 . 2008-05-20 14:36 <DIR> d-------- C:\Program Files\My Lockbox
2008-05-20 14:36 . 2007-12-13 20:13 17,264 --a------ C:\WINDOWS\system32\drivers\mprifl.sys
2008-05-19 13:57 . 2008-05-19 13:57 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-05-14 19:04 . 2008-05-14 19:04 <DIR> d-------- C:\Documents and Settings\abhijeet.savle\Application Data\tor
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 11:22 --------- d-----w C:\Documents and Settings\abhijeet.savle\Application Data\OpenOffice.org2
2008-06-05 11:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\vulScan
2008-06-04 12:26 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-02 12:57 --------- d-----w C:\Documents and Settings\abhijeet.savle\Application Data\Audacity
2008-06-02 05:04 --------- d-----w C:\Program Files\DAP
2008-05-30 07:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-30 07:16 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-30 09:35 --------- d-----w C:\Documents and Settings\abhijeet.savle\Application Data\CopyTransControlCenter
2008-04-30 09:15 --------- d-----w C:\Documents and Settings\abhijeet.savle\Application Data\CopyTransManager
2008-04-23 09:36 --------- d-----w C:\Program Files\Easy RealMedia Tools
2008-04-17 05:00 --------- d-----w C:\Program Files\Elitecore
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35d0e591-18f0-45b5-8e3f-237921f053e5}]
C:\WINDOWS\system32\wbvipmnc.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-13 18:11 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16 4670968]
"AvaFind"="C:\Program Files\AvaFind\AvaFind.exe" [2004-06-01 12:48 295936]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-05-08 09:28 1015808]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-05 21:23 141848]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-05 21:23 162328]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-05 21:22 137752]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2008-03-14 15:06 136512]
"SDClientMonitor"="C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2006-11-01 08:06 258048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50 112216]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:52 3739648]
"Single Signon"="C:\Program Files\Elitecore\Single Signon\SSCyberoam_7310.exe" [2006-12-22 20:32 57344]
"flockbox"="C:\Program Files\My Lockbox\flockbox.exe" [2007-12-14 16:59 1071472]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 15:30 53760 C:\WINDOWS\system32\narrator.exe]
C:\Documents and Settings\abhijeet.savle\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 20:45:54 65588]
SnagIt 8.lnk - C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe [2006-03-14 09:01:00 5517312]
VPN Client.lnk - C:\WINDOWS\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2008-03-12 15:45:53 6144]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2008-03-17 15:17:02 19968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.divxa32"= divxa32.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\
0\
0]
"Script"=\\FPS.NIHILENT.com\SysVol\FPS.NIHILENT.COM\scripts\cyberlogin.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\
0]
"Script"=\\nipns00a150\SYSVOL\FPS.NIHILENT.COM\scripts\cyberlogin.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12418\Scripts\Logon\
0\
0]
"Script"=a.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12418\Scripts\Logon\
0\1]
"Script"=\\FPS.NIHILENT.com\SysVol\FPS.NIHILENT.COM\scripts\cyberlogin.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12418\Scripts\Logon\1\
0]
"Script"=cyberlogin.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12440\Scripts\Logon\
0\
0]
"Script"=a.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1644491937-484061587-725345543-12440\Scripts\Logon\1\
0]
"Script"=a.bat
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\WINDOWS\\system32\\cba\\pds.exe"=
"C:\\WINDOWS\\system32\\msgsys.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"C:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
R0 MPRIFL;MPRIFL;C:\WINDOWS\system32\DRIVERS\MPRIFL.SYS [2007-12-13 20:13]
R2 CBA8;LANDesk(R) Management Agent;"C:\Program Files\LANDesk\Shared Files\residentagent.exe" [2007-01-09 11:03]
R2 Softmon;LANDesk(R) Software Monitoring Service;"C:\Program Files\LANDesk\LDClient\softmon.exe" [2007-04-27 05:53]
R3 ldblank;Screen Blanking driver for Remote Control;C:\WINDOWS\system32\DRIVERS\ldblank.sys [2005-07-02 05:18]
R3 ldmirror;ldmirror;C:\WINDOWS\system32\DRIVERS\ldmirror.sys [2005-07-02 05:18]
R3 mirrorflt;Mirror Filter Driver for Uninstall;C:\WINDOWS\system32\DRIVERS\mirrorflt.sys [2005-07-02 05:18]
S3 TPPWRIF;TPPWRIF;C:\Documents and Settings\All Users\Application Data\vulScan\TPPWRIF.sys [2006-09-21 17:53]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-06-05 16:51:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\Mctray.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\TechSmith\SnagIt 8\TscHelp.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2008-06-05 16:53:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 11:23:37
Pre-Run: 14,533,349,376 bytes free
Post-Run: 14,519,353,344 bytes free