
Virus removal help

Microsoft® Windows® Malicious Software Removal Tool removed:
TrojanDownloader:Win32/cutwail.AQ
Virus:Win32/cutwail.G
(I could only run this program in safe mode)

Restart

Ran ATF-Cleaner (Could only run in safe mode)
*Received error "Application cannot be executed. The file ATF-Cleaner.exe is infected. Do you want to activate your anti virus software now?"*

Restart

Ran MBAM.EXE. (Could only run in safe mode)
*Received error "Application cannot be executed. The file MBAM.EXE is infected. Do you want to activate your anti virus software now?"*

This is the log I did shortly after computer was infected.

Malwarebytes' Anti-Malware 1.37
Database version: 2261
Windows 5.1.2600 Service Pack 3

12/11/2009 10:31:40 AM
mbam-log-2009-12-11 (10-31-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 394178
Time elapsed: 1 hour(s), 8 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: izeap6.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\izeap6.dll (Trojan.Vundo.H) -> Delete on reboot.

I cannot run ESET because I cannot get on the internet with the computer.

DDS log:

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by MikeKafka at 9:04:04.09 on Tue 12/15/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2570 [GMT -6:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/* http://www.yahoo.com
uStart Page = hxxp://www.yahoo.com/
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/* http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com/
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/* http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/* http://www.yahoo.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/* http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/* http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ttool] c:\windows\srsdllpro.exe
uRun: [av_md] c:\documents and settings\mikekafka\av_md.exe
uRun: [peqqlgij] c:\windows\system32\config\systemprofile\local settings\application data\dirfut\kqnfsysguard.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [SolidWorks_CheckForUpdates] "c:\program files\common files\solidworks installation manager\scheduler\sldIMScheduler.exe" /scheduler
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HP Network Registry Agent] c:\windows\system32\hpnra.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [sysgif32] c:\windows\temp\~TM5F.tmp
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [peqqlgij] c:\windows\system32\config\systemprofile\local settings\application data\dirfut\kqnfsysguard.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [] c:\documents and settings\networkservice\.exe /i
StartupFolder: c:\docume~1\mikeka~1\startm~1\programs\startup\solidw~1.lnk - c:\program files\solidworks2007\swscheduler\swBOEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{3e5562ed-69ab-4cec-91e2-64e18ec5acc6}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123169160567
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147888441115
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 192.168.5.10 kmcfs1.com

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-28 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-10-28 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-10-28 2477304]
S2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S2 MSSQL$SIGMANEST;SQL Server (SIGMANEST);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;c:\program files\solidworks2007\cosmosfloworks\floworks\bincfw\StandAloneSlv.exe [2008-1-23 245760]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-3-21 24652]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-10-28 23888]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-11-3 102448]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-6-11 40160]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091124.050\NAVENG.SYS [2009-11-25 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091124.050\NAVEX15.SYS [2009-11-25 1323568]

=============== Created Last 30 ================

2009-12-15 13:43:24 0 ----a-w- c:\documents and settings\mikekafka\mikekafka.exe
2009-12-14 13:53:06 0 d-----w- C:\69b7e6b16957ee122e89
2009-12-14 13:53:04 0 d-----w- C:\92546d5f3d170e73ec0bf0
2009-12-14 13:52:57 0 d-----w- C:\91cdd5b4f92a414575b8
2009-12-14 13:52:54 0 d-----w- C:\24c80100adea7db056daa981c8
2009-12-11 00:12:48 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-11 00:11:59 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat
2009-12-11 00:11:56 66048 ----a-w- c:\windows\srsdllpro.exe
2009-12-11 00:11:48 4 ----a-w- c:\docume~1\mikeka~1\applic~1\avdrn.dat
2009-11-18 02:10:58 0 d-----w- c:\docume~1\mikeka~1\applic~1\DassaultSystemes

==================== Find3M ====================

2009-12-11 00:12:48 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 19:08:22 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-29 05:38:23 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 05:38:23 667136 ------w- c:\windows\system32\dllcache\wininet.dll
2009-10-29 05:38:22 627712 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-10-29 05:38:22 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-10-28 17:54:39 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-10-28 17:54:39 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-10-28 17:54:39 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-10-28 17:54:39 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-10-28 17:44:52 9892 ----a-w- c:\windows\system32\drivers\SymRedir.cat
2009-10-28 17:44:52 39856 ----a-w- c:\windows\system32\drivers\symids.sys
2009-10-28 17:44:52 38448 ----a-w- c:\windows\system32\drivers\symndisv.sys
2009-10-28 17:44:52 35120 ----a-w- c:\windows\system32\drivers\symndis.sys
2009-10-28 17:44:52 26416 ----a-w- c:\windows\system32\drivers\symredrv.sys
2009-10-28 17:44:52 188080 ----a-w- c:\windows\system32\drivers\symtdi.sys
2009-10-28 17:44:52 145968 ----a-w- c:\windows\system32\drivers\symfw.sys
2009-10-28 17:44:52 1356 ----a-w- c:\windows\system32\drivers\SymRedir.inf
2009-10-28 17:44:52 12720 ----a-w- c:\windows\system32\drivers\symdns.sys
2009-10-28 17:44:50 706 ----a-w- c:\windows\system32\drivers\COH_Mon.inf
2009-10-28 17:44:50 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2009-10-28 17:44:50 10537 ----a-w- c:\windows\system32\drivers\coh_mon.cat
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-16 00:07:20 262144 ----a-w- C:\ntuser.dat
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-09-25 05:37:09 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:37:09 81920 ------w- c:\windows\system32\dllcache\ieencode.dll

============= FINISH: 9:04:17.82 ===============


Attach.txt is attached.

Please help!

sklingb1
Junior Poster
109 posts since Apr 2009
Reputation Points: 10
Solved Threads: 0
 

ESET Scan -- safe mode only -- I can't get on the internet in normal mode.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=45aa0fef9fb508458ce485722538cc53
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-15 07:34:12
# local_time=2009-12-15 01:34:12 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=198120
# found=2
# cleaned=2
# scan_time=3683
C:\WINDOWS\srsdllpro.exe a variant of Win32/Kryptik.BIP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\dirfut\kqnfsysguard.exe Win32/Adware.SpyProtector.N application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

sklingb1

Hi Scott,

That looks like an extremely nasty infection with many possibly modified system files.

-- Any way to get a more current version of MBAM to run? That's an old build with ancient definitions.

-- Can you tell me what this is? Do you recognize it as business related and tailored to your user? --> mikekafka.exe
c:\documents and settings\mikekafka\mikekafka.exe

With combofix down, we'll need to try a few other things. Let me know about the above.

PP:)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

That .exe I cannot get rid of. That is something bad that I cannot delete. Not sure how to get rid of it.

I followed all the steps in the sticky post and I can run fine in normal mode now with no pop-ups. So the way it goes is nothing is acting bad, but I know that file is bad. How can I get rid of it? This terminal takes forever to start and shut down, much longer than all the others on my network. Not sure whether that has anything to do with this.

How can I get rid of that file? I will run a more current MBAM with current definitions tomorrow. I ran it this morning with these dated definitions and it doesn't find anything.

sklingb1

Oh yeah, I do have full internet access and it is not blocking sites like it was before.

sklingb1
Oh yeah, I do have full internet access and it is not blocking sites like it was before.


OK - see if you can update and run MBAM and post the log for me.

Looks like a bunch of Vundo + others. You'll definitely need to get that Java updated on all vulnerable machines on the network.

Let's see what MBAM can remove and go from there.

PP:)

PhilliePhan

Fresh MBAM:

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/17/2009 12:50:07 PM
mbam-log-2009-12-17 (12-50-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 348872
Time elapsed: 1 hour(s), 33 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysgif32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\av_md (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

sklingb1

Well . . . That still leaves a mess.

I'd like to wait until combofix is back up (non-beta) and then have a go with that.

In the meantime, you should update Adobe / Java as with previous compy and remove the old versions.
Also, remove Viewpoint, if you so desire.

-- Do you know what this is? What's in the dirfut folder?
c:\windows\system32\config\systemprofile\local settings\application data\dirfut\kqnfsysguard.exe

PP:)

PhilliePhan

I am not sure what Viewpoint is used for. Can I just remove it?

I am not sure what that file and folder are. I will have to check with some of the other terminals on the network and see if I can see similar folders and files. Most of the computers were all from the same time frame and that looks like a system file, so maybe the others will have it. You are going to have to re-instruct me as to how to use combofix when it is back up.

Let me know when we are good to go.

Thanks

sklingb1

I am not sure what Viewpoint is used for. Can I just remove it?

I am not sure what that file and folder are. I will have to check with some of the other terminals on the network and see if I can see similar folders and files. Most of the computers were all from the same time frame and that looks like a system file, so maybe the others will have it. You are going to have to re-instruct me as to how to use combofix when it is back up.

Let me know when we are good to go.

Thanks



No worries - Hopefully it'll be back up for general download soon.

-- I hope you don't have a network of infected machines . . . This one is worse than the last, or close to it.

You can just uninstall Viewpoint Media Player via Add / Remove programs. Not that big a deal.

The Adobe and Java updates are much more critical for security. You probably need them on all machines to help keep the Vundo away.

PP:)

PhilliePhan

Is there an easy scan for me to tell if the other 6 terminals are infected? I do run MBAM every once in a while, but is that going to tell me if that is infected with this? All my other machines are acting normal at this point.

sklingb1
Is there an easy scan for me to tell if the other 6 terminals are infected? I do run MBAM every once in a while, but is that going to tell me if that is infected with this? All my other machines are acting normal at this point.


MBAM is good. The Kaspersky or ESET online scans are good, too.

DDS is quick and will show many baddies.
The GMER Quick scan is good to try in conjunction with DDS. But both of these require interpretation by somebody used to reading the logs to pick out most baddies.

PP:)

PhilliePhan

ronnie2123, please start a new thread. We don't want to combine different issues on different computers within the same thread.

sklingb1

Well . . . That still leaves a mess.

I'd like to wait until combofix is back up (non-beta) and then have a go with that.

In the meantime, you should update Adobe / Java as with previous compy and remove the old versions.
Also, remove Viewpoint, if you so desire.

-- Do you know what this is? What's in the dirfut folder?
c:\windows\system32\config\systemprofile\local settings\application data\dirfut\kqnfsysguard.exe

PP:)



The c:\windows folder you list above is nothing. More than likely something bad. That dirfut folder is also probably something bad. I could get rid of everything related to it if we wish.

I updated Adobe and Java and I will remove viewpoint. Let me know when combo fix is good to go and forward me instructions as what you would like me to do. I will update the other computers with new Java and Adobe today.

sklingb1

PP, is combofix back up and running?

sklingb1
PP, is combofix back up and running?


It seems so - let's give that a go and see what shakes out.

If you already have Combofix on your machine, DELETE it.

Here are the instructions to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install Recovery Console (as you did on the other machine) and disable any security programs or Anti-Virus programs as per the linky before running Combofix!

Will check back as time permits.

Cheers :)
PP

PhilliePhan

Combo fix results:

ComboFix 09-12-21.07 - mikekafka 12/22/2009 8:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2483 [GMT -6:00]
Running from: c:\documents and settings\mikekafka\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MIKEKA~1\LOCALS~1\Temp\SolidWorksLicTemp.0001.dir.0005\~de688f.tmp
c:\docume~1\MIKEKA~1\LOCALS~1\Temp\SolidWorksLicTemp.0001.dir.0005\~df394b.tmp
c:\documents and settings\mikekafka\Application Data\avdrn.dat
c:\documents and settings\mikekafka\Application Data\EurekaLog
c:\documents and settings\mikekafka\Local Settings\Temp\SolidWorksLicTemp.0001.dir.0005\~de688f.tmp
c:\documents and settings\mikekafka\Local Settings\Temp\SolidWorksLicTemp.0001.dir.0005\~df394b.tmp
c:\documents and settings\mikekafka\mikekafka.exe
c:\documents and settings\scottklingberg\Application Data\EurekaLog
c:\documents and settings\scottklingberg\Application Data\EurekaLog\EurekaLog.ini
c:\recycler\S-1-5-21-679709237-68272196-2397749495-500
c:\windows\EventSystem.log
c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd

.
((((((((((((((((((((((((( Files Created from 2009-11-22 to 2009-12-22 )))))))))))))))))))))))))))))))
.

2009-12-22 12:59 . 2009-03-31 00:39 -------- d-----w- c:\documents and settings\mikekafka\Application Data\Viewpoint
2009-12-21 17:49 . 2009-12-21 17:49 -------- d--h--w- c:\windows\PIF
2009-12-16 21:18 . 2009-12-16 21:18 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-12-16 14:02 . 2009-10-29 07:45 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-12-16 14:02 . 2009-10-29 07:45 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-12-16 14:02 . 2009-10-29 07:45 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-12-16 14:02 . 2009-10-29 07:45 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-12-16 14:02 . 2009-10-29 07:45 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-12-16 14:02 . 2009-10-29 07:45 11069952 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-12-16 14:02 . 2009-12-18 12:35 -------- d-----w- c:\windows\ie8updates
2009-12-16 14:02 . 2009-10-02 04:44 92160 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-16 14:00 . 2009-12-16 14:02 -------- dc-h--w- c:\windows\ie8
2009-12-16 13:49 . 2009-12-16 13:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 13:49 . 2009-12-16 13:49 -------- d-----w- c:\program files\Java
2009-12-16 13:34 . 2009-12-16 13:34 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-16 13:31 . 2009-12-16 14:18 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-15 18:29 . 2009-12-15 18:29 -------- d-----w- c:\program files\ESET
2009-12-14 13:53 . 2009-12-14 13:53 -------- d-----w- C:\69b7e6b16957ee122e89
2009-12-14 13:53 . 2009-12-14 13:53 -------- d-----w- C:\92546d5f3d170e73ec0bf0
2009-12-14 13:52 . 2009-12-14 13:52 -------- d-----w- C:\91cdd5b4f92a414575b8
2009-12-14 13:52 . 2009-12-14 13:52 -------- d-----w- C:\24c80100adea7db056daa981c8
2009-12-11 00:12 . 2009-12-11 00:12 96512 ----a-w- c:\windows\system32\dllcache\atapi.sys
2009-12-11 00:11 . 2009-12-11 00:11 148 ----a-w- c:\windows\system32\fjhdyfhsn.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-22 14:58 . 2009-04-29 14:26 -------- d-----w- c:\documents and settings\mikekafka\Application Data\IM
2009-12-22 14:45 . 2005-06-10 22:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-22 14:16 . 2005-08-04 17:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-22 14:14 . 2005-08-11 20:01 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-22 12:59 . 2005-10-12 13:13 -------- d-----w- c:\program files\Microsoft SQL Server
2009-12-21 12:33 . 2007-01-11 14:23 -------- d-----w- c:\program files\Viewpoint
2009-12-18 13:01 . 2007-01-11 14:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-12-17 12:47 . 2009-06-11 13:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-16 13:37 . 2005-08-04 17:24 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-15 15:27 . 2009-04-29 14:25 -------- d-----w- c:\documents and settings\mikekafka\Application Data\SolidWorks
2009-12-11 00:12 . 2004-08-04 00:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-03 22:14 . 2009-06-11 13:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-06-11 13:15 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-18 02:10 . 2009-11-18 02:10 -------- d-----w- c:\documents and settings\mikekafka\Application Data\DassaultSystemes
2009-11-18 02:10 . 2007-01-11 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\DassaultSystemes
2009-10-29 07:45 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-28 17:45 . 2009-10-28 17:45 89600 ----a-w- c:\windows\system32\atl71.dll
2009-10-21 05:38 . 2004-08-04 08:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 08:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 08:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-16 00:07 . 2009-10-16 00:07 262144 ----a-w- C:\ntuser.dat
2009-10-13 10:30 . 2004-08-04 08:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 08:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 08:00 79872 ----a-w- c:\windows\system32\raschap.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-04-25 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-04-25 77824]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-04-25 114688]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"SolidWorks_CheckForUpdates"="c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe" [2008-02-29 6767896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"HP Network Registry Agent"="c:\windows\system32\hpnra.exe" [2000-10-26 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-16 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\sampyne\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks2007\swScheduler\swBOEngine.exe [2008-2-29 488728]

c:\documents and settings\tedbourbonnais\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks2007\swScheduler\swBOEngine.exe [2008-2-29 488728]

c:\documents and settings\mikekafka\Start Menu\Programs\Startup\
SolidWorks Task Scheduler Engine.lnk - c:\program files\SolidWorks2007\swScheduler\swBOEngine.exe [2008-2-29 488728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-8-10 221295]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2005-8-10 6144]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MSSQL$SIGMANEST;SQL Server (SIGMANEST);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2/10/2007 7:29 AM 29178224]
R2 Remote Solver for COSMOSFloWorks 2008;Remote Solver for COSMOSFloWorks 2008;c:\program files\SolidWorks2007\COSMOSFloWorks\FloWorks\binCFW\StandAloneSlv.exe [1/23/2008 5:37 PM 245760]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/* http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/* http://www.yahoo.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-22 08:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(812)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\system32\hasplms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\docume~1\MIKEKA~1\LOCALS~1\Temp\SolidWorksLicTemp.0001
c:\program files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2009-12-22 09:07:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-22 15:07

Pre-Run: 38,730,878,976 bytes free
Post-Run: 40,098,603,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - A437003D330587CA2F46DDE1024512F7

sklingb1
Junior Poster
109 posts since Apr 2009
Reputation Points: 10
Solved Threads: 0
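As an added example, not part of the thread and not ComboFix's own code, here is a small Python parser for the "LOCKED REGISTRY KEYS" block of a ComboFix log like the one posted above. It joins the wrapped hex data, decodes hex(6) (REG_LINK) values from UTF-16LE so a reviewer can read where a locked key points, records the @Denied line, and flags a value whose continuation is cut off, as the SymbolicLinkValue line in the log above is. The sample text is copied from that log; the regular expressions, class and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two locked keys from the ComboFix log above.
# The SymbolicLinkValue data ends with a "\" continuation that nothing follows,
# so the value is incomplete in the post and must be reported as truncated.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
DENIED_RE = re.compile(r'^@Denied:\s*(?P<detail>.*)$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<type>hex(?:\(\d+\))?|dword):(?P<data>.*)$')
HEX_CONTINUATION_RE = re.compile(r'^[0-9a-fA-F]{2},')

# .reg-style type tags to Windows registry type names (the subset ComboFix emits here).
REG_TYPE_NAMES = {
    "hex": "REG_BINARY",
    "hex(2)": "REG_EXPAND_SZ",
    "hex(6)": "REG_LINK",
    "hex(7)": "REG_MULTI_SZ",
    "dword": "REG_DWORD",
}
UTF16_TYPES = {"hex(2)", "hex(6)", "hex(7)"}


@dataclass
class LockedValue:
    key: str
    name: str
    reg_type: str
    data: bytes
    decoded: str          # human-readable form (link target, string, number or hex)
    truncated: bool       # continuation promised but not present, or odd byte count
    denied: Optional[str] # detail of the "@Denied:" line for this key, if any


def parse_locked_keys(text: str) -> List[LockedValue]:
    """Parse a ComboFix 'LOCKED REGISTRY KEYS' block into LockedValue records."""
    entries: List[LockedValue] = []
    lines = text.splitlines()
    current_key: Optional[str] = None
    denied: Optional[str] = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key, denied = m.group("key"), None
            continue
        m = DENIED_RE.match(line)
        if m:
            denied = m.group("detail")
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue  # no other value syntax appears in this block
        type_tag, data = m.group("type"), m.group("data")
        truncated = False
        # Wrapped hex data: a line ending in "," or "\" continues on the next line.
        while data.endswith(("\\", ",")):
            data = data.rstrip("\\")
            if i >= len(lines) or not HEX_CONTINUATION_RE.match(lines[i].strip()):
                truncated = True  # continuation expected, nothing usable followed
                break
            data += lines[i].strip()
            i += 1
        if type_tag == "dword":
            number = int(data, 16)
            raw, decoded = number.to_bytes(4, "little"), str(number)
        else:
            raw = bytes.fromhex("".join(t for t in data.split(",") if t))
            if type_tag in UTF16_TYPES:
                if len(raw) % 2:
                    truncated = True  # half a UTF-16 code unit means a cut-off value
                decoded = raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")
                decoded = decoded.rstrip("\0").replace("\0", " | ")  # REG_MULTI_SZ separators
            else:
                decoded = raw.hex()
        entries.append(LockedValue(current_key, m.group("name"),
                                   REG_TYPE_NAMES.get(type_tag, type_tag),
                                   raw, decoded, truncated, denied))
    return entries


def symbolic_link_targets(entries: List[LockedValue]) -> dict:
    """Map each locked key that is a registry symbolic link to its (decoded) target."""
    return {e.key: e.decoded for e in entries if e.reg_type == "REG_LINK"}


if __name__ == "__main__":
    for e in parse_locked_keys(SAMPLE):
        flag = " (truncated)" if e.truncated else ""
        print(f"{e.key}\n  {e.name} [{e.reg_type}] = {e.decoded!r}{flag}  denied={e.denied}")
```

Run against the sample, the link value decodes to the prefix `\Registry\MACHINE\Sys` and is marked truncated, so a reviewer knows the target in the post is incomplete rather than a real two-segment path; the Driver Signing entry shows the access-denied note next to its four-byte binary policy value.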
 

Hey PP,
As an FYI, Symantec Endpoint Protection needs to be completely removed in order to run ComboFix. I tried to disable it and run it, but it wouldn't, so my only option was to completely remove it.

Thanks
Scott

sklingb1
Junior Poster
109 posts since Apr 2009
Reputation Points: 10
Solved Threads: 0
 
As an FYI, Symantec Endpoint Protection needs to be completely removed in order to run ComboFix. I tried to disable it and run it, but it wouldn't, so my only option was to completely remove it.


That's interesting - there is a command we can use to start combofix that may address this.....

Interestingly enough, I didn't see what I expected to see. So, let's try this:

First - DELETE this ---> c:\windows\system32\fjhdyfhsn.bat

Then:

Please run a scan with the Kaspersky Online Scanner 7.0
* Note that you may need to temporarily disable your Anti-virus program for the duration of this scan.

-- Accept the agreement and allow the scanner to load and update its definitions. This may take a few minutes.
-- After the program files are downloaded and the anti-virus database is successfully updated, please select the Scan section in the left part of the main program window.
-- Click My Computer to begin a complete scan of your computer, including critical areas.
-- Once the scan has finished, select the Reports section in the left part of the main program window. Click the Save report button in the report viewing window. The Saving window will open.
-- Name the file KAS 1 and choose to save it to the Desktop as a .txt file, and then click the Save button.
Please post that for me.


Let's also do a more thorough rootkit scan. Please download GMER Rootkit Scanner:
http://www.gmer.net/download.php

-- Double-click the .exe file and, if asked, allow the gmer.sys driver to load.
   * When GMER opens, it should automatically do a quick scan for rootkits.
   When the quick scan finishes, click the Save Button and save the scanlog to your Desktop as GMER One.log.
-- If upon running GMER you receive a warning about Rootkit Activity and GMER asks if you want to run a scan, Click NO

-- Make sure the Rootkit/Malware Tab is selected (Top Left of GMER GUI)
Along the Right Side of the GMER GUI there will be a number of checked boxes. Please Uncheck the following:
- Sections
- Drives or Partitions other than your Systemdrive (usually C:\)
- Show All (be sure this one remains Unchecked)

-- Then, click the Scan Button
Allow the scan as long as it needs and then click the save button and name the log GMER Two.log and save it to where you can easily find it and post it for me along with the first log.

***Disconnect from the internet and do not run any other programs while GMER is scanning. Temporarily disable any real-time anti-spyware or anti-virus protection so they do not interfere with the running of GMER.
DO NOT take any action for any found items until I can have a look.


I'll check back as time permits.

Hope the holidays are treating you and your new addition well :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

I am running the GMER scan right now.

I am having a problem with the Kaspersky though. When it goes to run it starts Java and then it says it needs an uninterrupted internet connection, which it has, so I am not sure if something virus related is messing with the continuous internet connection. After the GMER Two runs I will bring the terminal home with me over the holidays and try to get it to run at home.

I completely removed Symantec from this computer so it does not have any AV running at all.

I will post the GMER logs when they are complete and I will work on the Kaspersky issue.

As always thanks for your help with this and have a good holiday!

sklingb1
Junior Poster
109 posts since Apr 2009
Reputation Points: 10
Solved Threads: 0
 
