I Want 2 Try And Remove This Trojan Manually.
Hello everybody. I have been a BD user for about 2 years now. I currently have a 2 yr subscription to Internet Security 08.
I have never had a problem with viruses because BD is amazing. I don't really have a problem right now as far as my computer's functionality because BD has quarantined the trojan. However, I don't want it to be an issue later, so I would like to manually remove this Trojan.
I have been searching around the internet (Google) all morning and have not been able to find a removal tool or specific instructions on how to go about removing this specific Trojan.
I was hoping to find a post here about it, but I was unable to find a relevant post about my specific issue. So on to my issue then.
Overnight system scan picked up Trojan.Download.Delf.NMB
~BD Results~
Trojan.Download.Delf.NMB - "delete failed" on 2 issue(s).
infected: =>HKEY_LOCAL_MACHINE\SOFTWA...Setup=>C:\PROGRAM FILES\COMMON FILES\SETUP.EXE
infected: C:\Program Files\Common Files\setup.exe
In the Results Summary all of the actions available failed, and now the only option to continue with is "No Action is possible" (yikes!)
All ideas are appreciated!
Comments
Hello haynest,
Can you please give the entire path where BitDefender found the infection in the registry? Click on Start, My Computer, Program Files, Common Files. Now search for setup.exe, select it and delete it. The reason why BitDefender couldn't take any action could be because the infection was found inside the installer.
Please download Deckard's System Scanner. You need to save it on your desktop. Close all other applications and windows. First right click on dss(.exe) and choose "Run as administrator". Now double click on dss(.exe) and confirm the warnings. It can take a while. Please copy the content of the main and extra text files (extra will be minimized) and paste it in your next post. Because it will be large, spread them over a few posts or attach the reports.
Kind regards,
Niels
Hello and thanks for your help.
I first went to the directory where the file was found to try and delete it. The file is not there. So I made sure that I could view system and hidden files from that folder. The option to view those files was already enabled.
I ran Deckard's System Scanner as you suggested. However, just before it finishes it comes up with an error pop-up window from Microsoft. The classic "Windows encountered a problem and needs to close."
The error siggy says AppName: dss.exe, ModName: ntdll.dll. I am sure these details are not needed at this point. So I cannot post a log for you unless you have another suggestion.
Hello haynest,
Please download HijackThis; to download it and for the instructions take a look here. Post the output here or put it as an attachment.
After that download ComboFix; you will find it here. Print the following instructions and read them carefully. Please post the output of the scan in your next post, so I or someone else can see if there are still some infections. Do not move your mouse pointer or click because it can cause a freeze.
Kind regards,
Niels
Here is the HijackThis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:35 PM, on 7/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\LMabcoms.exe
C:\Program Files\CCP Server 5\ccpsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [Microsoft] schost.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RAMDrive] "C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"
O4 - HKLM\..\Run: [setup] C:\Program Files\Common Files\setup.exe -cleaning
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\RunServices: [Microsoft] schost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -clientconfig cas -clientapp caserver.exe -silent
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {036F8A56-0BC8-4607-8F98-D3231E6FF5ED} (CentraUpdaterAxCtl Class) - https://www.ueclassroom.sprint.com/SiteRoot...raUpdaterAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197394718140
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AB0F8C9-E5E9-47FD-9E9A-7AB3586F0BC8}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: lmab_device - Unknown owner - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
Ok, I followed your instructions. Here is the ComboFix log.
ComboFix 08-07-09.5 - P 2008-07-10 15:04:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1432 [GMT -4:00]
Running from: C:\Documents and Settings\P\Desktop\Downloaded Files\ComboFix.exe
Command switches used :: C:\Documents and Settings\P\Desktop\Downloaded Files\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bszip.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.
2008-07-10 10:54 . 2008-07-10 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 10:06 . 2008-07-10 10:06 <DIR> d-------- C:\Deckard
2008-07-07 12:01 . 2008-07-10 15:11 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-07-07 12:00 . 2008-07-07 12:00 <DIR> d-------- C:\Documents and Settings\P\Application Data\BitDefender
2008-07-07 11:59 . 2008-07-07 11:59 <DIR> d-------- C:\Program Files\BitDefender
2008-07-07 11:59 . 2008-07-07 12:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-07-07 11:58 . 2008-07-07 11:59 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-07-06 14:22 . 2008-07-06 14:22 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-06 14:22 . 2008-07-06 14:22 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-06 14:22 . 2008-07-06 14:22 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-06 14:20 . 2008-07-10 03:00 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-07-06 14:16 . 2008-04-13 20:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-07-06 14:16 . 2008-04-13 20:12 346,112 --------- C:\WINDOWS\system32\windowscodec###t.dll
2008-07-06 14:16 . 2008-04-13 20:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-07-06 14:16 . 2008-04-13 20:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-07-06 14:16 . 2008-04-13 20:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-07-06 14:16 . 2008-04-13 20:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-07-06 14:16 . 2008-04-13 20:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-07-06 14:16 . 2008-04-13 14:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-07-01 13:00 . 2008-07-01 13:00 <DIR> d-------- C:\WINDOWS\Migo Recover Lost Data
2008-07-01 13:00 . 2008-07-01 13:00 <DIR> d-------- C:\Program Files\Migo Software
2008-06-29 11:35 . 2008-07-02 11:04 <DIR> d-------- C:\Program Files\Pixel Mine
2008-06-26 10:03 . 2008-06-26 10:03 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-06-25 15:56 . 2008-06-25 15:56 <DIR> d-------- C:\Program Files\gBurner
2008-06-23 17:48 . 2008-06-23 17:48 <DIR> d-------- C:\Program Files\Acclaim
2008-06-20 13:46 . 2008-06-20 13:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 13:46 . 2008-06-20 13:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 07:51 . 2008-06-20 07:51 361,600 -----c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 07:40 . 2008-06-20 07:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 07:08 . 2008-06-20 07:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 14:53 . 2008-06-19 14:53 <DIR> d-------- C:\Program Files\OGPlanet
2008-06-18 11:42 . 2008-06-18 11:42 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-06-18 11:42 . 2003-07-20 23:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-06-18 11:42 . 2005-01-04 14:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-06-17 11:09 . 2008-06-17 11:09 <DIR> d-------- C:\Program Files\PlayComet
2008-06-11 10:56 . 2006-11-19 19:57 505,344 --a------ C:\WINDOWS\system32\DDSystemIO.dll
2008-06-11 10:56 . 2006-09-03 13:17 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-06-11 10:55 . 2008-06-11 10:58 <DIR> d-------- C:\Program Files\NetAnalysis
2008-06-11 10:55 . 2006-09-03 13:17 1,836,128 --a------ C:\WINDOWS\system32\arpro2.dll
2008-06-11 10:55 . 2006-09-03 13:17 1,064,960 --a------ C:\WINDOWS\system32\tdbg8.ocx
2008-06-11 10:55 . 2006-09-03 13:17 507,904 --a------ C:\WINDOWS\system32\tdbgpp8.dll
2008-06-11 10:55 . 2006-09-03 13:17 374,368 --a------ C:\WINDOWS\system32\pdfexpt.dll
2008-06-11 10:55 . 2006-09-03 13:17 340,768 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2008-06-11 10:55 . 2006-06-09 01:24 227,328 --a------ C:\WINDOWS\system32\tssOfficeMenu1d.ocx
2008-06-11 10:55 . 2006-09-03 13:17 132,880 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-06-11 10:55 . 2006-09-03 13:17 86,016 --a------ C:\WINDOWS\system32\ddprogbar.ocx
2008-06-11 04:58 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 04:58 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 17:34 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-06-10 17:34 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 19:10 --------- d-----w C:\Program Files\Steam
2008-07-10 18:33 1,768 ----a-w C:\STAT.DAT
2008-07-10 16:48 --------- d-----w C:\Documents and Settings\P\Application Data\SolidDocuments
2008-07-10 16:45 --------- d-----w C:\Program Files\Warcraft III
2008-07-10 05:13 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\SolidDocuments
2008-07-07 18:28 --------- d-----w C:\Program Files\Google
2008-07-07 15:57 --------- d-----w C:\Documents and Settings\P\Application Data\Hamachi
2008-06-29 15:29 --------- d-----w C:\Program Files\PokerStars.NET
2008-06-20 18:18 --------- d-----w C:\Documents and Settings\P\Application Data\U3
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 15:50 --------- d-----w C:\Program Files\CCP Server 5
2008-06-13 15:32 --------- d-----w C:\Documents and Settings\P\Application Data\FileZilla
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 22:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-03 22:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-03 22:22 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-03 22:22 --------- d-----w C:\Program Files\Bonjour
2008-06-03 22:16 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-06-02 20:16 86,792 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-06-02 17:25 --------- d-----w C:\Documents and Settings\P\Application Data\dvdcss
2008-06-02 17:24 --------- d-----w C:\Program Files\QuickTime
2008-06-02 17:24 --------- d-----w C:\Program Files\ImTOO
2008-06-02 16:52 --------- d-----w C:\Program Files\eRightSoft
2008-06-02 16:27 --------- d-----w C:\Program Files\AviSynth 2.5
2008-06-02 16:26 --------- d-----w C:\Program Files\Gabest
2008-05-31 00:32 --------- d-----w C:\Program Files\SolidDocuments
2008-05-06 17:29 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-05-06 17:29 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msinfo.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-07-02 06:27 219520]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 19:05 143360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 03:52 2595480]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 04:02 905056]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 03:55 140568]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 11:07 843776]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 18:54 127022]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 16:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-05-23 19:16 368640]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-06 20:40:54 815104]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"VIDC.YV12"= yv12vfw.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 4200 Series]
--a------ 2004-01-16 06:04 57344 C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a------ 2002-12-10 19:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a------ 2002-12-10 19:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LMabcoms.exe"=
"C:\\Program Files\\CCP Server 5\\ccpsrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25842:TCP"= 25842:TCP:BitCometBeta 25842 TCP
"25842:UDP"= 25842:UDP:BitCometBeta 25842 UDP
R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2007-12-11 16:29]
R2 TryAndDecideService;Acronis Try And Decide Service;C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-09-14 05:01]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-06-02 16:16]
R3 EUCR;ENE USB Mass Storage;C:\WINDOWS\system32\DRIVERS\EUCR6SK.SYS [2005-02-21 06:22]
S3 axvbusx;axvbusx;C:\WINDOWS\system32\DRIVERS\axvbusx.sys [2002-12-27 21:14]
S3 axvscsi;axvscsi;C:\WINDOWS\system32\DRIVERS\axvscsi.sys [2002-12-27 21:14]
S3 XDva167;XDva167;C:\WINDOWS\system32\XDva167.sys []
S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys []
S3 XDva186;XDva186;C:\WINDOWS\system32\XDva186.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\P]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3854e4aa-d9bd-11dc-b095-001731e5f384}]
\Shell\AutoRun\command - ek.com
\Shell\explore\Command - ek.com
\Shell\open\Command - ek.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{614f22b6-f10c-11dc-b0aa-001731e5f384}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82a5ddbc-2db7-11dd-b0b8-001731e5f384}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3d7451c-af0d-11dc-b070-001731e5f384}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9edb5fc-e70d-11dc-b09c-001731e5f384}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Steam - C:\Program Files\Steam\Steam.exe -clientconfig cas -clientapp caserver.exe
HKCU-Run-Sonic RecordNow! Deluxe - (no file)
HKLM-Run-RAMDrive - C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe
MSConfigStartUp-Aim6 - C:\Program Files\AIM6\aim6.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 15:10:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Steam\caserver.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-07-10 15:14:54 - machine was rebooted [P]
ComboFix-quarantined-files.txt 2008-07-10 19:14:38
Pre-Run: 45,080,006,656 bytes free
Post-Run: 44,991,864,832 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
239 --- E O F --- 2008-07-10 07:00:42
Hello haynest,
The infection might have been spread through an infected external drive (USB hard disk, memory stick, ...).
Please press the Windows key together with R, then type regedit and press Enter. Expand HKEY_CURRENT_USER by clicking on the + sign, and open the following folders and subfolders: software, microsoft, windows, currentversion, explorer, mountpoints2. Now right click on {3854e4aa-d9bd-11dc-b095-001731e5f384}, choose export and save it. Expand 3854e4aa-d9bd-11dc-b095-001731e5f384 also, open shell, open autorun and click on command; do the same for explore and open. What is the location of ek.com? Please post it. Attach your memory stick, external hard disk, flash disk, etc. Be sure that hidden files and folders are visible and see if you can see a file called autorun.inf (it could be that you will not see .inf). Right click on it, choose "Open with", select WordPad and post the content here. See if you find ek.com. Try to catch all files that are mentioned in the autorun.inf file.
Kind regards,
Niels
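A way to triage the two artefacts the last reply asks the user to dig out by hand (the per-volume autorun commands under mountpoints2, and every file an autorun.inf points at), as an added Python example that is not part of the thread and not a BitDefender or ComboFix tool. The ComboFix excerpt and the autorun.inf below are constructed samples modelled on the log above; ek.com is only the name the log shows, not a known file.

```python
"""Triage helpers for the removable-drive autorun pattern in the thread.

  * mountpoints2_commands(): pulls each volume's Shell\\<verb>\\command value
    out of the mountpoints2 section of a ComboFix log.
  * unpathed_commands(): flags commands whose target is a bare file name,
    i.e. something Explorer would run from the volume root.
  * autorun_referenced_files(): lists every file an autorun.inf refers to,
    so all of them can be collected, not just the one named in "open=".
"""
import re
from typing import Dict, List, Set

# Constructed excerpt in the layout ComboFix uses for the mountpoints2 keys.
SAMPLE_COMBOFIX = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\P]
\\Shell\\AutoRun\\command - C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{3854e4aa-d9bd-11dc-b095-001731e5f384}]
\\Shell\\AutoRun\\command - ek.com
\\Shell\\explore\\Command - ek.com
\\Shell\\open\\Command - ek.com
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{b3d7451c-af0d-11dc-b070-001731e5f384}]
\\Shell\\AutoRun\\command - H:\\LaunchU3.exe -a
"""

# Constructed autorun.inf of the kind a USB worm drops: junk comment lines,
# mixed casing and the same file wired to open, explore and autoplay.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
;kjhf87w3 junk comment
OPEN=ek.com
shell\\open\\Command=ek.com
shell\\explore\\command = ek.com
ShellExecute=RECYCLER\\S-1-5-21-1234\\svchost.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Removable Disk
"""

_KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\([^\]]+)\]$", re.I)
_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.*)$", re.I)
_FILE_KEYS = ("open", "shellexecute", "icon")


def mountpoints2_commands(log_text: str) -> Dict[str, Dict[str, str]]:
    """Map each mountpoints2 volume id -> {verb: command} from a ComboFix log."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in log_text.splitlines():
        key = _KEY_RE.match(line.strip())
        if key:
            current = key.group(1)
            result.setdefault(current, {})
            continue
        cmd = _CMD_RE.match(line.strip())
        if cmd and current is not None:
            result[current][cmd.group(1).lower()] = cmd.group(2).strip()
    return result


def unpathed_commands(commands: Dict[str, Dict[str, str]]) -> List[str]:
    """Entries whose target has no drive letter or directory.

    A bare name is resolved against the volume root, which is how an
    autorun.inf makes Explorer launch a dropper sitting on the stick;
    these are the entries to locate on disk first.
    """
    flagged = []
    for volume, verbs in commands.items():
        for verb, command in verbs.items():
            target = command.split()[0] if command else ""
            if target and "\\" not in target and ":" not in target:
                flagged.append(f"{volume} {verb}: {target}")
    return flagged


def autorun_referenced_files(inf_text: str) -> Set[str]:
    """Every file an autorun.inf references, lower-cased, arguments stripped.

    Covers the keys Explorer honours (open, shellexecute, icon) and any
    shell\\<verb>\\command entry; comments, section headers and padding
    lines are skipped.
    """
    files: Set[str] = set()
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        is_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key not in _FILE_KEYS and not is_cmd:
            continue
        # icon values carry a ",index" suffix; commands carry arguments.
        target = value.split(",")[0].strip() if key == "icon" else value.split()[0]
        if target:
            files.add(target.lower())
    return files


if __name__ == "__main__":
    for entry in unpathed_commands(mountpoints2_commands(SAMPLE_COMBOFIX)):
        print("unpathed autorun target:", entry)
    for name in sorted(autorun_referenced_files(SAMPLE_AUTORUN_INF)):
        print("autorun.inf references:", name)
```

Run against a real ComboFix log and the exported autorun.inf, the two lists together give the set of files to quarantine from the drive before it is plugged into another machine.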