WMD RTC32.DLL Cannot SAFE MODE

[wirosari]

Dear PC PITSTOP,

 

My PC infected by Rootkit or Adware.

 

PC status right now :

- Heavy NETWORK Traffic

- Cannot SAFE MODE

- Vshield Mc.Afee services DISABLED

 

Trusted Advisor urgent help needed

FZWG or Jacee please come around.

 

Thanks,

Wirosari

 

 

ADAWARE SE said :

 

Ad-Aware SE Build 1.05

Logfile Created on:Monday, April 09, 2007 3:53:21 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R164 02.04.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):10 total references

Other(TAC index:5):1 total references

Win32.Sality(TAC index:10):38 total references

Win32.TrojanProxy.Agent.dl(TAC index:7):1 total references

Win32.TrojanSpy.Goldun(TAC index:10):7 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

4-9-2007 3:53:21 PM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\TresnaTan\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

 

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\TresnaTan\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru

Description : list of recent documents opened by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru

Description : list of recent documents saved by microsoft word

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\office\10.0\excel\recent files

Description : list of recent files used by microsoft excel

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\nico mak computing\winzip\filemenu

Description : winzip recently used archives

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 488

ThreadCreationTime : 4-9-2007 4:50:45 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 544

ThreadCreationTime : 4-9-2007 4:50:48 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 572

ThreadCreationTime : 4-9-2007 4:50:51 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 616

ThreadCreationTime : 4-9-2007 4:50:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 628

ThreadCreationTime : 4-9-2007 4:50:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 812

ThreadCreationTime : 4-9-2007 4:50:57 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 880

ThreadCreationTime : 4-9-2007 4:50:57 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1012

ThreadCreationTime : 4-9-2007 4:50:58 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1040

ThreadCreationTime : 4-9-2007 4:50:58 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1212

ThreadCreationTime : 4-9-2007 4:50:59 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (XPClient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:11 [cdantsrv.exe]

FilePath : C:\WINDOWS\System32\DRIVERS\

ProcessID : 1624

ThreadCreationTime : 4-9-2007 4:51:05 AM

BasePriority : Normal

FileVersion : 3.25.010

ProductVersion : 3.25.010 Windows NT 2002/01/07

ProductName : CD-Secure/CD-Compress Windows NT

CompanyName : C-Dilla Ltd

FileDescription : C-Dilla RTS Service

InternalName : CDANTSRV

LegalCopyright : Copyright © Macrovision 1993-2002

OriginalFilename : CDANTSRV.EXE

Comments : StringFileInfo: U.S. English

 

#:12 [inetinfo.exe]

FilePath : C:\WINDOWS\System32\inetsrv\

ProcessID : 1664

ThreadCreationTime : 4-9-2007 4:51:05 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Internet Information Services

CompanyName : Microsoft Corporation

FileDescription : Internet Information Services

InternalName : INETINFO.EXE

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : INETINFO.EXE

 

#:13 [nvsvc32.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1688

ThreadCreationTime : 4-9-2007 4:51:06 AM

BasePriority : Normal

FileVersion : 6.13.10.3082

ProductVersion : 6.13.10.3082

ProductName : NVIDIA Driver Helper Service, Version 30.82

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 30.82

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

 

#:14 [tcpsvcs.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1720

ThreadCreationTime : 4-9-2007 4:51:06 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : TCP/IP Services Application

InternalName : TCPSVCS.EXE

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : TCPSVCS.EXE

 

#:15 [snmp.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1736

ThreadCreationTime : 4-9-2007 4:51:06 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : SNMP Service

InternalName : snmp.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : snmp.exe

 

#:16 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1752

ThreadCreationTime : 4-9-2007 4:51:07 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:17 [acrotray.exe]

FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\

ProcessID : 840

ThreadCreationTime : 4-9-2007 4:51:16 AM

BasePriority : Normal

FileVersion : 5, 0, 0, 0

ProductVersion : 5, 0, 0, 0

ProductName : AcroTray - Adobe Acrobat Distiller helper application.

CompanyName : Adobe Systems Inc.

FileDescription : AcroTray

InternalName : AcroTray

LegalCopyright : Copyright © 2001

OriginalFilename : AcroTray.exe

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

 

 

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

"C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe"Process terminated successfully

 

#:18 [soffice.exe]

FilePath : C:\Program Files\OpenOffice.org 2.0\program\

ProcessID : 1020

ThreadCreationTime : 4-9-2007 4:51:20 AM

BasePriority : Normal

FileVersion : 1.09.9069

ProductVersion : 1.09.9069

CompanyName : OpenOffice.org

FileDescription : OpenOffice.org 2.0

InternalName : SOFFICE

LegalCopyright : Copyright © 2005 by Sun Microsystems, Inc.

OriginalFilename : SOFFICE.EXE

 

#:19 [soffice.bin]

FilePath : C:\Program Files\OpenOffice.org 2.0\program\

ProcessID : 1052

ThreadCreationTime : 4-9-2007 4:51:21 AM

BasePriority : Normal

FileVersion : 1.09.9069

ProductVersion : 1.09.9069

CompanyName : OpenOffice.org

FileDescription : OpenOffice.org 2.0

InternalName : SOFFICE

LegalCopyright : Copyright © 2005 by Sun Microsystems, Inc.

OriginalFilename : SOFFICE.EXE

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

 

 

 

#:20 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1600

ThreadCreationTime : 4-9-2007 8:50:20 AM

BasePriority : Normal

FileVersion : 6.00.2600.0000 (xpclient.010817-1148)

ProductVersion : 6.00.2600.0000

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

 

 

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

 

#:21 [ad-aware.exe]

FilePath : C:\ADAWARE\Ad-Aware SE Personal\

ProcessID : 1368

ThreadCreationTime : 4-9-2007 8:53:13 AM

BasePriority : Normal

FileVersion : 6.2.0.206

ProductVersion : VI.Second Edition

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

 

 

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 18

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 18

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 18

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 18

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Win32.TrojanProxy.Agent.dl Object Recognized!

Type : File

Data : winpidn.exe

Category : Malware

Comment :

Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\

 

 

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : File

Data : A0372822.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP509\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0372850.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-16.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-18.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-21.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-22.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-23.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-24.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0372896.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0372897.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-16.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-18.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-21.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-22.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-23.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : MFEX-24.DAT

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0372957.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373002.rbf

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373007.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373188.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373189.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373242.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP513\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373243.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP513\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373283.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373444.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373445.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373461.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373539.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373540.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373541.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373548.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373549.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0373550.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : File

Data : A0373655.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : rgoqmn.sys

Category : Malware

Comment :

Object : C:\WINDOWS\system32\drivers\

 

 

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : File

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\system32\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 56

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 56

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 56

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 57

 

4:00:52 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:07:30.953

Objects scanned:136392

Objects identified:39

Objects ignored:0

New critical objects:39

 

HIJACKTHIS 99 said :

 

ComboScan log is here :

ComboScan v20070226.18 run by Tres on 2007-04-09 at 09:25:08

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- HijackThis Clone -------------------------------------------------------------

 

Emulating logfile of HijackThis v1.99.1

Scan saved at 2007-04-09 09:25:29

Platform: Windows XP (5.01.2600)

MSIE: Internet Explorer (6.0.2600.0000)

 

Running processes:

C:\WINDOWS\system32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\drivers\CDANTSRV.EXE

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\snmp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.bin

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\inetsrv\davcdata.exe

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winwtqgpw.exe

C:\ADAWARE\VirTools\comboscan.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12

O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL

O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll

O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL

O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: AVSync Manager (AvSynMgr) - "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe"

O23 - Service: Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: C-DillaSrv - C:\WINDOWS\system32\drivers\CDANTSRV.EXE

O23 - Service: Indexing Service (cisvc) - C:\WINDOWS\system32\cisvc.exe

O23 - Service: ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe

O23 - Service: COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

O23 - Service: Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com

O23 - Service: Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService

O23 - Service: Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Event Log (Eventlog) - C:\WINDOWS\system32\services.exe

O23 - Service: COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: IIS Admin (IISADMIN) - C:\WINDOWS\system32\inetsrv\inetinfo.exe

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\system32\imapi.exe

O23 - Service: Infrared Monitor (Irmon) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Macromedia Licensing Service - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"

O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\system32\mnmsrvc.exe

O23 - Service: Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\system32\msdtc.exe

O23 - Service: Windows Installer (MSIServer) - C:\WINDOWS\System32\msiexec.exe /V

O23 - Service: Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe

O23 - Service: Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe

O23 - Service: Net Logon (Netlogon) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Client Service for NetWare (NWCWorkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe

O23 - Service: IPSEC Services (PolicyAgent) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe

O23 - Service: Routing and Remote Access (RemoteAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Remote Registry (RemoteRegistry) - C:\WINDOWS\system32\svchost.exe -k LocalService

O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\system32\locator.exe

O23 - Service: Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss

O23 - Service: QoS RSVP (RSVP) - C:\WINDOWS\system32\rsvp.exe

O23 - Service: Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe

O23 - Service: Smart Card Helper (SCardDrv) - C:\WINDOWS\system32\scardsvr.exe

O23 - Service: Smart Card (SCardSvr) - C:\WINDOWS\system32\scardsvr.exe

O23 - Service: Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Simple TCP/IP Services (SimpTcp) - C:\WINDOWS\system32\tcpsvcs.exe

O23 - Service: Simple Mail Transfer Protocol (SMTP) (SMTPSVC) - C:\WINDOWS\system32\inetsrv\inetinfo.exe

O23 - Service: SNMP Service (SNMP) - C:\WINDOWS\system32\snmp.exe

O23 - Service: SNMP Trap Service (SNMPTRAP) - C:\WINDOWS\system32\snmptrap.exe

O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe

O23 - Service: System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc

O23 - Service: MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\System32\dllhost.exe /Processid:{A7A4442A-5FF2-4273-9D3D-A8DF8D6AC966}

O23 - Service: Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe

O23 - Service: Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Terminal Services (TermService) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Telnet (TlntSvr) - C:\WINDOWS\system32\tlntsvr.exe

O23 - Service: Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Upload Manager (uploadmgr) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Uninterruptible Power Supply (UPS) - C:\WINDOWS\system32\ups.exe

O23 - Service: Volume Shadow Copy (VSS) - C:\WINDOWS\system32\vssvc.exe

O23 - Service: Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: World Wide Web Publishing (W3SVC) - C:\WINDOWS\system32\inetsrv\inetinfo.exe

O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService

O23 - Service: Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Portable Media Serial Number (WmdmPmSp) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - C:\WINDOWS\System32\svchost.exe -k netsvcs

O23 - Service: WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\system32\wbem\wmiapsrv.exe

O23 - Service: Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs

O23 - Service: Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs

 

 

-- Files created between 2007-03-09 and 2007-04-09 ------------------------------

 

2007-04-09 09:19:22 81920 --a------ C:\WINDOWS\System32\wmdconf32.dll<WMDCON~1.DLL>

2007-04-05 16:41:26 1923046 --a------ C:\WINDOWS\System32\SBSP.dat

2007-04-05 16:41:24 5477 --a------ C:\WINDOWS\System32\drivers\rgoqmn.sys

2007-04-05 16:41:14 313 --a------ C:\WINDOWS\System32\SBRC.dat

2007-04-05 16:41:14 306 --a------ C:\WINDOWS\System32\SBFC.dat

2007-04-05 16:41:13 40960 --a------ C:\WINDOWS\System32\wmdrtc32.dll

2007-04-05 16:40:26 54200 --a------ C:\WINDOWS\System32\drivers\sbapifs.sys

2007-04-04 11:14:25 0 d-------- C:\Documents and Settings\TresnaTan\DoctorWeb<DOCTOR~1>

2007-04-04 09:50:54 0 d-------- c:\!KillBox

2007-03-21 08:08:01 0 d-------- C:\Program Files\Common Files\Nero

2007-03-21 08:07:36 241664 --a------ C:\WINDOWS\System32\mpg4dmod.dll

2007-03-21 08:07:36 384512 --a------ C:\WINDOWS\System32\mp4sdmod.dll

2007-03-21 08:07:36 316040 --a------ C:\WINDOWS\System32\mp43dmod.dll

2007-03-21 08:07:35 816264 --a------ C:\WINDOWS\System32\wmvdmod.dll

2007-03-21 08:07:35 486536 --a------ C:\WINDOWS\System32\wmspdmod.dll

2007-03-21 08:07:34 997888 --a------ C:\WINDOWS\System32\wmvdmoe2.dll

2007-03-21 08:07:34 892416 --a------ C:\WINDOWS\System32\wmspdmoe.dll

2007-03-21 08:07:34 1111040 --a------ C:\WINDOWS\System32\wmsdmoe2.dll

2007-03-21 08:07:34 760968 --a------ C:\WINDOWS\System32\wmsdmod.dll

2007-03-21 08:07:34 410248 --a------ C:\WINDOWS\System32\wmadmod.dll

2007-03-21 08:07:33 670208 --a------ C:\WINDOWS\System32\wmadmoe.dll

2007-03-21 08:07:33 241664 --a------ C:\WINDOWS\System32\qasf.dll

2007-03-21 08:07:33 6656 --a------ C:\WINDOWS\System32\laprxy.dll

2007-03-21 08:07:32 981504 --a------ C:\WINDOWS\System32\wmnetmgr.dll

2007-03-21 08:07:32 143360 --a------ C:\WINDOWS\System32\wmidx.dll

2007-03-21 08:07:32 81408 --a------ C:\WINDOWS\System32\logagent.exe

2007-03-21 08:07:31 2058888 --a------ C:\WINDOWS\System32\wmvcore.dll

2007-03-21 08:07:30 218112 --a------ C:\WINDOWS\System32\wmasf.dll

2007-03-21 08:07:28 253952 --a------ C:\WINDOWS\System32\msnetobj.dll

2007-03-21 08:07:28 232960 --a------ C:\WINDOWS\System32\blackbox.dll

2007-03-21 08:07:27 678912 --a------ C:\WINDOWS\System32\drmv2clt.dll

2007-03-21 08:07:27 82432 --a------ C:\WINDOWS\System32\drmstor.dll

2007-03-21 08:07:26 301712 --a------ C:\WINDOWS\System32\drmclien.dll

2007-03-21 08:06:12 106496 --a------ C:\WINDOWS\System32\TwnLib20.dll

2007-03-21 08:06:09 471040 -----n--- C:\WINDOWS\System32\ImagXRA7.dll

2007-03-21 08:06:08 262144 -----n--- C:\WINDOWS\System32\ImagXR7.dll

2007-03-21 08:06:08 476320 -----n--- C:\WINDOWS\System32\ImagXpr7.dll

2007-03-21 08:06:08 1568768 -----n--- C:\WINDOWS\System32\ImagX7.dll

2007-03-21 08:06:07 184320 --a------ C:\WINDOWS\System32\NeroCheck.exe<NEROCH~1.EXE>

2007-03-21 08:06:00 0 d-------- C:\Program Files\Common Files\Ahead

2007-03-13 17:57:51 0 d---s---- C:\Documents and Settings\TresnaTan\UserData

 

 

-- Find3M Report ----------------------------------------------------------------

 

2007-04-09 08:21:59 0 d-------- C:\Documents and Settings\TresnaTan\Application Data\OpenOffice.org2<OPENOF~1.ORG>

2007-03-30 08:37:39 0 d-------- C:\Documents and Settings\TresnaTan\Application Data\Identities<IDENTI~1>

2007-03-21 08:06:13 0 d-------- C:\Program Files\Ahead

2007-03-09 15:54:03 0 d-------- C:\Documents and Settings\TresnaTan\Application Data\Canon

 

 

-- Registry Dump ----------------------------------------------------------------

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"SBRegRebootCleaner"="C:\\ADAWARE\\CounterSpy\\SBRC.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="msmsgs"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="RUNDLL32"

"hkey"="HKLM"

"command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="nwiz"

"hkey"="HKLM"

"command"="nwiz.exe /install"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="winampa"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Winamp3\\winampa.exe\""

"inimapping"="0"

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

NetworkService REG_MULTI_SZ DnsCache\

rpcss REG_MULTI_SZ RpcSs\

imgsvc REG_MULTI_SZ StiSvc\

termsvcs REG_MULTI_SZ TermService\

 

-- End of ComboScan: finished at 2007-04-09 at 09:25:39 -------------------------

[FZWG]

Please download HaxFix.exe

Save it to the Desktop.

• Double click on haxfix.exe to install.
• Check: "Create a desktop icon"
• Click: "Next"
• When the installation is completed, make sure "Launch HaxFix" is checked.
• Click "Finish"

A red "DOS window" opens with options:

1. Make logfile

2. Run auto fix

3. Run manual fix

E. Exit Haxfix

• Select option Option 2, Run auto fix by typing 2 and then pressing Enter
• Haxfix starts scanning the computer, and performs a reboot
• When finished, a logfile opens: haxlog.txt
• Please copy the contents of the logfile and provide them in your reply. (c:\haxfix.txt)

====

Next, download SuperAntiSpyware Home Edition Free Version

http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Install the program

 

Run SuperAntiSpyware and click: Check for updates

Once the update is finished, on the main screen, click: Scan your computer

Check: Perform Complete Scan

Click Next to start the scan.

 

Superantispyware scans the computer, and when finished, lists all the infections found.

Make sure everything found has a check next to it, and press: Next

Click Finish

 

It is possible that the program asks to reboot in order to delete some files.

 

Obtain the SuperAntiSpyware log as follows:

Click: Preferences

Click the Statistics/Logs tab

Under Scanner Logs, double-click SuperAntiSpyware Scan Log

It opens in your default text editor (such as Notepad)

 

 

====

Please post the contents of C:\haxfix.txt, the SuperAntiSpyware log, and a new HijackThis log.

[wirosari]

Dear FZWG,

Hope you still here at these hours.

 

Here is the Log

(Sorry, other log while in progress...)

 

HAXFIX logfile - by Marckie

version 4.39

Tue 04/10/2007 9:47:16.34

 

--- Auto Haxdoorfix ---

 

 

searching for files:

 

no infections found

 

--- Goldunfix ---

 

searching for files:

wmdconf32.dll

 

checking iexplore.exe

iexplore.exe is not infected

 

searching for SSODLkeys:

no SSODLkeys found

 

searching for notifykeys:

no notifykeys found

 

searching for services:

no services found

 

 

.....rebooting the computer.....

 

 

searching for ssodlkeys

 

not needed

 

searching for notifykeys

 

not needed

 

searching for services

 

not needed

 

searching for safeboot services

 

not needed

 

searching for files

 

wmdconf32.dll exists

deleting wmdconf32.dll

wmdconf32.dll has been deleted

 

 

checking for other files

 

No other files found

 

checking for a3d files

 

no a3d files found

 

Finished

 

 

Thank you Mr. Advisor to support us!

Edited April 10, 2007 by wirosari

[FZWG]

HaxFix did its thing.

 

Next, post the SuperAntiSpyware log, and a new HijackThis log when you can.

 

 

By the way, you have some serious infections on that system as a result of not keeping Windows updated!!

 

The malware has exploited the security holes in an unpatched version of XP and may be impossible to fix permanently.

 

Please go to the Windows Update site and install Service Pack 1a followed by all available critical and security patches:

 

http://www.microsoft.com/windowsxp/downloa...p1/default.mspx

 

Reboot after applying the update.

[wirosari]

Dear Sir,

 

This is the SuperAntiSpyware Log.

 

Thanks a lot for enlightment!

 

SUPERAntiSpyware Scan Log

Generated 04/10/2007 at 10:24 AM

 

Application Version : 3.6.1000

 

Core Rules Database Version : 3216

Trace Rules Database Version: 1226

 

Scan type : Complete Scan

Total Scan Time : 00:24:45

 

Memory items scanned : 376

Memory threats detected : 0

Registry items scanned : 4418

Registry threats detected : 0

File items scanned : 25360

File threats detected : 5

 

Trojan.Unknown Origin

C:\DOCUMENTS AND SETTINGS\TRESNATAN\LOCAL SETTINGS\TEMP\WINNHYMHK.EXE

C:\DOCUMENTS AND SETTINGS\TRESNATAN\LOCAL SETTINGS\TEMP\WINOVGAA.EXE

 

Spyware.PWS-Kuku/Resident

C:\SYSTEM VOLUME INFORMATION\_RESTORE{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\A0373911.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\A0374104.DLL

C:\SYSTEM VOLUME INFORMATION\_RESTORE{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\A0375311.DLL

Edited April 10, 2007 by wirosari

[wirosari]

Dear Advisor,

 

I try AVZ Anti Viral Toolkit by Oleg Zaytsev to Restore my Safe Mode.

The PC now can be in Safe Mode.

But the connection still busy/active!

 

The HJT Log looks like this :

 

Logfile of HijackThis v1.99.1

Scan saved at 11:06:32 AM, on 4/10/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\ADAWARE\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\ADAWARE\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\ADAWARE\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12

O20 - Winlogon Notify: !SASWinLogon - C:\ADAWARE\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited April 10, 2007 by wirosari

[wirosari]

Dear advisor,

 

AVZ Anti viral seems clean it, and restore registry of Safe Mode.

These procedure has been done.

 

But Ad-aware still detected these 2 files.

 

The networks still heavy.

Please advice and thanks

[FZWG]

AdAware still detected these 2 files

Which files is it detecting???

 

Please run the AdAware program again, and post its Full System Scan results.

 

 

Also, you are still in the hole...you have not installed SP1.

 

If you do not, we are just doing this routine for exercise.

 

You will be infected again, and again, and again, and again, and again, and again......

Edited April 10, 2007 by FZWG

[wirosari]

Which files is it detecting???

 

 

Dear advisor,

 

the file is :

File : c:\windows\system32\WMDRTC32.DLL

File : c:\windows\system32\drivers\RGOQMN.SYS

 

I will update the hole, but since the traffic crowded, it is rather difficult

 

Thanks for support.

 

The Ad-Aware mention this :

Ad-Aware SE Build 1.05

Logfile Created on:Wednesday, April 11, 2007 9:59:20 AM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R164 02.04.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Sality(TAC index:10):8 total references

Win32.TrojanSpy.Goldun(TAC index:10):1 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

4-11-2007 9:59:20 AM - Scan started. (Full System Scan)

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 480

ThreadCreationTime : 4-11-2007 2:54:37 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 536

ThreadCreationTime : 4-11-2007 2:54:39 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 568

 

ThreadCreationTime : 4-11-2007 2:54:42 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 616

ThreadCreationTime : 4-11-2007 2:54:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 628

ThreadCreationTime : 4-11-2007 2:54:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 796

ThreadCreationTime : 4-11-2007 2:54:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 864

ThreadCreationTime : 4-11-2007 2:54:43 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 996

ThreadCreationTime : 4-11-2007 2:54:44 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1112

ThreadCreationTime : 4-11-2007 2:54:48 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1248

ThreadCreationTime : 4-11-2007 2:54:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (XPClient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:11 [cdantsrv.exe]

FilePath : C:\WINDOWS\System32\DRIVERS\

ProcessID : 1404

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 3.25.010

ProductVersion : 3.25.010 Windows NT 2002/01/07

ProductName : CD-Secure/CD-Compress Windows NT

CompanyName : C-Dilla Ltd

FileDescription : C-Dilla RTS Service

InternalName : CDANTSRV

LegalCopyright : Copyright © Macrovision 1993-2002

OriginalFilename : CDANTSRV.EXE

Comments : StringFileInfo: U.S. English

 

#:12 [inetinfo.exe]

FilePath : C:\WINDOWS\System32\inetsrv\

ProcessID : 1436

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Internet Information Services

CompanyName : Microsoft Corporation

FileDescription : Internet Information Services

InternalName : INETINFO.EXE

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : INETINFO.EXE

 

#:13 [nvsvc32.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1468

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 6.13.10.3082

ProductVersion : 6.13.10.3082

ProductName : NVIDIA Driver Helper Service, Version 30.82

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 30.82

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

 

#:14 [tcpsvcs.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1508

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : TCP/IP Services Application

InternalName : TCPSVCS.EXE

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : TCPSVCS.EXE

 

#:15 [snmp.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1524

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : SNMP Service

InternalName : snmp.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : snmp.exe

 

#:16 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1560

ThreadCreationTime : 4-11-2007 2:54:53 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:17 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 540

ThreadCreationTime : 4-11-2007 2:55:13 AM

BasePriority : High

FileVersion : 6.00.2600.0000 (xpclient.010817-1148)

ProductVersion : 6.00.2600.0000

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

"C:\WINDOWS\Explorer.EXE"Process terminated successfully

 

#:18 [ad-aware.exe]

FilePath : C:\ADAWARE\Ad-Aware SE Personal\

ProcessID : 688

ThreadCreationTime : 4-11-2007 2:55:13 AM

BasePriority : Normal

FileVersion : 6.2.0.206

ProductVersion : VI.Second Edition

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 2

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Win32.Sality Object Recognized!

Type : File

Data : temp.fr22C3

Category : Malware

Comment :

Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : temp.frA8D6

Category : Malware

Comment :

Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\

 

 

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : File

Data : A0376288.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP515\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0376296.sys

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP515\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : A0376297.dll

Category : Malware

Comment :

Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP515\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : rgoqmn.sys

Category : Malware

Comment :

Object : C:\WINDOWS\system32\drivers\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 9

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 9

 

10:08:19 AM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:08:58.937

Objects scanned:137676

Objects identified:7

Objects ignored:0

New critical objects:7

[FZWG]

Let's get rid of what is in this Temp folder:

C:\Documents and Settings\TresnaTan\Local Settings\Temp

 

Please launch Notepad, (Start > Run, type in: notepad)

Copy/paste the blue text below to it:

 

del %windir%\temp\*.* /f

del C:\Documents and Settings\*\local settings\temp\*.* /f

 

In Notepad, go to File (upper menu bar), and select: Save as

In the Save as prompt:

Save in: Desktop

File Name: clean.bat

Save as Type: All files

Click: Save

Exit out of Notepad.

 

Next, on the Desktop, double click on clean.bat

 

====

To remove the bogus driver and file:

 

1. Please download The Avenger by Swandog46 to your Desktop.

• Click on Avenger.zip to open the file
• Extract avenger.exe to the Desktop

2. Copy the blue text below by highlighting it and pressing (Ctrl+C):

 

Files to Delete

C:\WINDOWS\system32\wmdrtc32.dll

 

Drivers to delete

rgoqmn.sys

 

 

3. Now, start The Avenger program by clicking on its icon on the Desktop.

• Under "Script file to execute" choose "Input Script Manually".
• Now click on the Magnifying Glass icon which opens a new window titled "View/edit script"
• Paste the blue text copied into this window by pressing (Ctrl+V).
• Click Done
• Now click on the Green Light to begin execution of the script
• Answer "Yes" twice when prompted.

4. The Avenger automatically does the following:

• It restarts the computer, and in cases where the code to execute contains Drivers to Unload, the Avenger actually restarts the system twice.
• On reboot, it briefly opens a black command window on the Desktop, and this is normal.
• After the restart, it creates and opens a log file with the results of Avenger’s actions. This log file is located at C:\avenger.txt
• The Avenger also backs up all the files, etc., it deletes, and zips them and moves the zip archives to C:\avenger\backup.zip

Please provide the content of C:\avenger.txt in your reply along with a new HJT log .

[wirosari]

Dear advisor,

 

It seem that, even in the SAFE MODE.

the file WMDRTC32DLL still active!

 

The log is like this :

 

ÿþL o g f i l e o f T h e A v e n g e r v e r s i o n 1 , b y S w a n d o g 4 6

 

R u n n i n g f r o m r e g i s t r y k e y :

 

\ R e g i s t r y \ M a c h i n e \ S y s t e m \ C u r r e n t C o n t r o l S e t \ S e r v i c e s \ k l a n p s u g

 

 

 

* * * * * * * * * * * * * * * * * * *

 

 

 

S c r i p t f i l e l o c a t e d a t : \ ? ? \ C : \ W I N D O W S \ b x n w i o u m . t x t

 

S c r i p t f i l e o p e n e d s u c c e s s f u l l y .

 

 

 

S c r i p t f i l e r e a d s u c c e s s f u l l y

 

 

 

B a c k u p s d i r e c t o r y o p e n e d s u c c e s s f u l l y a t C : \ A v e n g e r

 

 

 

* * * * * * * * * * * * * * * * * * *

 

 

 

B e g i n n i n g t o p r o c e s s s c r i p t f i l e :

 

 

 

F i l e C : \ W I N D O W S \ s y s t e m 3 2 \ w m d r t c 3 2 . d l l d e l e t e d s u c c e s s f u l l y .

 

 

 

 

 

F i l e D r i v e r s t o d e l e t e : n o t f o u n d !

 

D e l e t i o n o f f i l e D r i v e r s t o d e l e t e : f a i l e d !

 

 

 

C o u l d n o t p r o c e s s l i n e :

 

D r i v e r s t o d e l e t e :

 

S t a t u s : 0 x c 0 0 0 0 0 3 4

 

 

 

F i l e C : \ W I N D O W S \ s y s t e m 3 2 \ d r i v e r s \ r g o q m n . s y s d e l e t e d s u c c e s s f u l l y .

 

 

 

C o m p l e t e d s c r i p t p r o c e s s i n g .

 

 

 

* * * * * * * * * * * * * * * * * * *

 

 

 

F i n i s h e d ! T e r m i n a t e .

 

 

the HJT log is :

Logfile of HijackThis v1.99.1

Scan saved at 4:26:06 PM, on 4/11/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\ADAWARE\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[FZWG]

Looks as if this infection has an entry that hides, so, please do the following:

 

Open HijackThis

Click on Open Misc Tools Section

Make sure that both boxes beside "Generate StartupList Log" are checked:

--List all minor sections(Full)

--List Empty Sections(Complete)

 

Click: Generate StartupList Log

Click Yes at the prompt.

 

A text file opens. Please provide the entire contents of the StartupList.

 

====

Also, please post another AdAware report.

 

====

Also, download SDFix and save it to the Desktop.

 

Right click the SDFix.zip folder

Select: Extract All to extract it to its own folder on the Desktop.

 

~~~~

Start the computer in Safe Mode :

-When the machine first starts again, tap the F8 key before Windows starts

-You are presented with a Windows XP Advanced Options menu.

-Select the option for Safe Mode using the arrow keys.

-Press Enter to boot into Safe Mode.

 

~~~~

Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

 

Press any key to restart the PC.

When the PC restarts the SDFix will run again and complete the removal process

It then displays Finished

Press any key to end the script and load the Desktop icons.

 

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

 

~~~~

Please provide the StartupList, another AdAware report, and the contents of the SDFix Report.txt.

Edited April 11, 2007 by FZWG

[wirosari]

Dear fzwg,

 

While scanning the other tools.

Here is the HJT :

With thanks for analyzing.

 

StartupList report, 4/12/2007, 9:38:34 AM

StartupList version: 1.52.2

Started from : C:\ADAWARE\HijackThis.EXE

Detected: Windows XP (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 (6.00.2600.0000)

* Using default options

* Including empty and uninteresting sections

* Showing rarely important sections

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winkcmol.exe

C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe

C:\ADAWARE\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Startup:

[C:\Documents and Settings\TresnaTan\Start Menu\Programs\Startup]

OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

 

Shell folders AltStartup:

*Folder not found*

 

User shell folders Startup:

*Folder not found*

 

User shell folders AltStartup:

*Folder not found*

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

 

Shell folders Common AltStartup:

*Folder not found*

 

User shell folders Common Startup:

*Folder not found*

 

User shell folders Alternate Common Startup:

*Folder not found*

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

*Registry value not found*

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

SBRegRebootCleaner = C:\ADAWARE\CounterSpy\SBRC.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

 

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No subkeys found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

Autorun entries in Registry subkeys of:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

 

--------------------------------------------------

 

File association entry for .EXE:

HKEY_CLASSES_ROOT\exefile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .COM:

HKEY_CLASSES_ROOT\comfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .BAT:

HKEY_CLASSES_ROOT\batfile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .PIF:

HKEY_CLASSES_ROOT\piffile\shell\open\command

 

(Default) = "%1" %*

 

--------------------------------------------------

 

File association entry for .SCR:

HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

 

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

 

--------------------------------------------------

 

File association entry for .HTA:

HKEY_CLASSES_ROOT\htafile\shell\open\command

 

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

 

--------------------------------------------------

 

File association entry for .TXT:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

 

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

 

--------------------------------------------------

 

Enumerating Active Setup stub paths:

HKLM\Software\Microsoft\Active Setup\Installed Components

(* = disabled by HKCU twin)

 

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *

StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

 

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

 

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *

StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

 

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

 

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

 

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

 

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *

StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

 

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *

StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

 

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *

StubPath = regsvr32.exe /s /n /i:U shell32.dll

 

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *

StubPath = %SystemRoot%\system32\ie4uinit.exe

 

[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *

StubPath = rundll32 iesetup.dll,IEAccessUserInst

 

--------------------------------------------------

 

Enumerating ICQ Agent Autostart apps:

HKCU\Software\Mirabilis\ICQ\Agent\Apps

 

*Registry key not found*

 

--------------------------------------------------

 

Load/Run keys from C:\WINDOWS\WIN.INI:

 

load=*INI section not found*

run=*INI section not found*

 

Load/Run keys from Registry:

 

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*

HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*

HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*

HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*

HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=*Registry value not found*

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry value not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

Checking for EXPLORER.EXE instances:

 

C:\WINDOWS\Explorer.exe: PRESENT!

 

C:\Explorer.exe: not present

C:\WINDOWS\Explorer\Explorer.exe: not present

C:\WINDOWS\System\Explorer.exe: not present

C:\WINDOWS\System32\Explorer.exe: not present

C:\WINDOWS\Command\Explorer.exe: not present

C:\WINDOWS\Fonts\Explorer.exe: not present

 

--------------------------------------------------

 

Checking for superhidden extensions:

 

.lnk: HIDDEN! (arrow overlay: yes)

.pif: HIDDEN! (arrow overlay: yes)

.exe: not hidden

.com: not hidden

.bat: not hidden

.hta: not hidden

.scr: not hidden

.shs: HIDDEN!

.shb: HIDDEN!

.vbs: not hidden

.vbe: not hidden

.wsh: not hidden

.scf: HIDDEN! (arrow overlay: NO!)

.url: HIDDEN! (arrow overlay: yes)

.js: not hidden

.jse: not hidden

 

--------------------------------------------------

 

Verifying REGEDIT.EXE integrity:

 

- Regedit.exe found in C:\WINDOWS

- .reg open command is normal (regedit.exe %1)

- Company name OK: 'Microsoft Corporation'

- Original filename OK: 'REGEDIT.EXE'

- File description: 'Registry Editor'

 

Registry check passed

 

--------------------------------------------------

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

 

--------------------------------------------------

 

Enumerating Task Scheduler jobs:

 

*No jobs found*

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[MsnMessengerSetupDownloadControl Class]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx

CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab

 

[instaFred]

InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx

CODEBASE = file://C:\Program Files\AutoCAD 2002\InstFred.ocx

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[AcPreview Control]

InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX

CODEBASE = file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

 

--------------------------------------------------

 

Enumerating Winsock LSP files:

 

NameSpace #1: C:\WINDOWS\System32\mswsock.dll

NameSpace #2: C:\WINDOWS\System32\winrnr.dll

NameSpace #3: C:\WINDOWS\System32\mswsock.dll

NameSpace #4: C:\WINDOWS\System32\nwprovau.dll

Protocol #1: C:\WINDOWS\system32\mswsock.dll

Protocol #2: C:\WINDOWS\system32\mswsock.dll

Protocol #3: C:\WINDOWS\system32\mswsock.dll

Protocol #4: C:\WINDOWS\system32\rsvpsp.dll

Protocol #5: C:\WINDOWS\system32\rsvpsp.dll

Protocol #6: C:\WINDOWS\system32\mswsock.dll

Protocol #7: C:\WINDOWS\system32\mswsock.dll

Protocol #8: C:\WINDOWS\system32\mswsock.dll

Protocol #9: C:\WINDOWS\system32\mswsock.dll

Protocol #10: C:\WINDOWS\system32\mswsock.dll

Protocol #11: C:\WINDOWS\system32\mswsock.dll

Protocol #12: C:\WINDOWS\system32\mswsock.dll

Protocol #13: C:\WINDOWS\system32\mswsock.dll

Protocol #14: C:\WINDOWS\system32\mswsock.dll

Protocol #15: C:\WINDOWS\system32\mswsock.dll

Protocol #16: C:\WINDOWS\system32\mswsock.dll

Protocol #17: C:\WINDOWS\system32\mswsock.dll

Protocol #18: C:\WINDOWS\system32\mswsock.dll

Protocol #19: C:\WINDOWS\system32\mswsock.dll

 

--------------------------------------------------

 

Enumerating Windows NT/2000/XP services

 

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)

Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)

Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)

Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)

ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)

AVSync Manager: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" (autostart)

Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

C-Dilla: \??\C:\WINDOWS\System32\drivers\CDANT.SYS (manual start)

C-DillaSrv: C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (autostart)

CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)

Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)

ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)

COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)

Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Disk Driver: System32\DRIVERS\disk.sys (system)

Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)

dmboot: System32\drivers\dmboot.sys (disabled)

Logical Disk Manager Driver: System32\drivers\dmio.sys (system)

dmload: System32\drivers\dmload.sys (system)

Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)

DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)

MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)

Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)

Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)

Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Event Log: %SystemRoot%\system32\services.exe (autostart)

COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)

Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)

Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)

Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)

Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start)

Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)

Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)

IIS Admin: C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)

IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)

IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)

IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)

IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)

IPSEC driver: System32\DRIVERS\ipsec.sys (system)

IrDA Protocol: System32\DRIVERS\irda.sys (autostart)

IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)

Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Microsoft Serial Infrared Driver: System32\DRIVERS\irsir.sys (manual start)

PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)

Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)

Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)

Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (disabled)

Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)

Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)

WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)

MRXSMB: System32\DRIVERS\mrxsmb.sys (system)

Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)

Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)

Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)

Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)

Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)

Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys (manual start)

NaiFiltr: System32\DRIVERS\NaiFiltr.sys (manual start)

NdisFileServices32: \??\C:\WINDOWS\System32\drivers\rgoqmn.sys (disabled)

Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)

NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)

Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)

NetBIOS Interface: System32\DRIVERS\netbios.sys (system)

NetBT: System32\DRIVERS\netbt.sys (system)

Network DDE: %SystemRoot%\system32\netdde.exe (manual start)

Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)

Net Logon: %SystemRoot%\System32\lsass.exe (autostart)

Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)

Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)

nv: System32\DRIVERS\nv4_mini.sys (manual start)

NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)

Client Service for NetWare: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)

IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)

NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart)

NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart)

NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart)

NetWare Rdr: System32\DRIVERS\nwrdr.sys (manual start)

Parallel port driver: System32\DRIVERS\parport.sys (manual start)

PCI Bus Driver: System32\DRIVERS\pci.sys (system)

PCIIde: System32\DRIVERS\pciide.sys (system)

Plug and Play: %SystemRoot%\system32\services.exe (autostart)

IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)

WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)

Processor Driver: System32\DRIVERS\processr.sys (system)

Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)

QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)

Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)

Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)

Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start)

WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)

Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)

Direct Parallel: System32\DRIVERS\raspti.sys (manual start)

Rdbss: System32\DRIVERS\rdbss.sys (system)

RDPCDD: System32\DRIVERS\RDPCDD.sys (system)

Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start)

Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)

Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)

Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)

Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)

Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)

Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)

QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)

Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)

Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)

Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)

Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Secdrv: System32\DRIVERS\secdrv.sys (manual start)

Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)

Serial port driver: System32\DRIVERS\serial.sys (system)

Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (autostart)

SIS AGP Bus Filter: System32\DRIVERS\sisagp.sys (system)

SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start)

Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)

SNMP Service: %SystemRoot%\System32\snmp.exe (autostart)

SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start)

Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)

Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)

Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)

System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled)

System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Srv: System32\DRIVERS\srv.sys (manual start)

SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)

Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)

Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)

MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{A7A4442A-5FF2-4273-9D3D-A8DF8D6AC966} (manual start)

Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)

Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)

Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)

Terminal Device Driver: System32\DRIVERS\termdd.sys (system)

Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start)

Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Microcode Update Driver: System32\DRIVERS\update.sys (manual start)

Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)

Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)

USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)

Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)

Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)

USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)

USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)

VgaSave: \SystemRoot\System32\drivers\vga.sys (system)

Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)

Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

World Wide Web Publishing: %SystemRoot%\System32\inetsrv\inetinfo.exe (autostart)

Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)

Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)

WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)

Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)

Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)

WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)

Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)

Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)

Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

 

 

--------------------------------------------------

 

Enumerating Windows NT logon/logoff scripts:

*No scripts set to run*

 

Windows NT checkdisk command:

BootExecute = autocheck autochk *

 

Windows NT 'Wininit.ini':

PendingFileRenameOperations: *Registry value not found*

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

 

--------------------------------------------------

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*No values found*

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

 

*No values found*

 

--------------------------------------------------

 

End of report, 30,791 bytes

Report generated in 0.109 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only

[FZWG]

Did not see what I was looking for...

 

This infection may have an entry that hides in system.ini

 

Please go to Start > Run, and type:

System.ini

Click: OK

 

The System.ini file text is displayed.

 

Please provide its contents in your reply.

 

Also,need the results of SDFix.

Edited April 12, 2007 by FZWG

[wirosari]

Here is the AD AWARE log :

 

 

Ad-Aware SE Build 1.05

Logfile Created on:Thursday, April 12, 2007 10:11:13 AM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R164 02.04.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

MRU List(TAC index:0):7 total references

Other(TAC index:5):1 total references

Win32.Sality(TAC index:10):9 total references

Win32.TrojanProxy.Agent.dl(TAC index:7):1 total references

Win32.TrojanSpy.Goldun(TAC index:10):6 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan within archives

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

4-12-2007 10:11:13 AM - Scan started. (Full System Scan)

 

MRU List Object Recognized!

Location: : C:\Documents and Settings\TresnaTan\recent

Description : list of recently opened documents

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\search assistant\acmru

Description : list of recent search terms used with the search assistant

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\runmru

Description : mru list for items opened in start | run

 

 

MRU List Object Recognized!

Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\nico mak computing\winzip\filemenu

Description : winzip recently used archives

 

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 476

ThreadCreationTime : 4-12-2007 1:30:43 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 532

ThreadCreationTime : 4-12-2007 1:30:45 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 560

ThreadCreationTime : 4-12-2007 1:30:48 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 608

ThreadCreationTime : 4-12-2007 1:30:48 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 620

ThreadCreationTime : 4-12-2007 1:30:48 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 792

ThreadCreationTime : 4-12-2007 1:30:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 860

ThreadCreationTime : 4-12-2007 1:30:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 992

ThreadCreationTime : 4-12-2007 1:30:49 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1040

ThreadCreationTime : 4-12-2007 1:30:50 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1200

ThreadCreationTime : 4-12-2007 1:30:50 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (XPClient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:11 [cdantsrv.exe]

FilePath : C:\WINDOWS\System32\DRIVERS\

ProcessID : 1420

ThreadCreationTime : 4-12-2007 1:30:54 AM

BasePriority : Normal

FileVersion : 3.25.010

ProductVersion : 3.25.010 Windows NT 2002/01/07

ProductName : CD-Secure/CD-Compress Windows NT

CompanyName : C-Dilla Ltd

FileDescription : C-Dilla RTS Service

InternalName : CDANTSRV

LegalCopyright : Copyright © Macrovision 1993-2002

OriginalFilename : CDANTSRV.EXE

Comments : StringFileInfo: U.S. English

 

#:12 [inetinfo.exe]

FilePath : C:\WINDOWS\System32\inetsrv\

ProcessID : 1452

ThreadCreationTime : 4-12-2007 1:30:54 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Internet Information Services

CompanyName : Microsoft Corporation

FileDescription : Internet Information Services

InternalName : INETINFO.EXE

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : INETINFO.EXE

 

#:13 [nvsvc32.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1488

ThreadCreationTime : 4-12-2007 1:30:54 AM

BasePriority : Normal

FileVersion : 6.13.10.3082

ProductVersion : 6.13.10.3082

ProductName : NVIDIA Driver Helper Service, Version 30.82

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 30.82

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

 

#:14 [tcpsvcs.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1532

ThreadCreationTime : 4-12-2007 1:30:54 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : TCP/IP Services Application

InternalName : TCPSVCS.EXE

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : TCPSVCS.EXE

 

#:15 [snmp.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1588

ThreadCreationTime : 4-12-2007 1:30:54 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : SNMP Service

InternalName : snmp.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : snmp.exe

 

#:16 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1612

ThreadCreationTime : 4-12-2007 1:30:54 AM

BasePriority : Normal

FileVersion : 5.1.2600.0 (xpclient.010817-1148)

ProductVersion : 5.1.2600.0

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:17 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1852

ThreadCreationTime : 4-12-2007 2:36:55 AM

BasePriority : Normal

FileVersion : 6.00.2600.0000 (xpclient.010817-1148)

ProductVersion : 6.00.2600.0000

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

 

 

 

#:18 [acrotray.exe]

FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\

ProcessID : 388

ThreadCreationTime : 4-12-2007 2:36:59 AM

BasePriority : Normal

FileVersion : 5, 0, 0, 0

ProductVersion : 5, 0, 0, 0

ProductName : AcroTray - Adobe Acrobat Distiller helper application.

CompanyName : Adobe Systems Inc.

FileDescription : AcroTray

InternalName : AcroTray

LegalCopyright : Copyright © 2001

OriginalFilename : AcroTray.exe

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

 

 

"C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe"Process terminated successfully

 

#:19 [soffice.exe]

FilePath : C:\Program Files\OpenOffice.org 2.0\program\

ProcessID : 1760

ThreadCreationTime : 4-12-2007 2:37:01 AM

BasePriority : Normal

FileVersion : 1.09.9069

ProductVersion : 1.09.9069

CompanyName : OpenOffice.org

FileDescription : OpenOffice.org 2.0

InternalName : SOFFICE

LegalCopyright : Copyright © 2005 by Sun Microsystems, Inc.

OriginalFilename : SOFFICE.EXE

 

#:20 [soffice.bin]

FilePath : C:\Program Files\OpenOffice.org 2.0\program\

ProcessID : 824

ThreadCreationTime : 4-12-2007 2:37:01 AM

BasePriority : Normal

FileVersion : 1.09.9069

ProductVersion : 1.09.9069

CompanyName : OpenOffice.org

FileDescription : OpenOffice.org 2.0

InternalName : SOFFICE

LegalCopyright : Copyright © 2005 by Sun Microsystems, Inc.

OriginalFilename : SOFFICE.EXE

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

 

 

 

#:21 [winfopvc.exe]

FilePath : C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\

ProcessID : 172

ThreadCreationTime : 4-12-2007 2:37:34 AM

BasePriority : Normal

 

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe)

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : winfopvc.exe

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\

 

 

"C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe"Process terminated successfully

"C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe"Process terminated successfully

 

#:22 [ad-aware.exe]

FilePath : C:\ADAWARE\Ad-Aware SE Personal\

ProcessID : 260

ThreadCreationTime : 4-12-2007 3:11:04 AM

BasePriority : Normal

FileVersion : 6.2.0.206

ProductVersion : VI.Second Edition

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

 

Win32.Sality Object Recognized!

Type : Process

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\System32\

 

 

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : Process

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\System32\

 

 

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 16

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 16

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Object "wmdrtc32.dll" found in this archive.

 

Win32.Sality Object Recognized!

Type : File

Data : backup-Wed 04.11.2007-16.22.54.68.zip

Category : Malware

Comment : Object "wmdrtc32.dll" found in this archive.

Object : C:\avenger\

 

 

Object "rgoqmn.sys" found in this archive.

 

Win32.Sality Object Recognized!

Type : File

Data : backup.zip

Category : Malware

Comment : Object "rgoqmn.sys" found in this archive.

Object : C:\avenger\

 

 

Object "wmdrtc32.dll" found in this archive.

 

Win32.Sality Object Recognized!

Type : File

Data : backup.zip

Category : Malware

Comment : Object "wmdrtc32.dll" found in this archive.

Object : C:\avenger\

 

 

 

Win32.TrojanProxy.Agent.dl Object Recognized!

Type : File

Data : wincxrh.exe

Category : Malware

Comment :

Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : rgoqmn.sys

Category : Malware

Comment :

Object : C:\WINDOWS\system32\drivers\

 

 

 

Win32.TrojanSpy.Goldun Object Recognized!

Type : File

Data : wmdconf32.dll

Category : C:\ADAWARE\Ad-Aware SE Personal\lang\

Comment :

Object : C:\WINDOWS\system32\

 

 

 

Win32.Sality Object Recognized!

Type : File

Data : wmdrtc32.dll

Category : Malware

Comment :

Object : C:\WINDOWS\system32\

 

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 23

 

 

Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 23

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 23

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 24

 

10:17:52 AM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:06:39.266

Objects scanned:131018

Objects identified:9

Objects ignored:0

New critical objects:9

[wirosari]

The SDFIX from SAFEMODE :

 

 

SDFix: Version 1.69

 

Run by TresnaTan - Thu 04/12/2007 @ 11:42:57.20

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\ADAWARE\SDFixNew

 

Safe Mode:

Checking Services:

 

 

 

 

 

Restoring Windows Registry Entries

Restoring Default Hosts File

 

 

Rebooting...

 

Normal Mode:

Checking Files:

 

No Trojan Files Found...

 

 

 

 

ADS Check:

 

C:\WINDOWS\system32

No streams found.

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe:*:Enabled:ipsec"

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcmol.exe"=""

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe:*:Enabled:ipsec"

"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:ipsec"

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

 

Remaining Files:

---------------

 

 

 

Checking For Files with Hidden Attributes :

 

 

Add/Remove Programs List:

 

Ad-Aware SE Personal

Adobe Acrobat 5.0

Adobe Photoshop 6.0

Adobe SVG Viewer 3.0

AutoCAD R14.0

Canon ScanGear Toolbox 3.0

ERUNT 1.1j

HaxFix 4.39

HijackThis 1.99.1

HP DeskJet 1125C Printer

HP LaserJet 1200 Uninstaller

C-Dilla Licence Management System

Macromedia FreeHand 9

Macromedia Shockwave Player

MSN Toolbar

Nero OEM

Nero Suite

NVIDIA Windows 2000/XP Display Drivers

QuickTime

Rhinoceros 2.0

Rootkit Unhooker Uninstall

Spyware Doctor 5.0

Volo View Express

Winamp3 (remove only)

WinZip

Macromedia Dreamweaver MX 2004

Adobe Illustrator 10

eDrawings 2004 SP04.1

SolidWorks 2004 Viewer

Easy CD Creator 5 Basic

Network Utility

OpenOffice.org 2.0

3ds max 5

Microsoft Office XP Professional with FrontPage

Macromedia Extension Manager

Adobe Creative Suite

McAfee VirusScan Professional Edition

 

Finished

[wirosari]

Dear FZWG,

 

The SYSTEM.IN contents :

; for 16-bit app support

[drivers]

wave=mmdrv.dll

timer=timer.drv

[mci]

[driver32]

[386enh]

woafont=dosapp.FON

EGA80WOA.FON=EGA80WOA.FON

EGA40WOA.FON=EGA40WOA.FON

CGA80WOA.FON=CGA80WOA.FON

CGA40WOA.FON=CGA40WOA.FON

FileSysChange=off

[MCIDRV_VER]

DEVICEN1=95215658363

__h=10

__dr=12

[iDslow]

IDVer32666=988281

IDMCI32=23846878ABA233

[iDslow32]

MDCDID32=991140

[wirosari]

Dear FZWG,

 

The SPYWARE DOCTOR Free Version - Scan only

 

The result is :

1. email-worm.Warez OV! sd5

C:\doc&set\tresnatan\local setting\temp\temp.fr99A9

C:\win\sys32\WMDRTC32.dll

 

2.. Trojan-spy.goldun! sd5

C:\doc&set\tresnatan\local setting\temp\temp.fr9C34

 

 

3. Trojan - PWS- Tanspy

H_K_L_M\Software\Microsoft\Windows\CurVer\Control P...\LOAD

 

 

This info maybe useful for analyzing.

many thanks for help.

Edited April 12, 2007 by wirosari

[wirosari]

Dear FZWG,

 

After that, The Rootkit still crashing my SAFE MODE.

(I must to use the AVZ RESTORE Safe Mode)

 

Then use SDFIX displayed like below.

HJT 99 also logged below.

 

And now, installed SPYWARE DOCTOR Free Version displayed PopUp :

 

SOFFICE.BIN attemp to access a file

C:\windows\system32\wmdrtc32.dll

Email-work. warezOV! sd5

 

 

many thanks sir!

 

 

===============

SDFix: Version 1.69

 

Run by TresnaTan - Thu 04/12/2007 @ 17:54:20.00

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\ADAWARE\SDFixNew

 

Safe Mode:

Checking Services:

 

 

 

 

 

Restoring Windows Registry Entries

Restoring Default Hosts File

 

 

Rebooting...

 

Normal Mode:

Checking Files:

 

No Trojan Files Found...

 

 

 

 

ADS Check:

 

C:\WINDOWS\system32

No streams found.

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe:*:Enabled:ipsec"

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcmol.exe"=""

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe:*:Enabled:ipsec"

"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:ipsec"

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winjfamv.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winjfamv.exe:*:Enabled:ipsec"

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winsujeew.exe"=""

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcbvya.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcbvya.exe:*:Enabled:ipsec"

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winwddb.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winwddb.exe:*:Enabled:ipsec"

"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winppmogd.exe"=""

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

 

Remaining Files:

---------------

 

 

 

Checking For Files with Hidden Attributes :

 

 

Add/Remove Programs List:

 

Ad-Aware SE Personal

Adobe Acrobat 5.0

Adobe Photoshop 6.0

Adobe SVG Viewer 3.0

AutoCAD R14.0

Canon ScanGear Toolbox 3.0

ERUNT 1.1j

HaxFix 4.39

HijackThis 1.99.1

HP DeskJet 1125C Printer

HP LaserJet 1200 Uninstaller

C-Dilla Licence Management System

Macromedia FreeHand 9

Macromedia Shockwave Player

MSN Toolbar

Nero OEM

Nero Suite

NVIDIA Windows 2000/XP Display Drivers

QuickTime

Rhinoceros 2.0

Rootkit Unhooker Uninstall

Spyware Doctor 5.0

Volo View Express

Winamp3 (remove only)

WinZip

Macromedia Dreamweaver MX 2004

Adobe Illustrator 10

eDrawings 2004 SP04.1

SolidWorks 2004 Viewer

Easy CD Creator 5 Basic

Network Utility

OpenOffice.org 2.0

3ds max 5

Microsoft Office XP Professional with FrontPage

Macromedia Extension Manager

Adobe Creative Suite

McAfee VirusScan Professional Edition

 

Finished

 

 

HJT 99 logged after SDFIX restarting the PC :

 

Logfile of HijackThis v1.99.1

Scan saved at 6:14:19 PM, on 4/12/2007

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\ADAWARE\Spyware Doctor\svcntaux.exe

C:\ADAWARE\Spyware Doctor\swdsvc.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\ADAWARE\Spyware Doctor\SDTrayApp.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.exe

C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN

C:\ADAWARE\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe

O4 - HKLM\..\Run: [sDTray] "C:\ADAWARE\Spyware Doctor\SDTrayApp.exe"

O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O17 - HKLM\System\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12

O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\ADAWARE\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\ADAWARE\Spyware Doctor\swdsvc.exe

[FZWG]

Well, here is a sign of Sality:

[MCIDRV_VER]

DEVICEN1=95215658363

 

Then, there is Troj/Spmbot-B:

[iDslow]

IDVer32666=988281

 

And whatever these are, maybe the same Spmbot-B:

IDMCI32=23846878ABA233

[iDslow32]

MDCDID32=991140

 

Editing system.ini is an option, but if the infection is active, there may be serious results...

 

====

If this ’thing’ is residing in memory, it may have the capability to disable any virus or spyware protection. So let’s go with online-scanners. However, boot to Safe Mode with Networking to download and use the scans:

 

Panda ActiveScan:

http://www.pandasoftware.com/products/ActiveScan.htm

 

BitDefender Online Scanner:

http://www.bitdefender.com/

 

Please post the results for both online scans.

 

====

Also download Clean.zip to the Desktop

http://www.malekal.com/download/clean.zip,

Right click and Extract

In the Clean folder created, click on clean.cmd

When the command window (black screen) opens, select Option 1, and press: Enter

 

Allow the scan to complete, press any key, and post the contents of the Clean text in you reply.

 

====

Next, download RustBFix by ejvindh:

http://www.uploads.ejvindh.net/rustbfix.exe

Save it to the Desktop.

 

Double click on rustbfix.exe to run the tool.

If a Rustock.b-infection is found, you are asked to reboot the computer.

The reboot will probably take a while, and perhaps 2 reboots are needed, but this happens automatically.

 

After the reboot(s) 2 log files open: Avenger.txt and a Pelog.txt

Please post both log files in your reply.

 

====

Also, click here to download AVG Anti Rootkit and save it to the Desktop.

• Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
• Click "I Agree" to agree to the EULA.
• By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
• Click "Next" to begin the installation then click "Install".
• It will then ask you to reboot now to finish the installation.
• Click "Finish" and your computer will reboot.
• After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on the Desktop.
• Click on the "Perform in-depth search" button to begin the scan.
• The scan will take a while so be patient and let it complete.
• When the scan is finished, click the "Save result to file" button.

Save the scan results to the Desktop, and provide the AVG_AntiRootkit results in your reply.

 

====

One last item, can you install a software Firewall?

Some good free choices are:

 

ZoneAlarm:

http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za

 

Sunbelt Kerio:

http://www.sunbelt-software.com/Kerio.cfm

 

OutPost:

http://www.agnitum.com/products/outpostfree/download.php

 

 

 

In summary, need the following in your reply:

The Panda ActiveScan results

The BitDefender results

The contents of the Clean report

The RustBFix Avenger.txt and a Pelog.txt

The AVG_AntiRootkit results

Edited April 12, 2007 by FZWG

[wirosari]

Dear FZWG,

 

This Panda Online run under SAFE MODE with Network.

It seems SALITY infect ALL the Exe File

 

The log even exceeded the 102400 char allowed.

 

These file Not Disinfected :

Potentially unwanted tool:Application/Processor Not disinfected C:\ADAWARE\SDFix\apps\Process.exe

 

These file is other viruses :

Virus:Trj/Shutdown.Z Disinfected C:\ADAWARE\VirTools\SmitfraudFix.zip[smitfraudFix/restart.exe]

Virus:Trj/Goldun.OF Disinfected C:\Documents and Settings\TresnaTan\Local Settings\Temp\temp.fr9C34

Edited PANDA LOG - All found is Virus:W32/Sality.Y

 

Virus:W32/Sality.Y

 

Status Location

Disinfected C:\3dsmax5\3dsmax.exe

Disinfected C:\3dsmax5\adlmswitch.exe

Disinfected C:\3dsmax5\backburner2\backburnercfg.exe

Disinfected C:\3dsmax5\backburner2\manager.exe

Disinfected C:\3dsmax5\backburner2\managersvc.exe

Disinfected C:\3dsmax5\backburner2\monitor.exe

Disinfected C:\3dsmax5\backburner2\server.exe

Disinfected C:\3dsmax5\backburner2\serversvc.exe

Disinfected C:\3dsmax5\MaxFind.exe

Disinfected C:\3dsmax5\maxunzip.exe

Disinfected C:\3dsmax5\maxzip.exe

Disinfected C:\3dsmax5\PMAN32.EXE

Disinfected C:\3dsmax5\swl\CdRemove.exe

Disinfected C:\3dsmax5\swl\CdSet32.exe

Disinfected C:\ADAWARE\Ad-Aware SE Personal\Ad-Aware.exe

Disinfected C:\ADAWARE\Ad-Aware SE Personal\unregaaw.exe

Disinfected C:\ADAWARE\Ad-Aware SE Personal\UNWISE.EXE

Disinfected C:\ADAWARE\AVZ_GeektoGo\avz.exe

Disinfected C:\ADAWARE\Cleanup.exe

Disinfected C:\ADAWARE\ERUNT\4-11-2007\ERDNT.EXE

Disinfected C:\ADAWARE\ERUNT\AUTOBACK.EXE

Disinfected C:\ADAWARE\ERUNT\ERUNT.EXE

Disinfected C:\ADAWARE\ERUNT\NTREGOPT.EXE

Disinfected C:\ADAWARE\fixwareout\FindT\dumphive.exe

Disinfected C:\ADAWARE\fixwareout\FindT\nircmd.exe

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ADAWARE\fixwareout\FindT\nircmd.exe

Disinfected C:\ADAWARE\fixwareout\FindT\RestartIt.exe

Disinfected C:\ADAWARE\fixwareout\FindT\swreg.exe

Disinfected C:\ADAWARE\fixwareout\FindT\vfind.exe

Disinfected C:\ADAWARE\HijackThis.exe

Disinfected C:\ADAWARE\HijackThis888.exe

Disinfected C:\ADAWARE\HP1125\win98usb\U2PCMh01.exe

Disinfected C:\ADAWARE\HP1125\win98usb\uninst.exe

Disinfected C:\ADAWARE\RkUnhooker\p3W40Wclw38302xYkiJ8gMU.exe

Disinfected C:\ADAWARE\RkUnhooker\uninstall.exe

Disinfected C:\ADAWARE\SDFix\apps\cliptext.exe

Disinfected C:\ADAWARE\SDFix\apps\download.exe

Disinfected C:\ADAWARE\SDFix\apps\LS.exe

Disinfected C:\ADAWARE\SDFix\apps\MoveEx.exe

Disinfected C:\ADAWARE\SDFix\apps\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\ADAWARE\SDFix\apps\Process.exe

Disinfected C:\ADAWARE\SDFix\apps\RegDACL.exe

Disinfected C:\ADAWARE\SDFix\apps\Replace\W2K.exe

Disinfected C:\ADAWARE\SDFix\apps\Replace\XP.exe

Disinfected C:\ADAWARE\SDFix\apps\RestartIt!.exe

Disinfected C:\ADAWARE\SDFix\apps\sc.exe

Disinfected C:\ADAWARE\SDFix\apps\SF.exe

Disinfected C:\ADAWARE\SDFix\apps\sha160.exe

Disinfected C:\ADAWARE\SDFix\apps\swreg.exe

Virus:W32/Sality.Y Disinfected C:\ADAWARE\SDFix\apps\swsc.exe

Disinfected C:\ADAWARE\SDFix\apps\unzip.exe

Disinfected C:\ADAWARE\SDFixNew\apps\cliptext.exe

Disinfected C:\ADAWARE\SDFixNew\apps\download.exe

Disinfected C:\ADAWARE\SDFixNew\apps\LS.exe

Disinfected C:\ADAWARE\SDFixNew\apps\MoveEx.exe

Disinfected C:\ADAWARE\SDFixNew\apps\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\ADAWARE\SDFixNew\apps\Process.exe

Disinfected C:\ADAWARE\SDFixNew\apps\RegDACL.exe

Disinfected C:\ADAWARE\SDFixNew\apps\Replace\W2K.exe

Disinfected C:\ADAWARE\SDFixNew\apps\Replace\XP.exe

Disinfected C:\ADAWARE\SDFixNew\apps\RestartIt!.exe

Disinfected C:\ADAWARE\SDFixNew\apps\sc.exe

Disinfected C:\ADAWARE\SDFixNew\apps\SF.exe

Disinfected C:\ADAWARE\SDFixNew\apps\sha160.exe

Disinfected C:\ADAWARE\SDFixNew\apps\swreg.exe

Disinfected C:\ADAWARE\SDFixNew\apps\swsc.exe

Disinfected C:\ADAWARE\SDFixNew\apps\unzip.exe

Disinfected C:\ADAWARE\SDFixNew\apps\zip.exe

Disinfected C:\ADAWARE\sting260.exe

Disinfected C:\ADAWARE\Tools_Registry\avenger.exe

Disinfected C:\ADAWARE\Tools_Registry\KillBox_NEW.exe

Disinfected C:\ADAWARE\VirTools\ATF-CleanerIDEM.exe

Disinfected C:\ADAWARE\VirTools\avenger.exe

Disinfected C:\ADAWARE\VirTools\ComboFix_JANGANPAKAI.exe

Disinfected C:\ADAWARE\VirTools\Copy (2) of ATF-CleanerIDEM.exe

Disinfected C:\ADAWARE\VirTools\Copy (3) of ATF-CleanerIDEM.exe

Disinfected C:\ADAWARE\VirTools\Copy of ATF-CleanerIDEM.exe

Disinfected C:\ADAWARE\VirTools\GMER_ROOTKIT_SCANNER_catchme.exe

Disinfected C:\ADAWARE\VirTools\KillBox.exe

Disinfected C:\ADAWARE\VirTools\LSPFix.exe

Disinfected C:\ADAWARE\VirTools\PrevxFixGrom.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\ADAWARE\VirTools\SDFix.exe[sDFix\apps\Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\ADAWARE\VirTools\SDFix_NEW.zip[sDFix.exe][sDFix\apps\Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\ADAWARE\VirTools\SDFix_OLD.exe[sDFix\apps\Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\ADAWARE\VirTools\SmitfraudFix.zip[smitfraudFix/Process.exe]

Virus:Trj/Shutdown.Z Disinfected C:\ADAWARE\VirTools\SmitfraudFix.zip[smitfraudFix/restart.exe]

Disinfected C:\ADAWARE\VirTools\TrendMicro_RootkitBuster.exe

Disinfected C:\ADAWARE\VirTools\VundoFix.exe

Disinfected C:\C_DILLA\setup\cdremove.exe

Disinfected C:\Documents and Settings\All Users\Documents\FTP\ws_ftple.exe

Disinfected C:\Documents and Settings\TresnaTan\Desktop\converter.exe

Disinfected C:\Documents and Settings\TresnaTan\Desktop\s-t-i-n-g-e-r.exe

Disinfected C:\Documents and Settings\TresnaTan\Local Settings\Temp\temp.fr99A9

Virus:Trj/Goldun.OF Disinfected C:\Documents and Settings\TresnaTan\Local Settings\Temp\temp.fr9C34

Virus:W32/Sality.X.drp Disinfected C:\Documents and Settings\TresnaTan\Local Settings\Temp\temp.frEB59

Disinfected C:\Documents and Settings\TresnaTan\Local Settings\Temp\winbxktxg.exe

Disinfected C:\Documents and Settings\TresnaTan\Local Settings\Temp\winkcmol.exe

Disinfected C:\Documents and Settings\TresnaTan\Local Settings\Temp\winppmogd.exe

Disinfected C:\Documents and Settings\TresnaTan\Local Settings\Temp\winsujeew.exe

Disinfected C:\Documents and Settings\TresnaTan\Local Settings\Temp\winvdprjm.exe

Disinfected C:\Documents and Settings\TresnaTan\OpenOfficeInstall\OpenOffice.org 2.0 Installation Files\setup.exe

Disinfected C:\ERUNT\4-11-2007\ERDNT.EXE

Disinfected C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe

Disinfected C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Scandisc.exe

Disinfected C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\udfrchk.exe

Disinfected C:\Program Files\Adaptec\Easy CD Creator 5\Easy CD Creator\CDCopier.exe

Disinfected C:\Program Files\Adaptec\Easy CD Creator 5\Easy CD Creator\Creatr50.exe

Disinfected C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe

Disinfected C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrodist.exe

Disinfected C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe

Virus:W32/Sality.Y Disinfected C:\Program Files\Adobe\Adobe Illustrator CS\Support Files\Contents\Windows\Illustrator.exe

Disinfected C:\Program Files\Adobe\Illustrator 10\Support Files\Contents\Windows\Illustrator.exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\ImageReady.exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Required\Droplet Template.exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Constrain 350, Make JPG 30.exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Constrain to 200x200 pixels.exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Constrain to 64X64 pixels.exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make Button.exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make GIF (128 colors).exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make GIF (32, no dither).exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make GIF (64 colors).exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make JPEG (quality 10).exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make JPEG (quality 30).exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make JPEG (quality 60).exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Multi-Size Save.exe

Disinfected C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Unsharp Mask.exe

Disinfected C:\Program Files\AutoCAD R14\acad.exe

Disinfected C:\Program Files\AutoCAD R14\SAMPLE\ACTIVEX\Facility\Facility.Exe

Disinfected C:\Program Files\AutoCAD R14\SAMPLE\ACTIVEX\TimeLog\TimeLog.exe

Disinfected C:\Program Files\AutoCAD R14\SUPPORT\EBATCHP\ebatchp.exe

Disinfected C:\Program Files\AutoCAD R14\SUPPORT\EBATCHP\ebph.exe

Disinfected C:\Program Files\AutoCAD R14\SUPPORT\l_acla.exe

Disinfected C:\Program Files\Canon\ScanGear Toolbox Ver3\CHREG.EXE

Disinfected C:\Program Files\Canon\ScanGear Toolbox Ver3\SGTBox.exe

Disinfected C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe

Disinfected C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Disinfected C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe

Disinfected C:\Program Files\Common Files\Adobe\Web\AOM.exe

Virus:W32/Sality.Y Disinfected C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Disinfected C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\knlwrap.exe

Disinfected C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Disinfected C:\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRV10.EXE

Disinfected C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\SrchAdmStp.exe

Disinfected C:\Program Files\Common Files\Microsoft Shared\Office10\MSOICONS.EXE

Disinfected C:\Program Files\Common Files\Microsoft Shared\PhotoEd\PHOTOED.EXE

Disinfected C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\fpsrvadm.exe

Disinfected C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\fpcount.exe

Disinfected C:\Program Files\Common Files\Nero\Uninstall\setup.exe

Disinfected C:\Program Files\Common Files\Network Associates\Alert Manager\amgrcnfg.exe

Disinfected C:\Program Files\Common Files\Network Associates\Alert Manager\VirNotfy.exe

Disinfected C:\Program Files\Common Files\Network Associates\LWI\lwi.exe

Disinfected C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Disinfected C:\Program Files\Common Files\SolidWorks Shared\eDrawings\EModelViewer.exe

Disinfected C:\Program Files\Fuji Xerox\Network Utility\Fxnetutl.exe

Disinfected C:\Program Files\GNUGS\GSWIN32C.EXE

Disinfected C:\Program Files\HaxFix\moveex.exe

Disinfected C:\Program Files\HaxFix\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\Program Files\HaxFix\Process.exe

Disinfected C:\Program Files\HaxFix\RegDACL.exe

Disinfected C:\Program Files\HaxFix\swsc.exe

Disinfected C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppsoftconfigpage.exe

Disinfected C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\1200\EnvSetup.exe

Disinfected C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\1200\setup.exe

Disinfected C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\1200\_isdel.exe

Disinfected C:\Program Files\Hewlett-Packard\LaserJet All-in-one\WebReg\webreg.exe

Disinfected C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe

Disinfected C:\Program Files\InstallShield Installation Information\{412033BC-44CF-48D9-B813-4B835101F4D3}\Setup.exe

Disinfected C:\Program Files\InstallShield Installation Information\{606D713C-B60C-11D6-A47A-00B0D03E4223}\Setup.exe

Disinfected C:\Program Files\InstallShield Installation Information\{70B7022C-74ED-11D4-8AB9-00C04F872469}\Setup.exe

Disinfected C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\Setup.exe

Disinfected C:\Program Files\InstallShield Installation Information\{D52ECEBC-9B20-41A5-81C4-A62DE2367419}\setup.exe

Virus:W32/Sality.Y Disinfected C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe

Disinfected C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\java.exe

Disinfected C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\javac.exe

Disinfected C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\javaw.exe

Disinfected C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\keytool.exe

Disinfected C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\policytool.exe

Disinfected C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\rmid.exe

Disinfected C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\rmiregistry.exe

Disinfected C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\tnameserv.exe

Disinfected C:\Program Files\Macromedia\Extension Manager\Extension Manager.exe

Disinfected C:\Program Files\Macromedia\Extension Manager\Replace.exe

Disinfected C:\Program Files\Macromedia\FreeHand 9\Flash 4 Player.exe

Disinfected C:\Program Files\Macromedia\FreeHand 9\FreeHand 9 Clipart Viewer.exe

Disinfected C:\Program Files\Macromedia\FreeHand 9\FreeHand 9.exe

Disinfected C:\Program Files\McAfee\McAfee Shared Components\Central\CLaunch.exe

Disinfected C:\Program Files\McAfee\McAfee Shared Components\QuickClean Lite\QClean.exe

Disinfected C:\Program Files\McAfee\McAfee Shared Components\Shredder\shred32.exe

Disinfected C:\Program Files\McAfee\McAfee VirusScan\BrowseVS.exe

Disinfected C:\Program Files\McAfee\McAfee VirusScan\config32.exe

Disinfected C:\Program Files\McAfee\McAfee VirusScan\EDisk.exe

Disinfected C:\Program Files\McAfee\McAfee VirusScan\SendVir.exe

Disinfected C:\Program Files\McAfee\McAfee VirusScan\VsMain.exe

Disinfected C:\Program Files\McAfee\VirusScan Wireless\McEPOC.exe

Disinfected C:\Program Files\McAfee\VirusScan Wireless\McEPOCfg.exe

Disinfected C:\Program Files\McAfee\VirusScan Wireless\McPalmCfg.EXE

Virus:W32/Sality.Y Disinfected C:\Program Files\McAfee\VirusScan Wireless\McWCE.exe

Virus:W32/Sality.Y Disinfected C:\Program Files\McAfee\VirusScan Wireless\McWCECfg.exe

Edited April 13, 2007 by wirosari

[FZWG]

I am assuming you only posted part of the report, but that is OK.

 

You are dealing with the Sality virus, which can infect legit executables in your system.

The damage it causes is extensive:

http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=52797

 

Legit and necessary executables cannot be deleted like malware files. The executables need to be disinfected. However, it may happen that after the exe's are disinfected, some programs may no longer work. If you wish to do a format and install a clean Operating System ana the programs you use, it is a good idea.

 

However, you can also press on and run another online scan with Kasperski, and provide its results. It has a good track record for this infection, and may pick up anything left over. The log produced should not be as large.

 

The following is a link to several online scanners, including Kasperski:

http://dir.yahoo.com/Computers_and_Interne...Virus_Scanners/

 

Also, please provide the contents of system.ini once again. Need to know if the disinfection had any effect on it.

[wirosari]

Dear FZWG,,

 

Here is the BITDEFENDER online scan :

EDITED from HTML format.

 

The files in this folders still a concern :

C:\Documents and Settings\TresnaTan\Local Settings\Temp\

 

Thanks in advance!

 

 

BitDefender Online Scanner

 

Scan report generated at: Fri, Apr 13, 2007 - 11:42:52

 

Scan path: C:\;D:\;

 

Statistics

 

Time 00:43:09

Files 228709

Folders 3666

Boot Sectors 3

Archives 33484

Packed Files 23647

 

Results

Identified Viruses 1

 

Infected Files 1

 

Suspect Files 5

 

Warnings 0

 

Disinfected 0

 

Deleted Files 7

 

Engines Info

 

Virus Definitions 485681

 

Engine build AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)

 

Scan plugins 13

 

Archive plugins 31

 

Unpack plugins 5

 

E-mail plugins 6

 

System plugins 1

 

Scan Settings

 

First Action Disinfect

 

Second Action Delete

 

Heuristics Yes

 

Enable Warnings Yes

 

Scanned Extensions *;

 

Exclude Extensions

 

Scan Emails Yes

 

Scan Archives Yes

 

Scan PackedYes

 

Scan Files Yes

 

Scan Boot Yes

 

 

Scanned File Status

 

C:\ADAWARE\VirTools\GMER_ROOTKIT_SCANNER_catchme.exe

Suspected of: Generic.Malware.GS.578DA1E6

 

C:\ADAWARE\VirTools\GMER_ROOTKIT_SCANNER_catchme.exe

Disinfection failed

 

C:\ADAWARE\VirTools\GMER_ROOTKIT_SCANNER_catchme.exe

Deleted

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe

Suspected of: Generic.Malware.Yd.0347DF9B

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe

Disinfection failed

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe

Deleted

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winkcmol.exe

Suspected of: Generic.Malware.Yd.0347DF9B

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winkcmol.exe

Disinfection failed

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winkcmol.exe

Deleted

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winppmogd.exe

Suspected of: Generic.Malware.Yd.0347DF9B

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winppmogd.exe

Disinfection failed

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winppmogd.exe

Deleted

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winsujeew.exe

Suspected of: Generic.Malware.Yd.0347DF9B

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winsujeew.exe

Disinfection failed

 

C:\Documents and Settings\TresnaTan\Local Settings\Temp\winsujeew.exe

Deleted

 

C:\Program Files\McAfee\McAfee VirusScan\QUARANT\Panda Crack.zip.exe_.MCQ=>(Quarantine-PE)

Infected with: Win32.Lovgate.R@mm

 

C:\Program Files\McAfee\McAfee VirusScan\QUARANT\Panda Crack.zip.exe_.MCQ=>(Quarantine-PE)

Deleted

Edited April 13, 2007 by wirosari

[wirosari]

Dear sir,

 

Here is the SYSTEM.INI

after BITDEFENDER.

 

FYI, the PANDA is ALL files. (about 200's) Only virus-name (per line) deleted.

 

; for 16-bit app support

[drivers]

wave=mmdrv.dll

timer=timer.drv

[mci]

[driver32]

[386enh]

woafont=dosapp.FON

EGA80WOA.FON=EGA80WOA.FON

EGA40WOA.FON=EGA40WOA.FON

CGA80WOA.FON=CGA80WOA.FON

CGA40WOA.FON=CGA40WOA.FON

FileSysChange=off

[MCIDRV_VER]

DEVICEN1=95215658363

__h=18

__dr=12

[iDslow]

IDVer32666=988281

IDMCI32=23846878ABA233

[iDslow32]

MDCDID32=991140

[wirosari]

Very Dangerous...

 

I not yet restart the PC.

(after 2 online scan)

Stuill n Safe Mode w Network.

 

What should I do FIRST now sir?

pls help and advide

 

Note: Kapersky is running 5% now..

thx

Edited April 13, 2007 by wirosari