wirosari
Posted April 9, 2007

Dear PC PITSTOP,

My PC is infected by a rootkit or adware. PC status right now:
- Heavy NETWORK traffic
- Cannot enter SAFE MODE
- McAfee VShield services DISABLED

Trusted Advisor urgent help needed, FZWG or Jacee please come around.

Thanks,
Wirosari

ADAWARE SE said:

Ad-Aware SE Build 1.05
Logfile Created on:Monday, April 09, 2007 3:53:21 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R164 02.04.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):10 total references
Other(TAC index:5):1 total references
Win32.Sality(TAC index:10):38 total references
Win32.TrojanProxy.Agent.dl(TAC index:7):1 total references
Win32.TrojanSpy.Goldun(TAC index:10):7 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

4-9-2007 3:53:21 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\TresnaTan\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office

MRU List Object Recognized!
Location: : C:\Documents and Settings\TresnaTan\recent
Description : list of recently opened documents

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\office\10.0\excel\recent files
Description : list of recent files used by microsoft excel

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened

MRU List Object Recognized!
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 488
ThreadCreationTime : 4-9-2007 4:50:45 AM
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 544
ThreadCreationTime : 4-9-2007 4:50:48 AM
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 572
ThreadCreationTime : 4-9-2007 4:50:51 AM
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 616
ThreadCreationTime : 4-9-2007 4:50:53 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 628
ThreadCreationTime : 4-9-2007 4:50:53 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 812
ThreadCreationTime : 4-9-2007 4:50:57 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 880
ThreadCreationTime : 4-9-2007 4:50:57 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1012
ThreadCreationTime : 4-9-2007 4:50:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1040
ThreadCreationTime : 4-9-2007 4:50:58 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1212
ThreadCreationTime : 4-9-2007 4:50:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:11 [cdantsrv.exe]
FilePath : C:\WINDOWS\System32\DRIVERS\
ProcessID : 1624
ThreadCreationTime : 4-9-2007 4:51:05 AM
BasePriority : Normal
FileVersion : 3.25.010
ProductVersion : 3.25.010 Windows NT 2002/01/07
ProductName : CD-Secure/CD-Compress Windows NT
CompanyName : C-Dilla Ltd
FileDescription : C-Dilla RTS Service
InternalName : CDANTSRV
LegalCopyright : Copyright © Macrovision 1993-2002
OriginalFilename : CDANTSRV.EXE
Comments : StringFileInfo: U.S. English

#:12 [inetinfo.exe]
FilePath : C:\WINDOWS\System32\inetsrv\
ProcessID : 1664
ThreadCreationTime : 4-9-2007 4:51:05 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Internet Information Services
CompanyName : Microsoft Corporation
FileDescription : Internet Information Services
InternalName : INETINFO.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : INETINFO.EXE

#:13 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1688
ThreadCreationTime : 4-9-2007 4:51:06 AM
BasePriority : Normal
FileVersion : 6.13.10.3082
ProductVersion : 6.13.10.3082
ProductName : NVIDIA Driver Helper Service, Version 30.82
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 30.82
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:14 [tcpsvcs.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1720
ThreadCreationTime : 4-9-2007 4:51:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : TCP/IP Services Application
InternalName : TCPSVCS.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : TCPSVCS.EXE

#:15 [snmp.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1736
ThreadCreationTime : 4-9-2007 4:51:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : SNMP Service
InternalName : snmp.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : snmp.exe

#:16 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1752
ThreadCreationTime : 4-9-2007 4:51:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:17 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\
ProcessID : 840
ThreadCreationTime : 4-9-2007 4:51:16 AM
BasePriority : Normal
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright © 2001
OriginalFilename : AcroTray.exe

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : wmdconf32.dll
Category : C:\ADAWARE\Ad-Aware SE Personal\lang\
Comment :
Object : C:\WINDOWS\System32\

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!
Type : Process
Data : wmdrtc32.dll
Category : Malware
Comment :
Object : C:\WINDOWS\System32\

"C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe"Process terminated successfully

#:18 [soffice.exe]
FilePath : C:\Program Files\OpenOffice.org 2.0\program\
ProcessID : 1020
ThreadCreationTime : 4-9-2007 4:51:20 AM
BasePriority : Normal
FileVersion : 1.09.9069
ProductVersion : 1.09.9069
CompanyName : OpenOffice.org
FileDescription : OpenOffice.org 2.0
InternalName : SOFFICE
LegalCopyright : Copyright © 2005 by Sun Microsystems, Inc.
OriginalFilename : SOFFICE.EXE

#:19 [soffice.bin]
FilePath : C:\Program Files\OpenOffice.org 2.0\program\
ProcessID : 1052
ThreadCreationTime : 4-9-2007 4:51:21 AM
BasePriority : Normal
FileVersion : 1.09.9069
ProductVersion : 1.09.9069
CompanyName : OpenOffice.org
FileDescription : OpenOffice.org 2.0
InternalName : SOFFICE
LegalCopyright : Copyright © 2005 by Sun Microsystems, Inc.
OriginalFilename : SOFFICE.EXE

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!
Type : Process
Data : wmdrtc32.dll
Category : Malware
Comment :
Object : C:\WINDOWS\System32\

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : wmdconf32.dll
Category : C:\ADAWARE\Ad-Aware SE Personal\lang\
Comment :
Object : C:\WINDOWS\System32\

#:20 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1600
ThreadCreationTime : 4-9-2007 8:50:20 AM
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : wmdconf32.dll
Category : C:\ADAWARE\Ad-Aware SE Personal\lang\
Comment :
Object : C:\WINDOWS\System32\

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!
Type : Process
Data : wmdrtc32.dll
Category : Malware
Comment :
Object : C:\WINDOWS\System32\

#:21 [ad-aware.exe]
FilePath : C:\ADAWARE\Ad-Aware SE Personal\
ProcessID : 1368
ThreadCreationTime : 4-9-2007 8:53:13 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll)

Win32.Sality Object Recognized!
Type : Process
Data : wmdrtc32.dll
Category : Malware
Comment :
Object : C:\WINDOWS\System32\

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll)

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : wmdconf32.dll
Category : C:\ADAWARE\Ad-Aware SE Personal\lang\
Comment :
Object : C:\WINDOWS\System32\

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 18

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.TrojanProxy.Agent.dl Object Recognized!
Type : File
Data : winpidn.exe
Category : Malware
Comment :
Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\

Win32.TrojanSpy.Goldun Object Recognized!
Type : File
Data : A0372822.dll
Category : C:\ADAWARE\Ad-Aware SE Personal\lang\
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP509\

Win32.Sality Object Recognized!
Type : File
Data : A0372850.sys
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-16.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-18.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-21.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-22.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-23.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-24.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP510\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : A0372896.sys
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\

Win32.Sality Object Recognized!
Type : File
Data : A0372897.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-16.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-18.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-21.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-22.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-23.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : MFEX-24.DAT
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP511\snapshot\

Win32.Sality Object Recognized!
Type : File
Data : A0372957.sys
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!
Type : File
Data : A0373002.rbf
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!
Type : File
Data : A0373007.sys
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!
Type : File
Data : A0373188.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!
Type : File
Data : A0373189.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP512\

Win32.Sality Object Recognized!
Type : File
Data : A0373242.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP513\

Win32.Sality Object Recognized!
Type : File
Data : A0373243.sys
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP513\

Win32.Sality Object Recognized!
Type : File
Data : A0373283.sys
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : A0373444.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : A0373445.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : A0373461.sys
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : A0373539.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : A0373540.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : A0373541.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : A0373548.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : A0373549.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : A0373550.sys
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.TrojanSpy.Goldun Object Recognized!
Type : File
Data : A0373655.dll
Category : C:\ADAWARE\Ad-Aware SE Personal\lang\
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\

Win32.Sality Object Recognized!
Type : File
Data : rgoqmn.sys
Category : Malware
Comment :
Object : C:\WINDOWS\system32\drivers\

Win32.TrojanSpy.Goldun Object Recognized!
Type : File
Data : wmdconf32.dll
Category : C:\ADAWARE\Ad-Aware SE Personal\lang\
Comment :
Object : C:\WINDOWS\system32\

Win32.Sality Object Recognized!
Type : File
Data : wmdrtc32.dll
Category : Malware
Comment :
Object : C:\WINDOWS\system32\

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 56

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 56

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 56

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 57

4:00:52 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:07:30.953
Objects scanned:136392
Objects identified:39
Objects ignored:0
New critical objects:39

HIJACKTHIS 99 said:

ComboScan log is here:

ComboScan v20070226.18 run by Tres on 2007-04-09 at 09:25:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis Clone -------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-04-09 09:25:29
Platform: Windows XP (5.01.2600)
MSIE: Internet Explorer (6.0.2600.0000)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDANTSRV.EXE
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.bin
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\inetsrv\davcdata.exe
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winwtqgpw.exe
C:\ADAWARE\VirTools\comboscan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: Alerter - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: AVSync Manager (AvSynMgr) - "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe"
O23 - Service: Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: C-DillaSrv - C:\WINDOWS\system32\drivers\CDANTSRV.EXE
O23 - Service: Indexing Service (cisvc) - C:\WINDOWS\system32\cisvc.exe
O23 - Service: ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe
O23 - Service: COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
O23 - Service: Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService
O23 - Service: Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Event Log (Eventlog) - C:\WINDOWS\system32\services.exe
O23 - Service: COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Help and Support (helpsvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Human Interface Device Access (HidServ) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: IIS Admin (IISADMIN) - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - C:\WINDOWS\system32\imapi.exe
O23 - Service: Infrared Monitor (Irmon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Server (lanmanserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Workstation (lanmanworkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: TCP/IP NetBIOS Helper (LmHosts) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Macromedia Licensing Service - "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
O23 - Service: Messenger - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - C:\WINDOWS\system32\msdtc.exe
O23 - Service: Windows Installer (MSIServer) - C:\WINDOWS\System32\msiexec.exe /V
O23 - Service: Network DDE (NetDDE) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Network DDE DSDM (NetDDEdsdm) - C:\WINDOWS\system32\netdde.exe
O23 - Service: Net Logon (Netlogon) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Network Connections (Netman) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Network Location Awareness (NLA) (Nla) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: NT LM Security Support Provider (NtLmSsp) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Removable Storage (NtmsSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Client Service for NetWare (NWCWorkstation) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Plug and Play (PlugPlay) - C:\WINDOWS\system32\services.exe
O23 - Service: IPSEC Services (PolicyAgent) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Protected Storage (ProtectedStorage) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Access Connection Manager (RasMan) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Routing and Remote Access (RemoteAccess) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Remote Registry (RemoteRegistry) - C:\WINDOWS\system32\svchost.exe -k LocalService
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - C:\WINDOWS\system32\locator.exe
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - C:\WINDOWS\system32\svchost -k rpcss
O23 - Service: QoS RSVP (RSVP) - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Security Accounts Manager (SamSs) - C:\WINDOWS\system32\lsass.exe
O23 - Service: Smart Card Helper (SCardDrv) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Smart Card (SCardSvr) - C:\WINDOWS\system32\scardsvr.exe
O23 - Service: Task Scheduler (Schedule) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Secondary Logon (seclogon) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: System Event Notification (SENS) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Windows Firewall/Internet Connection Sharing (ICS) (SharedAccess) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Shell Hardware Detection (ShellHWDetection) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Simple TCP/IP Services (SimpTcp) - C:\WINDOWS\system32\tcpsvcs.exe
O23 - Service: Simple Mail Transfer Protocol (SMTP) (SMTPSVC) - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: SNMP Service (SNMP) - C:\WINDOWS\system32\snmp.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - C:\WINDOWS\system32\snmptrap.exe
O23 - Service: Print Spooler (Spooler) - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: System Restore Service (srservice) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: SSDP Discovery Service (SSDPSRV) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Image Acquisition (WIA) (stisvc) - C:\WINDOWS\System32\svchost.exe -k imgsvc
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - C:\WINDOWS\System32\dllhost.exe /Processid:{A7A4442A-5FF2-4273-9D3D-A8DF8D6AC966}
O23 - Service: Performance Logs and Alerts (SysmonLog) - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Telephony (TapiSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Terminal Services (TermService) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Themes - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Telnet (TlntSvr) - C:\WINDOWS\system32\tlntsvr.exe
O23 - Service: Distributed Link Tracking Client (TrkWks) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Upload Manager (uploadmgr) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Universal Plug and Play Device Host (upnphost) - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Uninterruptible Power Supply (UPS) - C:\WINDOWS\system32\ups.exe
O23 - Service: Volume Shadow Copy (VSS) - C:\WINDOWS\system32\vssvc.exe
O23 - Service: Windows Time (W32Time) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: World Wide Web Publishing (W3SVC) - C:\WINDOWS\system32\inetsrv\inetinfo.exe
O23 - Service: WebClient - C:\WINDOWS\System32\svchost.exe -k LocalService
O23 - Service: Windows Management Instrumentation (winmgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Portable Media Serial Number (WmdmPmSp) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: Windows Management Instrumentation Driver Extensions (Wmi) - C:\WINDOWS\System32\svchost.exe -k netsvcs
O23 - Service: WMI Performance Adapter (WmiApSrv) - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Automatic Updates (wuauserv) - C:\WINDOWS\system32\svchost.exe -k netsvcs
O23 - Service: Wireless Zero Configuration (WZCSVC) - C:\WINDOWS\System32\svchost.exe -k netsvcs

-- Files created between 2007-03-09 and 2007-04-09 ------------------------------

2007-04-09 09:19:22   81920 --a------ C:\WINDOWS\System32\wmdconf32.dll <WMDCON~1.DLL>
2007-04-05 16:41:26 1923046 --a------ C:\WINDOWS\System32\SBSP.dat
2007-04-05 16:41:24    5477 --a------ C:\WINDOWS\System32\drivers\rgoqmn.sys
2007-04-05 16:41:14     313 --a------ C:\WINDOWS\System32\SBRC.dat
2007-04-05 16:41:14     306 --a------ C:\WINDOWS\System32\SBFC.dat
2007-04-05 16:41:13   40960 --a------ C:\WINDOWS\System32\wmdrtc32.dll
2007-04-05 16:40:26   54200 --a------ C:\WINDOWS\System32\drivers\sbapifs.sys
2007-04-04 11:14:25       0 d-------- C:\Documents and Settings\TresnaTan\DoctorWeb <DOCTOR~1>
2007-04-04 09:50:54       0 d-------- c:\!KillBox
2007-03-21 08:08:01       0 d-------- C:\Program Files\Common Files\Nero
2007-03-21 08:07:36  241664 --a------ C:\WINDOWS\System32\mpg4dmod.dll
2007-03-21 08:07:36  384512 --a------ C:\WINDOWS\System32\mp4sdmod.dll
2007-03-21 08:07:36  316040 --a------ C:\WINDOWS\System32\mp43dmod.dll
2007-03-21 08:07:35  816264 --a------ C:\WINDOWS\System32\wmvdmod.dll
2007-03-21 08:07:35  486536 --a------ C:\WINDOWS\System32\wmspdmod.dll
2007-03-21 08:07:34  997888 --a------ C:\WINDOWS\System32\wmvdmoe2.dll
2007-03-21 08:07:34  892416 --a------ C:\WINDOWS\System32\wmspdmoe.dll
2007-03-21 08:07:34 1111040 --a------ C:\WINDOWS\System32\wmsdmoe2.dll
2007-03-21 08:07:34  760968 --a------ C:\WINDOWS\System32\wmsdmod.dll
2007-03-21 08:07:34  410248 --a------ C:\WINDOWS\System32\wmadmod.dll
2007-03-21 08:07:33  670208 --a------ C:\WINDOWS\System32\wmadmoe.dll
2007-03-21 08:07:33  241664 --a------ C:\WINDOWS\System32\qasf.dll
2007-03-21 08:07:33    6656 --a------ C:\WINDOWS\System32\laprxy.dll
2007-03-21 08:07:32  981504 --a------ C:\WINDOWS\System32\wmnetmgr.dll
2007-03-21 08:07:32  143360 --a------ C:\WINDOWS\System32\wmidx.dll
2007-03-21 08:07:32   81408 --a------ C:\WINDOWS\System32\logagent.exe
2007-03-21 08:07:31 2058888 --a------ C:\WINDOWS\System32\wmvcore.dll
2007-03-21 08:07:30  218112 --a------ C:\WINDOWS\System32\wmasf.dll
2007-03-21 08:07:28  253952 --a------ C:\WINDOWS\System32\msnetobj.dll
2007-03-21 08:07:28  232960 --a------ C:\WINDOWS\System32\blackbox.dll
2007-03-21 08:07:27  678912 --a------ C:\WINDOWS\System32\drmv2clt.dll
2007-03-21
08:07:27 82432 --a------ C:\WINDOWS\System32\drmstor.dll 2007-03-21 08:07:26 301712 --a------ C:\WINDOWS\System32\drmclien.dll 2007-03-21 08:06:12 106496 --a------ C:\WINDOWS\System32\TwnLib20.dll 2007-03-21 08:06:09 471040 -----n--- C:\WINDOWS\System32\ImagXRA7.dll 2007-03-21 08:06:08 262144 -----n--- C:\WINDOWS\System32\ImagXR7.dll 2007-03-21 08:06:08 476320 -----n--- C:\WINDOWS\System32\ImagXpr7.dll 2007-03-21 08:06:08 1568768 -----n--- C:\WINDOWS\System32\ImagX7.dll 2007-03-21 08:06:07 184320 --a------ C:\WINDOWS\System32\NeroCheck.exe<NEROCH~1.EXE> 2007-03-21 08:06:00 0 d-------- C:\Program Files\Common Files\Ahead 2007-03-13 17:57:51 0 d---s---- C:\Documents and Settings\TresnaTan\UserData -- Find3M Report ---------------------------------------------------------------- 2007-04-09 08:21:59 0 d-------- C:\Documents and Settings\TresnaTan\Application Data\OpenOffice.org2<OPENOF~1.ORG> 2007-03-30 08:37:39 0 d-------- C:\Documents and Settings\TresnaTan\Application Data\Identities<IDENTI~1> 2007-03-21 08:06:13 0 d-------- C:\Program Files\Ahead 2007-03-09 15:54:03 0 d-------- C:\Documents and Settings\TresnaTan\Application Data\Canon -- Registry Dump ---------------------------------------------------------------- [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "SBRegRebootCleaner"="C:\\ADAWARE\\CounterSpy\\SBRC.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="msmsgs" "hkey"="HKCU" "command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="RUNDLL32" "hkey"="HKLM" "command"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Winamp3\\winampa.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

SafeBoot registry key needs to be repaired. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService REG_MULTI_SZ DnsCache
rpcss REG_MULTI_SZ RpcSs
imgsvc REG_MULTI_SZ StiSvc
termsvcs REG_MULTI_SZ TermService

-- End of ComboScan: finished at 2007-04-09 at 09:25:39 -------------------------
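A triage aid for the ComboScan "Files created" listing above, added here as an example and not part of the original thread or of ComboScan itself. It parses lines of that shape, keeps only executables and drivers that landed in the system directories, and ranks them by how recently they appeared and whether the file name looks machine-generated. The sample listing is constructed from entries in the log above; the scoring weights and the vowel-ratio heuristic are my own assumptions. The output is a ranking for a person to check, not a verdict: sbapifs.sys and the SB*.dat files were created in the same minute as the CounterSpy install visible in the registry dump, so "recent" alone proves nothing.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in ComboScan's "Files created" shape
# (date, time, size, attribute string, path); entries mirror the log above.
SAMPLE = r"""
2007-04-09 09:19:22 81920 --a------ C:\WINDOWS\System32\wmdconf32.dll<WMDCON~1.DLL>
2007-04-05 16:41:24 5477 --a------ C:\WINDOWS\System32\drivers\rgoqmn.sys
2007-04-05 16:41:13 40960 --a------ C:\WINDOWS\System32\wmdrtc32.dll
2007-04-05 16:40:26 54200 --a------ C:\WINDOWS\System32\drivers\sbapifs.sys
2007-04-04 09:50:54 0 d-------- c:\!KillBox
2007-03-21 08:07:36 241664 --a------ C:\WINDOWS\System32\mpg4dmod.dll
2007-03-21 08:06:07 184320 --a------ C:\WINDOWS\System32\NeroCheck.exe<NEROCH~1.EXE>
"""

# Assumed scan time: end of the day the log was produced (2007-04-09).
SCAN_DATE = datetime(2007, 4, 9, 23, 59, 59)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{9}) (.+)$")


@dataclass
class Record:
    created: datetime
    size: int
    attrs: str
    path: str


@dataclass
class Finding:
    path: str
    score: int
    reasons: list


def parse_listing(text):
    """Parse ComboScan-style listing lines; ignore anything that does not fit."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        path = re.sub(r"<[^>]*>$", "", path)  # drop the trailing 8.3 alias
        created = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        records.append(Record(created, int(size), attrs, path))
    return records


def looks_random(stem):
    """Heuristic (my assumption): generated names tend to have very few vowels."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def triage(records, scan_date, window_days=7):
    """Score code files dropped into System32 / drivers; highest score first."""
    findings = []
    for r in records:
        if r.attrs.startswith("d"):
            continue  # directories carry no code of their own
        low = r.path.lower()
        name = low.rsplit("\\", 1)[-1]
        stem, _, ext = name.rpartition(".")
        score, reasons = 0, []
        if ext == "sys" and "\\drivers\\" in low:
            score += 2
            reasons.append("kernel driver in drivers\\")
        elif ext in ("dll", "exe") and "\\system32\\" in low:
            score += 1
            reasons.append("PE file in System32")
        else:
            continue  # only code in the system directories is triaged here
        if scan_date - r.created <= timedelta(days=window_days):
            score += 2
            reasons.append(f"created within {window_days} days of the scan")
        if looks_random(stem):
            score += 2
            reasons.append("name has few vowels (random-looking)")
        findings.append(Finding(r.path, score, reasons))
    return sorted(findings, key=lambda f: (-f.score, f.path.lower()))


if __name__ == "__main__":
    for f in triage(parse_listing(SAMPLE), SCAN_DATE):
        print(f.score, f.path, "; ".join(f.reasons))
```

Run as-is it ranks rgoqmn.sys first (driver, fresh, random name), the two wmd*32.dll files next, and the CounterSpy driver below them; NeroCheck.exe sits at the bottom because it is neither recent nor oddly named.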
FZWG
Posted April 9, 2007

Please download HaxFix.exe
Save it to the Desktop.
Double click on haxfix.exe to install.
Check: "Create a desktop icon"
Click: "Next"
When the installation is completed, make sure "Launch HaxFix" is checked.
Click "Finish"
A red "DOS window" opens with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
Select option 2, Run auto fix, by typing 2 and then pressing Enter.
Haxfix starts scanning the computer, and performs a reboot.
When finished, a logfile opens: haxlog.txt
Please copy the contents of the logfile and provide them in your reply. (c:\haxfix.txt)

====

Next, download SuperAntiSpyware Home Edition Free Version
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish
It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

====

Please post the contents of C:\haxfix.txt, the SuperAntiSpyware log, and a new HijackThis log.
wirosari
Posted April 10, 2007

Dear FZWG,
Hope you are still here at these hours.
Here is the log (sorry, the other log is still in progress...)

HAXFIX logfile - by Marckie
version 4.39
Tue 04/10/2007 9:47:16.34

--- Auto Haxdoorfix ---
searching for files:
no infections found

--- Goldunfix ---
searching for files:
wmdconf32.dll
checking iexplore.exe
iexplore.exe is not infected
searching for SSODLkeys:
no SSODLkeys found
searching for notifykeys:
no notifykeys found
searching for services:
no services found

.....rebooting the computer.....

searching for ssodlkeys
not needed
searching for notifykeys
not needed
searching for services
not needed
searching for safeboot services
not needed
searching for files
wmdconf32.dll exists
deleting wmdconf32.dll
wmdconf32.dll has been deleted
checking for other files
No other files found
checking for a3d files
no a3d files found

Finished

Thank you, Mr. Advisor, for supporting us!

Edited April 10, 2007 by wirosari
FZWG
Posted April 10, 2007

HaxFix did its thing. Next, post the SuperAntiSpyware log, and a new HijackThis log when you can.

By the way, you have some serious infections on that system as a result of not keeping Windows updated!! The malware has exploited the security holes in an unpatched version of XP and may be impossible to fix permanently. Please go to the Windows Update site and install Service Pack 1a followed by all available critical and security patches:
http://www.microsoft.com/windowsxp/downloa...p1/default.mspx
Reboot after applying the update.
wirosari
Posted April 10, 2007

Dear Sir,
This is the SuperAntiSpyware log. Thanks a lot for the enlightenment!

SUPERAntiSpyware Scan Log
Generated 04/10/2007 at 10:24 AM

Application Version : 3.6.1000
Core Rules Database Version : 3216
Trace Rules Database Version: 1226

Scan type : Complete Scan
Total Scan Time : 00:24:45

Memory items scanned : 376
Memory threats detected : 0
Registry items scanned : 4418
Registry threats detected : 0
File items scanned : 25360
File threats detected : 5

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\TRESNATAN\LOCAL SETTINGS\TEMP\WINNHYMHK.EXE
C:\DOCUMENTS AND SETTINGS\TRESNATAN\LOCAL SETTINGS\TEMP\WINOVGAA.EXE

Spyware.PWS-Kuku/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\A0373911.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\A0374104.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{074A976B-E603-4E1C-8513-113F3B2227E5}\RP514\A0375311.DLL

Edited April 10, 2007 by wirosari
wirosari
Posted April 10, 2007

Dear Advisor,
I tried the AVZ Anti-Viral Toolkit by Oleg Zaytsev to restore my Safe Mode. The PC can now boot into Safe Mode, but the connection is still busy/active!
The HJT log looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 11:06:32 AM, on 4/10/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ADAWARE\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\ADAWARE\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\ADAWARE\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12
O20 - Winlogon Notify: !SASWinLogon - C:\ADAWARE\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited April 10, 2007 by wirosari
wirosari
Posted April 10, 2007

Dear advisor,
AVZ Anti-Viral seems to have cleaned it and restored the Safe Mode registry. This procedure has been done. But Ad-Aware still detects these 2 files. The network is still heavy.
Please advise, and thanks.
FZWG
Posted April 10, 2007

"AdAware still detected these 2 files"

Which files is it detecting??? Please run the AdAware program again, and post its Full System Scan results.

Also, you are still in the hole...you have not installed SP1. If you do not, we are just doing this routine for exercise. You will be infected again, and again, and again, and again, and again, and again......

Edited April 10, 2007 by FZWG
wirosari
Posted April 11, 2007

"Which files is it detecting???"

Dear advisor, the files are:
File : c:\windows\system32\WMDRTC32.DLL
File : c:\windows\system32\drivers\RGOQMN.SYS

I will patch the hole, but since the traffic is so heavy, it is rather difficult. Thanks for the support.

Ad-Aware reports this:

Ad-Aware SE Build 1.05
Logfile Created on:Wednesday, April 11, 2007 9:59:20 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R164 02.04.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Win32.Sality(TAC index:10):8 total references
Win32.TrojanSpy.Goldun(TAC index:10):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects

4-11-2007 9:59:20 AM - Scan started.
(Full System Scan) Listing running processes »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» #:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 480 ThreadCreationTime : 4-11-2007 2:54:37 AM BasePriority : Normal #:2 [csrss.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 536 ThreadCreationTime : 4-11-2007 2:54:39 AM BasePriority : Normal #:3 [winlogon.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 568 ThreadCreationTime : 4-11-2007 2:54:42 AM BasePriority : High #:4 [services.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 616 ThreadCreationTime : 4-11-2007 2:54:43 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Services and Controller app InternalName : services.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : services.exe #:5 [lsass.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 628 ThreadCreationTime : 4-11-2007 2:54:43 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : lsass.exe #:6 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 796 ThreadCreationTime : 4-11-2007 2:54:43 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. 
OriginalFilename : svchost.exe #:7 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 864 ThreadCreationTime : 4-11-2007 2:54:43 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:8 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 996 ThreadCreationTime : 4-11-2007 2:54:44 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:9 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1112 ThreadCreationTime : 4-11-2007 2:54:48 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:10 [spoolsv.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1248 ThreadCreationTime : 4-11-2007 2:54:49 AM BasePriority : Normal FileVersion : 5.1.2600.0 (XPClient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolsv.exe LegalCopyright : © Microsoft Corporation. All rights reserved. 
OriginalFilename : spoolsv.exe #:11 [cdantsrv.exe] FilePath : C:\WINDOWS\System32\DRIVERS\ ProcessID : 1404 ThreadCreationTime : 4-11-2007 2:54:53 AM BasePriority : Normal FileVersion : 3.25.010 ProductVersion : 3.25.010 Windows NT 2002/01/07 ProductName : CD-Secure/CD-Compress Windows NT CompanyName : C-Dilla Ltd FileDescription : C-Dilla RTS Service InternalName : CDANTSRV LegalCopyright : Copyright © Macrovision 1993-2002 OriginalFilename : CDANTSRV.EXE Comments : StringFileInfo: U.S. English #:12 [inetinfo.exe] FilePath : C:\WINDOWS\System32\inetsrv\ ProcessID : 1436 ThreadCreationTime : 4-11-2007 2:54:53 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Internet Information Services CompanyName : Microsoft Corporation FileDescription : Internet Information Services InternalName : INETINFO.EXE LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : INETINFO.EXE #:13 [nvsvc32.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1468 ThreadCreationTime : 4-11-2007 2:54:53 AM BasePriority : Normal FileVersion : 6.13.10.3082 ProductVersion : 6.13.10.3082 ProductName : NVIDIA Driver Helper Service, Version 30.82 CompanyName : NVIDIA Corporation FileDescription : NVIDIA Driver Helper Service, Version 30.82 InternalName : NVSVC LegalCopyright : © NVIDIA Corporation. All rights reserved. OriginalFilename : nvsvc32.exe #:14 [tcpsvcs.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1508 ThreadCreationTime : 4-11-2007 2:54:53 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : TCP/IP Services Application InternalName : TCPSVCS.EXE LegalCopyright : © Microsoft Corporation. All rights reserved. 
OriginalFilename : TCPSVCS.EXE #:15 [snmp.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1524 ThreadCreationTime : 4-11-2007 2:54:53 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : SNMP Service InternalName : snmp.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : snmp.exe #:16 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1560 ThreadCreationTime : 4-11-2007 2:54:53 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:17 [explorer.exe] FilePath : C:\WINDOWS\ ProcessID : 540 ThreadCreationTime : 4-11-2007 2:55:13 AM BasePriority : High FileVersion : 6.00.2600.0000 (xpclient.010817-1148) ProductVersion : 6.00.2600.0000 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : EXPLORER.EXE Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll) Win32.Sality Object Recognized! 
Type : Process Data : wmdrtc32.dll Category : Malware Comment : Object : C:\WINDOWS\System32\ "C:\WINDOWS\Explorer.EXE"Process terminated successfully #:18 [ad-aware.exe] FilePath : C:\ADAWARE\Ad-Aware SE Personal\ ProcessID : 688 ThreadCreationTime : 4-11-2007 2:55:13 AM BasePriority : Normal FileVersion : 6.2.0.206 ProductVersion : VI.Second Edition ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll) Win32.Sality Object Recognized! Type : Process Data : wmdrtc32.dll Category : Malware Comment : Object : C:\WINDOWS\System32\ Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 2 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 2 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 2 Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 2 Deep scanning and examining files (C:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Win32.Sality Object Recognized! Type : File Data : temp.fr22C3 Category : Malware Comment : Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\ Win32.Sality Object Recognized! Type : File Data : temp.frA8D6 Category : Malware Comment : Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\ Win32.TrojanSpy.Goldun Object Recognized! 
Type : File
Data : A0376288.dll
Category : C:\ADAWARE\Ad-Aware SE Personal\lang\
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP515\

Win32.Sality Object Recognized!
Type : File
Data : A0376296.sys
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP515\

Win32.Sality Object Recognized!
Type : File
Data : A0376297.dll
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{074A976B-E603-4E1C-8513-113F3B2227E5}\RP515\

Win32.Sality Object Recognized!
Type : File
Data : rgoqmn.sys
Category : Malware
Comment :
Object : C:\WINDOWS\system32\drivers\

Win32.Sality Object Recognized!
Type : File
Data : wmdrtc32.dll
Category : Malware
Comment :
Object : C:\WINDOWS\system32\

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 9

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 9

10:08:19 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:58.937
Objects scanned:137676
Objects identified:7
Objects ignored:0
New critical objects:7
FZWG
Posted April 11, 2007

Let's get rid of what is in this Temp folder: C:\Documents and Settings\TresnaTan\Local Settings\Temp

Please launch Notepad, (Start > Run, type in: notepad)
Copy/paste the blue text below to it:

del /f /q "%windir%\temp\*.*"
rem del will not expand a wildcard inside a directory name, and the path must be quoted because of the spaces, so loop over the profiles instead
for /d %%u in ("C:\Documents and Settings\*") do del /f /q "%%u\Local Settings\Temp\*.*"

In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: clean.bat
Save as Type: All files
Click: Save
Exit out of Notepad.
Next, on the Desktop, double click on clean.bat

====

To remove the bogus driver and file:

1. Please download The Avenger by Swandog46 to your Desktop.
Click on Avenger.zip to open the file
Extract avenger.exe to the Desktop

2. Copy the blue text below by highlighting it and pressing (Ctrl+C):

Files to Delete
C:\WINDOWS\system32\wmdrtc32.dll

Drivers to delete
rgoqmn.sys

3. Now, start The Avenger program by clicking on its icon on the Desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which opens a new window titled "View/edit script"
Paste the blue text copied into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger automatically does the following:
It restarts the computer, and in cases where the code to execute contains Drivers to Unload, the Avenger actually restarts the system twice.
On reboot, it briefly opens a black command window on the Desktop, and this is normal.
After the restart, it creates and opens a log file with the results of Avenger's actions. This log file is located at C:\avenger.txt
The Avenger also backs up all the files, etc., it deletes, and zips them and moves the zip archives to C:\avenger\backup.zip

Please provide the content of C:\avenger.txt in your reply along with a new HJT log.
wirosari
Posted April 11, 2007

Dear advisor,
It seems that, even in Safe Mode, the file WMDRTC32.DLL is still active!
The log is like this:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\klanpsug

*******************

Script file located at: \??\C:\WINDOWS\bxnwioum.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\wmdrtc32.dll deleted successfully.
File Drivers to delete: not found!
Deletion of file Drivers to delete: failed!
Could not process line:
Drivers to delete:
Status: 0xc0000034

File C:\WINDOWS\system32\drivers\rgoqmn.sys deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
The HJT log is:

Logfile of HijackThis v1.99.1
Scan saved at 4:26:06 PM, on 4/11/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\ADAWARE\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
FZWG Posted April 11, 2007 (edited)

Looks as if this infection has an entry that hides, so please do the following:

Open HijackThis
Click on Open Misc Tools Section
Make sure that both boxes beside "Generate StartupList Log" are checked:
--List all minor sections(Full)
--List Empty Sections(Complete)
Click: Generate StartupList Log
Click Yes at the prompt. A text file opens.
Please provide the entire contents of the StartupList.

====

Also, please post another AdAware report.

====

Also, download SDFix and save it to the Desktop.
Right click the SDFix.zip folder
Select: Extract All to extract it to its own folder on the Desktop.

~~~~

Start the computer in Safe Mode:
-When the machine first starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~

Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.
Press any key to restart the PC.
When the PC restarts, SDFix will run again and complete the removal process. It then displays Finished.
Press any key to end the script and load the Desktop icons.
Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

~~~~

Please provide the StartupList, another AdAware report, and the contents of the SDFix Report.txt.

Edited April 11, 2007 by FZWG
wirosari Posted April 12, 2007 Dear fzwg, While scanning with the other tools, here is the HJT. With thanks for analyzing. StartupList report, 4/12/2007, 9:38:34 AM StartupList version: 1.52.2 Started from : C:\ADAWARE\HijackThis.EXE Detected: Windows XP (WinNT 5.01.2600) Detected: Internet Explorer v6.00 (6.00.2600.0000) * Using default options * Including empty and uninteresting sections * Showing rarely important sections ================================================== Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.exe C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winkcmol.exe C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe C:\ADAWARE\HijackThis.exe -------------------------------------------------- Listing of startup folders: Shell folders Startup: [C:\Documents and Settings\TresnaTan\Start Menu\Programs\Startup] OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe Shell folders AltStartup: *Folder not found* User shell folders Startup: *Folder not found* User shell folders AltStartup: *Folder not found* Shell folders Common Startup: [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe 
Gamma Loader.exe Shell folders Common AltStartup: *Folder not found* User shell folders Common Startup: *Folder not found* User shell folders Alternate Common Startup: *Folder not found* -------------------------------------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon] *Registry key not found* [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] *Registry value not found* [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon] *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SBRegRebootCleaner = C:\ADAWARE\CounterSpy\SBRC.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce *No values found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No values found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *No values found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries from 
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *No values found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\Run *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\Run *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx *Registry key not found* -------------------------------------------------- Autorun entries in Registry 
subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices *No subkeys found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- Autorun entries in Registry subkeys of: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run *Registry key not found* -------------------------------------------------- File association entry for .EXE: HKEY_CLASSES_ROOT\exefile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .COM: HKEY_CLASSES_ROOT\comfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .BAT: HKEY_CLASSES_ROOT\batfile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .PIF: HKEY_CLASSES_ROOT\piffile\shell\open\command (Default) = "%1" %* -------------------------------------------------- File association entry for .SCR: HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command (Default) = C:\WINDOWS\NOTEPAD.EXE "%1" -------------------------------------------------- File association entry for .HTA: HKEY_CLASSES_ROOT\htafile\shell\open\command (Default) = C:\WINDOWS\system32\mshta.exe "%1" %* -------------------------------------------------- File association entry for .TXT: HKEY_CLASSES_ROOT\txtfile\shell\open\command (Default) = %SystemRoot%\system32\NOTEPAD.EXE %1 -------------------------------------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] * StubPath = RunDLL32 
IEDKCS32.DLL,BrandIE4 SIGNUP [{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] * StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT [{5945c046-1e7d-11d1-bc44-00c04fd912be}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser [{6BF52A52-394A-11d3-B153-00C04F79FAA6}] * StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub [{7790769C-0471-11d2-AF11-00C04FA35D02}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [{89820200-ECBD-11cf-8B85-00AA005B4340}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = %SystemRoot%\system32\ie4uinit.exe [{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] * StubPath = rundll32 iesetup.dll,IEAccessUserInst -------------------------------------------------- Enumerating ICQ Agent Autostart apps: HKCU\Software\Mirabilis\ICQ\Agent\Apps *Registry key not found* -------------------------------------------------- Load/Run keys from C:\WINDOWS\WIN.INI: load=*INI section not found* run=*INI section not found* Load/Run keys from Registry: HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found* HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found* HKCU\..\Windows 
NT\CurrentVersion\WinLogon: run=*Registry value not found* HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found* HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found* HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found* HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found* HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs= -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=*Registry value not found* drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry value not found* HKLM\..\Policies: Shell=*Registry value not found* -------------------------------------------------- Checking for EXPLORER.EXE instances: C:\WINDOWS\Explorer.exe: PRESENT! C:\Explorer.exe: not present C:\WINDOWS\Explorer\Explorer.exe: not present C:\WINDOWS\System\Explorer.exe: not present C:\WINDOWS\System32\Explorer.exe: not present C:\WINDOWS\Command\Explorer.exe: not present C:\WINDOWS\Fonts\Explorer.exe: not present -------------------------------------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! 
(arrow overlay: yes) .js: not hidden .jse: not hidden -------------------------------------------------- Verifying REGEDIT.EXE integrity: - Regedit.exe found in C:\WINDOWS - .reg open command is normal (regedit.exe %1) - Company name OK: 'Microsoft Corporation' - Original filename OK: 'REGEDIT.EXE' - File description: 'Registry Editor' Registry check passed -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -------------------------------------------------- Enumerating Task Scheduler jobs: *No jobs found* -------------------------------------------------- Enumerating Download Program Files: [shockwave ActiveX Control] InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab [MsnMessengerSetupDownloadControl Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx CODEBASE = http://messenger.msn.com/download/MsnMesse...pDownloader.cab [instaFred] InProcServer32 = C:\WINDOWS\DOWNLO~1\InstFred.ocx CODEBASE = file://C:\Program Files\AutoCAD 2002\InstFred.ocx [shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash8b.ocx CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab [AcPreview Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\ACPREV~1.OCX CODEBASE = file://C:\Program Files\AutoCAD 2002\AcPreview.ocx -------------------------------------------------- Enumerating Winsock LSP files: NameSpace #1: C:\WINDOWS\System32\mswsock.dll NameSpace #2: C:\WINDOWS\System32\winrnr.dll NameSpace #3: C:\WINDOWS\System32\mswsock.dll NameSpace #4: C:\WINDOWS\System32\nwprovau.dll Protocol #1: C:\WINDOWS\system32\mswsock.dll Protocol #2: C:\WINDOWS\system32\mswsock.dll Protocol #3: C:\WINDOWS\system32\mswsock.dll Protocol #4: C:\WINDOWS\system32\rsvpsp.dll Protocol #5: 
C:\WINDOWS\system32\rsvpsp.dll Protocol #6: C:\WINDOWS\system32\mswsock.dll Protocol #7: C:\WINDOWS\system32\mswsock.dll Protocol #8: C:\WINDOWS\system32\mswsock.dll Protocol #9: C:\WINDOWS\system32\mswsock.dll Protocol #10: C:\WINDOWS\system32\mswsock.dll Protocol #11: C:\WINDOWS\system32\mswsock.dll Protocol #12: C:\WINDOWS\system32\mswsock.dll Protocol #13: C:\WINDOWS\system32\mswsock.dll Protocol #14: C:\WINDOWS\system32\mswsock.dll Protocol #15: C:\WINDOWS\system32\mswsock.dll Protocol #16: C:\WINDOWS\system32\mswsock.dll Protocol #17: C:\WINDOWS\system32\mswsock.dll Protocol #18: C:\WINDOWS\system32\mswsock.dll Protocol #19: C:\WINDOWS\system32\mswsock.dll -------------------------------------------------- Enumerating Windows NT/2000/XP services Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system) Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start) AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart) Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start) RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start) Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system) ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start) Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start) AVSync Manager: "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe" (autostart) Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) C-Dilla: \??\C:\WINDOWS\System32\drivers\CDANT.SYS (manual start) C-DillaSrv: C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE (autostart) CD-ROM Driver: System32\DRIVERS\cdrom.sys (system) Indexing Service: %SystemRoot%\system32\cisvc.exe 
(manual start) ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start) COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start) Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Disk Driver: System32\DRIVERS\disk.sys (system) Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start) dmboot: System32\drivers\dmboot.sys (disabled) Logical Disk Manager Driver: System32\drivers\dmio.sys (system) dmload: System32\drivers\dmload.sys (system) Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start) DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart) MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start) Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start) Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start) Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Event Log: %SystemRoot%\system32\services.exe (autostart) COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start) Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start) Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start) Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system) Game Port Enumerator: System32\DRIVERS\gameenum.sys (manual start) Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start) Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system) 
IIS Admin: C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart) IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start) IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start) IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start) IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start) IPSEC driver: System32\DRIVERS\ipsec.sys (system) IrDA Protocol: System32\DRIVERS\irda.sys (autostart) IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start) Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Microsoft Serial Infrared Driver: System32\DRIVERS\irsir.sys (manual start) PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system) Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system) Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start) Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Macromedia Licensing Service: "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe" (disabled) Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start) Mouse Class Driver: System32\DRIVERS\mouclass.sys (system) WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start) MRXSMB: System32\DRIVERS\mrxsmb.sys (system) Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start) Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start) Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start) Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start) Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start) Microsoft MPU-401 MIDI UART Driver: system32\drivers\msmpu401.sys 
(manual start) NaiFiltr: System32\DRIVERS\NaiFiltr.sys (manual start) NdisFileServices32: \??\C:\WINDOWS\System32\drivers\rgoqmn.sys (disabled) Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start) NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start) Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start) NetBIOS Interface: System32\DRIVERS\netbios.sys (system) NetBT: System32\DRIVERS\netbt.sys (system) Network DDE: %SystemRoot%\system32\netdde.exe (manual start) Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start) Net Logon: %SystemRoot%\System32\lsass.exe (autostart) Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start) Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start) nv: System32\DRIVERS\nv4_mini.sys (manual start) NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart) Client Service for NetWare: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start) IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start) NWLink IPX/SPX/NetBIOS Compatible Transport Protocol: System32\DRIVERS\nwlnkipx.sys (autostart) NWLink NetBIOS: System32\DRIVERS\nwlnknb.sys (autostart) NWLink SPX/SPXII Protocol: System32\DRIVERS\nwlnkspx.sys (autostart) NetWare Rdr: System32\DRIVERS\nwrdr.sys (manual start) Parallel port driver: System32\DRIVERS\parport.sys (manual start) PCI Bus Driver: System32\DRIVERS\pci.sys (system) PCIIde: System32\DRIVERS\pciide.sys (system) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart) WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start) Processor Driver: 
System32\DRIVERS\processr.sys (system) Protected Storage: %SystemRoot%\system32\lsass.exe (autostart) QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start) Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start) Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system) Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) WAN Miniport (IrDA): System32\DRIVERS\rasirda.sys (manual start) WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start) Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start) Direct Parallel: System32\DRIVERS\raspti.sys (manual start) Rdbss: System32\DRIVERS\rdbss.sys (system) RDPCDD: System32\DRIVERS\RDPCDD.sys (system) Terminal Server Device Redirector Driver: System32\DRIVERS\rdpdr.sys (manual start) Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start) Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system) Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled) Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart) Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start) Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start) Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Secdrv: System32\DRIVERS\secdrv.sys (manual start) Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Serenum Filter Driver: 
System32\DRIVERS\serenum.sys (manual start) Serial port driver: System32\DRIVERS\serial.sys (system) Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Simple TCP/IP Services: %SystemRoot%\System32\tcpsvcs.exe (autostart) SIS AGP Bus Filter: System32\DRIVERS\sisagp.sys (system) SiS PCI Fast Ethernet Adapter Driver: System32\DRIVERS\sisnic.sys (manual start) Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart) SNMP Service: %SystemRoot%\System32\snmp.exe (autostart) SNMP Trap Service: %SystemRoot%\System32\snmptrap.exe (manual start) Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start) Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) System Restore Filter Driver: \SystemRoot\System32\DRIVERS\sr.sys (disabled) System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Srv: System32\DRIVERS\srv.sys (manual start) SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart) Software Bus Driver: System32\DRIVERS\swenum.sys (manual start) Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start) MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{A7A4442A-5FF2-4273-9D3D-A8DF8D6AC966} (manual start) Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start) Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start) Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system) Terminal Device Driver: System32\DRIVERS\termdd.sys (system) Terminal Services: 
%SystemRoot%\System32\svchost.exe -k netsvcs (manual start) Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Telnet: C:\WINDOWS\System32\tlntsvr.exe (manual start) Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Microcode Update Driver: System32\DRIVERS\update.sys (manual start) Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start) Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start) USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start) Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start) Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start) USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start) USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start) VgaSave: \SystemRoot\System32\drivers\vga.sys (system) Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start) Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) World Wide Web Publishing: %SystemRoot%\System32\inetsrv\inetinfo.exe (autostart) Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start) Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start) WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Windows Management Instrumentation Driver Extensions: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start) WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start) Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled) Automatic Updates: 
%SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) -------------------------------------------------- Enumerating Windows NT logon/logoff scripts: *No scripts set to run* Windows NT checkdisk command: BootExecute = autocheck autochk * Windows NT 'Wininit.ini': PendingFileRenameOperations: *Registry value not found* -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll UPnPMonitor: C:\WINDOWS\System32\upnpui.dll -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *No values found* -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run *No values found* -------------------------------------------------- End of report, 30,791 bytes Report generated in 0.109 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only
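Added example, not a tool from this thread, from PC Pitstop or from HijackThis: a small Python script that reads a HijackThis or StartupList log as plain text and flags the things a helper scans for by eye in the logs above, namely executables running from a user's Temp folder (as the two winkcmol.exe and winfopvc.exe entries in the StartupList), O23 services with an unknown owner or a missing file, and O17 NameServer overrides to be confirmed. The sample lines are constructed from the logs posted in this thread.

```python
"""Triage helper for HijackThis and StartupList text logs.

Added example, not a tool from the thread, from PC Pitstop or from HijackThis.
It scans the log as plain text and flags the patterns a helper looks for by eye:
processes or autoruns launched from a user's Temp folder, O23 services with an
unknown owner or a missing file, and O17 NameServer overrides to be confirmed.
"""
import re

# Constructed sample built from lines posted in this thread (HJT log entries
# and the StartupList "Running processes" section).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcmol.exe
C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe
C:\\ADAWARE\\HijackThis.exe

O4 - HKLM\\..\\Run: [sBRegRebootCleaner] C:\\ADAWARE\\CounterSpy\\SBRC.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\\Program Files\\McAfee\\McAfee VirusScan\\Avsynmgr.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\\WINDOWS\\System32\\DRIVERS\\CDANTSRV.EXE
"""

# A path component named Temp or Tmp, in long or 8.3 form, e.g.
# C:\DOCUME~1\<user>\LOCALS~1\Temp\x.exe or C:\WINDOWS\Temp\x.exe.
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

# A HijackThis entry: section code (R0, O4, O23, ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")


def is_temp_path(path: str) -> bool:
    """True when the path points into a Temp folder."""
    return bool(TEMP_DIR_RE.search(path))


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (kind, line, reason) tuples for lines worth a second look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("----"):
            # StartupList section separator: the process list is over.
            in_processes = False
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            in_processes = False  # HJT entries follow the process list
            code, body = entry.groups()
            lowered = body.lower()
            if code == "O23" and ("unknown owner" in lowered or "(file missing)" in lowered):
                findings.append((code, line, "service with unknown owner or missing file"))
            elif code == "O17":
                findings.append((code, line, "DNS server override; confirm these are the expected resolvers"))
            elif code == "O4" and is_temp_path(body):
                findings.append((code, line, "autorun launched from a Temp folder"))
            continue
        if in_processes and is_temp_path(line):
            findings.append(("process", line, "executable running from a Temp folder"))
    return findings


if __name__ == "__main__":
    for kind, line, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; a clean entry such as the C-DillaSrv service produces no finding.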
FZWG
Posted April 12, 2007 (edited)

Did not see what I was looking for... This infection may have an entry that hides in system.ini

Please go to Start > Run, and type: System.ini
Click: OK
The System.ini file text is displayed. Please provide its contents in your reply.

Also, need the results of SDFix.

Edited April 12, 2007 by FZWG
wirosari Report post Posted April 12, 2007 Here is the AD AWARE log : Ad-Aware SE Build 1.05 Logfile Created on:Thursday, April 12, 2007 10:11:13 AM Created with Ad-Aware SE Personal, free for private use. Using definitions file:SE1R164 02.04.2007 »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» References detected during the scan: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» MRU List(TAC index:0):7 total references Other(TAC index:5):1 total references Win32.Sality(TAC index:10):9 total references Win32.TrojanProxy.Agent.dl(TAC index:7):1 total references Win32.TrojanSpy.Goldun(TAC index:10):6 total references »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Ad-Aware SE Settings =========================== Set : Search for negligible risk entries Set : Safe mode (always request confirmation) Set : Scan active processes Set : Scan registry Set : Deep-scan registry Set : Scan my IE Favorites for banned URLs Set : Scan within archives Set : Scan my Hosts file Extended Ad-Aware SE Settings =========================== Set : Unload recognized processes & modules during scan Set : Scan registry for all users instead of current user only Set : Always try to unload modules before deletion Set : During removal, unload Explorer and IE if necessary Set : Let Windows remove files in use at next reboot Set : Delete quarantined objects after restoring Set : Include basic Ad-Aware settings in log file Set : Include additional Ad-Aware settings in log file Set : Include reference summary in log file Set : Include alternate data stream details in log file Set : Play sound at scan completion if scan locates critical objects 4-12-2007 10:11:13 AM - Scan started. (Full System Scan) MRU List Object Recognized! Location: : C:\Documents and Settings\TresnaTan\recent Description : list of recently opened documents MRU List Object Recognized! 
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\search assistant\acmru Description : list of recent search terms used with the search assistant MRU List Object Recognized! Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru Description : list of recent programs opened MRU List Object Recognized! Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru Description : list of recently saved files, stored according to file extension MRU List Object Recognized! Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\recentdocs Description : list of recent documents opened MRU List Object Recognized! Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\microsoft\windows\currentversion\explorer\runmru Description : mru list for items opened in start | run MRU List Object Recognized! 
Location: : S-1-5-21-1547161642-764733703-839522115-1012\software\nico mak computing\winzip\filemenu Description : winzip recently used archives Listing running processes »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» #:1 [smss.exe] FilePath : \SystemRoot\System32\ ProcessID : 476 ThreadCreationTime : 4-12-2007 1:30:43 AM BasePriority : Normal #:2 [csrss.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 532 ThreadCreationTime : 4-12-2007 1:30:45 AM BasePriority : Normal #:3 [winlogon.exe] FilePath : \??\C:\WINDOWS\system32\ ProcessID : 560 ThreadCreationTime : 4-12-2007 1:30:48 AM BasePriority : High #:4 [services.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 608 ThreadCreationTime : 4-12-2007 1:30:48 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Services and Controller app InternalName : services.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : services.exe #:5 [lsass.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 620 ThreadCreationTime : 4-12-2007 1:30:48 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : LSA Shell (Export Version) InternalName : lsass.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : lsass.exe #:6 [svchost.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 792 ThreadCreationTime : 4-12-2007 1:30:49 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. 
OriginalFilename : svchost.exe #:7 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 860 ThreadCreationTime : 4-12-2007 1:30:49 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:8 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 992 ThreadCreationTime : 4-12-2007 1:30:49 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:9 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1040 ThreadCreationTime : 4-12-2007 1:30:50 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:10 [spoolsv.exe] FilePath : C:\WINDOWS\system32\ ProcessID : 1200 ThreadCreationTime : 4-12-2007 1:30:50 AM BasePriority : Normal FileVersion : 5.1.2600.0 (XPClient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Spooler SubSystem App InternalName : spoolsv.exe LegalCopyright : © Microsoft Corporation. All rights reserved. 
OriginalFilename : spoolsv.exe #:11 [cdantsrv.exe] FilePath : C:\WINDOWS\System32\DRIVERS\ ProcessID : 1420 ThreadCreationTime : 4-12-2007 1:30:54 AM BasePriority : Normal FileVersion : 3.25.010 ProductVersion : 3.25.010 Windows NT 2002/01/07 ProductName : CD-Secure/CD-Compress Windows NT CompanyName : C-Dilla Ltd FileDescription : C-Dilla RTS Service InternalName : CDANTSRV LegalCopyright : Copyright © Macrovision 1993-2002 OriginalFilename : CDANTSRV.EXE Comments : StringFileInfo: U.S. English #:12 [inetinfo.exe] FilePath : C:\WINDOWS\System32\inetsrv\ ProcessID : 1452 ThreadCreationTime : 4-12-2007 1:30:54 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Internet Information Services CompanyName : Microsoft Corporation FileDescription : Internet Information Services InternalName : INETINFO.EXE LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : INETINFO.EXE #:13 [nvsvc32.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1488 ThreadCreationTime : 4-12-2007 1:30:54 AM BasePriority : Normal FileVersion : 6.13.10.3082 ProductVersion : 6.13.10.3082 ProductName : NVIDIA Driver Helper Service, Version 30.82 CompanyName : NVIDIA Corporation FileDescription : NVIDIA Driver Helper Service, Version 30.82 InternalName : NVSVC LegalCopyright : © NVIDIA Corporation. All rights reserved. OriginalFilename : nvsvc32.exe #:14 [tcpsvcs.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1532 ThreadCreationTime : 4-12-2007 1:30:54 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : TCP/IP Services Application InternalName : TCPSVCS.EXE LegalCopyright : © Microsoft Corporation. All rights reserved. 
OriginalFilename : TCPSVCS.EXE #:15 [snmp.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1588 ThreadCreationTime : 4-12-2007 1:30:54 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : SNMP Service InternalName : snmp.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : snmp.exe #:16 [svchost.exe] FilePath : C:\WINDOWS\System32\ ProcessID : 1612 ThreadCreationTime : 4-12-2007 1:30:54 AM BasePriority : Normal FileVersion : 5.1.2600.0 (xpclient.010817-1148) ProductVersion : 5.1.2600.0 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Generic Host Process for Win32 Services InternalName : svchost.exe LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : svchost.exe #:17 [explorer.exe] FilePath : C:\WINDOWS\ ProcessID : 1852 ThreadCreationTime : 4-12-2007 2:36:55 AM BasePriority : Normal FileVersion : 6.00.2600.0000 (xpclient.010817-1148) ProductVersion : 6.00.2600.0000 ProductName : Microsoft® Windows® Operating System CompanyName : Microsoft Corporation FileDescription : Windows Explorer InternalName : explorer LegalCopyright : © Microsoft Corporation. All rights reserved. OriginalFilename : EXPLORER.EXE Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll) Win32.Sality Object Recognized! Type : Process Data : wmdrtc32.dll Category : Malware Comment : Object : C:\WINDOWS\System32\ Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll) Win32.TrojanSpy.Goldun Object Recognized! 
Type : Process Data : wmdconf32.dll Category : C:\ADAWARE\Ad-Aware SE Personal\lang\ Comment : Object : C:\WINDOWS\System32\ #:18 [acrotray.exe] FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\ ProcessID : 388 ThreadCreationTime : 4-12-2007 2:36:59 AM BasePriority : Normal FileVersion : 5, 0, 0, 0 ProductVersion : 5, 0, 0, 0 ProductName : AcroTray - Adobe Acrobat Distiller helper application. CompanyName : Adobe Systems Inc. FileDescription : AcroTray InternalName : AcroTray LegalCopyright : Copyright © 2001 OriginalFilename : AcroTray.exe Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll) Win32.Sality Object Recognized! Type : Process Data : wmdrtc32.dll Category : Malware Comment : Object : C:\WINDOWS\System32\ Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll) Win32.TrojanSpy.Goldun Object Recognized! Type : Process Data : wmdconf32.dll Category : C:\ADAWARE\Ad-Aware SE Personal\lang\ Comment : Object : C:\WINDOWS\System32\ "C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe"Process terminated successfully #:19 [soffice.exe] FilePath : C:\Program Files\OpenOffice.org 2.0\program\ ProcessID : 1760 ThreadCreationTime : 4-12-2007 2:37:01 AM BasePriority : Normal FileVersion : 1.09.9069 ProductVersion : 1.09.9069 CompanyName : OpenOffice.org FileDescription : OpenOffice.org 2.0 InternalName : SOFFICE LegalCopyright : Copyright © 2005 by Sun Microsystems, Inc. OriginalFilename : SOFFICE.EXE #:20 [soffice.bin] FilePath : C:\Program Files\OpenOffice.org 2.0\program\ ProcessID : 824 ThreadCreationTime : 4-12-2007 2:37:01 AM BasePriority : Normal FileVersion : 1.09.9069 ProductVersion : 1.09.9069 CompanyName : OpenOffice.org FileDescription : OpenOffice.org 2.0 InternalName : SOFFICE LegalCopyright : Copyright © 2005 by Sun Microsystems, Inc. OriginalFilename : SOFFICE.EXE Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll) Win32.Sality Object Recognized! 
Type : Process Data : wmdrtc32.dll Category : Malware Comment : Object : C:\WINDOWS\System32\ Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll) Win32.TrojanSpy.Goldun Object Recognized! Type : Process Data : wmdconf32.dll Category : C:\ADAWARE\Ad-Aware SE Personal\lang\ Comment : Object : C:\WINDOWS\System32\ #:21 [winfopvc.exe] FilePath : C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\ ProcessID : 172 ThreadCreationTime : 4-12-2007 2:37:34 AM BasePriority : Normal Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe) Win32.TrojanSpy.Goldun Object Recognized! Type : Process Data : winfopvc.exe Category : C:\ADAWARE\Ad-Aware SE Personal\lang\ Comment : Object : C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\ "C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe"Process terminated successfully "C:\DOCUME~1\TRESNA~1\LOCALS~1\Temp\winfopvc.exe"Process terminated successfully #:22 [ad-aware.exe] FilePath : C:\ADAWARE\Ad-Aware SE Personal\ ProcessID : 260 ThreadCreationTime : 4-12-2007 3:11:04 AM BasePriority : Normal FileVersion : 6.2.0.206 ProductVersion : VI.Second Edition ProductName : Lavasoft Ad-Aware SE CompanyName : Lavasoft Sweden FileDescription : Ad-Aware SE Core application InternalName : Ad-Aware.exe LegalCopyright : Copyright © Lavasoft Sweden OriginalFilename : Ad-Aware.exe Comments : All Rights Reserved Warning! Win32.Sality Object found in memory(C:\WINDOWS\System32\wmdrtc32.dll) Win32.Sality Object Recognized! Type : Process Data : wmdrtc32.dll Category : Malware Comment : Object : C:\WINDOWS\System32\ Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\System32\wmdconf32.dll) Win32.TrojanSpy.Goldun Object Recognized! 
Type : Process Data : wmdconf32.dll Category : C:\ADAWARE\Ad-Aware SE Personal\lang\ Comment : Object : C:\WINDOWS\System32\ Memory scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 1 Objects found so far: 16 Started registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Registry Scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 16 Started deep registry scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Deep registry scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 16 Started Tracking Cookie scan »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Tracking cookie scan result: »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» New critical objects: 0 Objects found so far: 16 Deep scanning and examining files (C:) »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» Object "wmdrtc32.dll" found in this archive. Win32.Sality Object Recognized! Type : File Data : backup-Wed 04.11.2007-16.22.54.68.zip Category : Malware Comment : Object "wmdrtc32.dll" found in this archive. Object : C:\avenger\ Object "rgoqmn.sys" found in this archive. Win32.Sality Object Recognized! Type : File Data : backup.zip Category : Malware Comment : Object "rgoqmn.sys" found in this archive. Object : C:\avenger\ Object "wmdrtc32.dll" found in this archive. Win32.Sality Object Recognized! Type : File Data : backup.zip Category : Malware Comment : Object "wmdrtc32.dll" found in this archive. Object : C:\avenger\ Win32.TrojanProxy.Agent.dl Object Recognized! Type : File Data : wincxrh.exe Category : Malware Comment : Object : C:\Documents and Settings\TresnaTan\Local Settings\Temp\ Win32.Sality Object Recognized! Type : File Data : rgoqmn.sys Category : Malware Comment : Object : C:\WINDOWS\system32\drivers\ Win32.TrojanSpy.Goldun Object Recognized! Type : File Data : wmdconf32.dll Category : C:\ADAWARE\Ad-Aware SE Personal\lang\ Comment : Object : C:\WINDOWS\system32\ Win32.Sality Object Recognized! 
Type : File
Data : wmdrtc32.dll
Category : Malware
Comment :
Object : C:\WINDOWS\system32\

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 23

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 23

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 24

10:17:52 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:06:39.266
Objects scanned:131018
Objects identified:9
Objects ignored:0
New critical objects:9
wirosari
Posted April 12, 2007

The SDFIX from SAFE MODE:

SDFix: Version 1.69
Run by TresnaTan - Thu 04/12/2007 @ 11:42:57.20
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\ADAWARE\SDFixNew

Safe Mode:
Checking Services:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...

ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcmol.exe"=""
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe:*:Enabled:ipsec"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Checking For Files with Hidden Attributes :

Add/Remove Programs List:

Ad-Aware SE Personal Adobe Acrobat 5.0 Adobe Photoshop 6.0 Adobe SVG Viewer 3.0 AutoCAD R14.0 Canon ScanGear Toolbox 3.0 ERUNT 1.1j HaxFix 4.39 HijackThis 1.99.1 HP DeskJet 1125C Printer HP LaserJet 1200 Uninstaller C-Dilla Licence Management System Macromedia FreeHand 9 Macromedia Shockwave Player MSN Toolbar Nero OEM Nero Suite NVIDIA Windows 2000/XP Display Drivers QuickTime Rhinoceros 2.0 Rootkit Unhooker Uninstall Spyware Doctor 5.0 Volo View Express Winamp3 (remove only) WinZip Macromedia Dreamweaver MX 2004 Adobe Illustrator 10 eDrawings 2004 SP04.1 SolidWorks 2004 Viewer Easy CD Creator 5 Basic Network Utility OpenOffice.org 2.0 3ds max 5 Microsoft Office XP Professional with FrontPage Macromedia Extension Manager Adobe Creative Suite McAfee VirusScan Professional Edition

Finished
wirosari
Posted April 12, 2007

Dear FZWG,

The SYSTEM.INI contents:

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
FileSysChange=off
[MCIDRV_VER]
DEVICEN1=95215658363
__h=10
__dr=12
[iDslow]
IDVer32666=988281
IDMCI32=23846878ABA233
[iDslow32]
MDCDID32=991140
wirosari
Posted April 12, 2007 (edited)

Dear FZWG,

The SPYWARE DOCTOR Free Version - scan only. The result is:

1. email-worm.Warez OV! sd5
C:\doc&set\tresnatan\local setting\temp\temp.fr99A9
C:\win\sys32\WMDRTC32.dll
2. Trojan-spy.goldun! sd5
C:\doc&set\tresnatan\local setting\temp\temp.fr9C34
3. Trojan - PWS- Tanspy
H_K_L_M\Software\Microsoft\Windows\CurVer\Control P...\LOAD

This info may be useful for analyzing. Many thanks for the help.

Edited April 12, 2007 by wirosari
wirosari
Posted April 12, 2007

Dear FZWG,

After that, the rootkit is still crashing my SAFE MODE. (I have to use the AVZ RESTORE Safe Mode.) Then SDFIX displayed as below. HJT 99 is also logged below. And now the installed SPYWARE DOCTOR Free Version displays a popup: SOFFICE.BIN attempts to access a file C:\windows\system32\wmdrtc32.dll Email-worm.warezOV! sd5

Many thanks sir!

===============

SDFix: Version 1.69
Run by TresnaTan - Thu 04/12/2007 @ 17:54:20.00
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\ADAWARE\SDFixNew

Safe Mode:
Checking Services:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...

ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcmol.exe"=""
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winfopvc.exe:*:Enabled:ipsec"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winjfamv.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winjfamv.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winsujeew.exe"=""
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcbvya.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcbvya.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winwddb.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winwddb.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winppmogd.exe"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Checking For Files with Hidden Attributes :

Add/Remove Programs List:

Ad-Aware SE Personal Adobe Acrobat 5.0 Adobe Photoshop 6.0 Adobe SVG Viewer 3.0 AutoCAD R14.0 Canon ScanGear Toolbox 3.0 ERUNT 1.1j HaxFix 4.39 HijackThis 1.99.1 HP DeskJet 1125C Printer HP LaserJet 1200 Uninstaller C-Dilla Licence Management System Macromedia FreeHand 9 Macromedia Shockwave Player MSN Toolbar Nero OEM Nero Suite NVIDIA Windows 2000/XP Display Drivers QuickTime Rhinoceros 2.0 Rootkit Unhooker Uninstall Spyware Doctor 5.0 Volo View Express Winamp3 (remove only) WinZip Macromedia Dreamweaver MX 2004 Adobe Illustrator 10 eDrawings 2004 SP04.1 SolidWorks 2004 Viewer Easy CD Creator 5 Basic Network Utility OpenOffice.org 2.0 3ds max 5 Microsoft Office XP Professional with FrontPage Macromedia Extension Manager Adobe Creative Suite McAfee VirusScan Professional Edition

Finished

HJT 99 logged after SDFIX restarting the PC:

Logfile of HijackThis v1.99.1
Scan saved at 6:14:19 PM, on 4/12/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\ADAWARE\Spyware Doctor\svcntaux.exe
C:\ADAWARE\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\ADAWARE\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\ADAWARE\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [sBRegRebootCleaner] C:\ADAWARE\CounterSpy\SBRC.exe
O4 - HKLM\..\Run: [sDTray] "C:\ADAWARE\Spyware Doctor\SDTrayApp.exe"
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E50FF651-161B-40E5-A27A-BEE26DCA64DA}: NameServer = 10.1.1.11,10.1.1.12
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\ADAWARE\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\ADAWARE\Spyware Doctor\swdsvc.exe
FZWG
Posted April 12, 2007 (edited)

Well, here is a sign of Sality:
[MCIDRV_VER]
DEVICEN1=95215658363

Then, there is Troj/Spmbot-B:
[iDslow]
IDVer32666=988281

And whatever these are, maybe the same Spmbot-B:
IDMCI32=23846878ABA233
[iDslow32]
MDCDID32=991140

Editing system.ini is an option, but if the infection is active, there may be serious results...

====

If this 'thing' is residing in memory, it may have the capability to disable any virus or spyware protection. So let's go with online-scanners. However, boot to Safe Mode with Networking to download and use the scans:

Panda ActiveScan: http://www.pandasoftware.com/products/ActiveScan.htm
BitDefender Online Scanner: http://www.bitdefender.com/

Please post the results for both online scans.

====

Also download Clean.zip to the Desktop: http://www.malekal.com/download/clean.zip
Right click and Extract.
In the Clean folder created, click on clean.cmd
When the command window (black screen) opens, select Option 1, and press: Enter
Allow the scan to complete, press any key, and post the contents of the Clean text in your reply.

====

Next, download RustBFix by ejvindh: http://www.uploads.ejvindh.net/rustbfix.exe
Save it to the Desktop.
Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you are asked to reboot the computer. The reboot will probably take a while, and perhaps 2 reboots are needed, but this happens automatically.
After the reboot(s) 2 log files open: Avenger.txt and a Pelog.txt
Please post both log files in your reply.

====

Also, click here to download AVG Anti Rootkit and save it to the Desktop.
Double-click on the AVG_AntiRootkit_1.0.0.13.exe file to run it.
Click "I Agree" to agree to the EULA.
By default it will install to "G:\Program Files\GRISOFT\AVG Anti-Rootkit Beta".
Click "Next" to begin the installation then click "Install".
It will then ask you to reboot now to finish the installation. Click "Finish" and your computer will reboot.
After it reboots, double-click on the AVG Anti-Rootkit Beta shortcut that is now on the Desktop.
Click on the "Perform in-depth search" button to begin the scan.
The scan will take a while so be patient and let it complete.
When the scan is finished, click the "Save result to file" button.
Save the scan results to the Desktop, and provide the AVG_AntiRootkit results in your reply.

====

One last item, can you install a software Firewall? Some good free choices are:
ZoneAlarm: http://www.zonelabs.com/store/content/cata...lid=dbtopnav_za
Sunbelt Kerio: http://www.sunbelt-software.com/Kerio.cfm
OutPost: http://www.agnitum.com/products/outpostfree/download.php

In summary, need the following in your reply:
The Panda ActiveScan results
The BitDefender results
The contents of the Clean report
The RustBFix Avenger.txt and a Pelog.txt
The AVG_AntiRootkit results

Edited April 12, 2007 by FZWG
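Two artefacts in this thread carry most of the diagnostic signal: the "Authorized Application Key Export" in the SDFix logs, where executables in the user's Temp directory have been added as Windows Firewall exceptions, and the system.ini sections FZWG identifies above as Sality and Spmbot-B markers. The Python script below is an added example for this page, not code from SDFix, Ad-Aware or any other tool mentioned; it parses both artefacts from text (the sample inputs are constructed from the shapes and values posted in the thread) and reports the entries a responder would want to look at. It assumes that sessmgr.exe is the only AuthorizedApplications entry a stock XP SP2 profile contains, so everything else is reported as non-default, and it treats only the section/key pairs FZWG names as markers.

```python
"""Triage helpers for two artefacts posted in this thread: an SDFix-style
firewall AuthorizedApplications export and the contents of system.ini.
Added example for this page, not code from SDFix, Ad-Aware or any tool above.
"""
import re

# Constructed sample modelled on the AuthorizedApplications export in the
# SDFix log above (key path and values taken from the thread).
SAMPLE_FIREWALL_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe"="C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\wincxrh.exe:*:Enabled:ipsec"
"C:\\DOCUME~1\\TRESNA~1\\LOCALS~1\\Temp\\winkcmol.exe"=""
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:ipsec"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

# Constructed sample cut down from the system.ini wirosari posted.
SAMPLE_SYSTEM_INI = '''; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[386enh]
woafont=dosapp.FON
[MCIDRV_VER]
DEVICEN1=95215658363
[iDslow]
IDVer32666=988281
'''

# Section/key pairs FZWG points to above: [MCIDRV_VER] DEVICEN1 as a Sality
# sign, [iDslow] IDVer32666 as Troj/Spmbot-B.
INI_MARKERS = {'MCIDRV_VER': {'DEVICEN1'}, 'iDslow': {'IDVer32666'}}

# Per-user Temp directory, in both 8.3 and long form.
USER_TEMP_RE = re.compile(r'\\(LOCALS~1|Local Settings)\\Temp\\', re.IGNORECASE)
# Assumption: the only exception a stock XP SP2 profile ships with.
DEFAULT_EXCEPTIONS = {r'%windir%\system32\sessmgr.exe'}

# One .reg value line: "name"="data", with backslash escapes inside quotes.
REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return s.replace('\\\\', '\\')


def parse_reg_export(text):
    """Parse a .reg-style export into {key_path: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = REG_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def suspicious_firewall_exceptions(export_text):
    """Return (profile, program, reason) for every authorized application that
    is not a known default; programs under a user Temp directory are called out
    specifically, the rest are reported for review."""
    defaults = {d.lower() for d in DEFAULT_EXCEPTIONS}
    findings = []
    for key, values in parse_reg_export(export_text).items():
        if not key.endswith(r'\AuthorizedApplications\List'):
            continue
        profile = key.split('\\FirewallPolicy\\')[1].split('\\')[0]
        for program in values:
            if program.lower() in defaults:
                continue
            if USER_TEMP_RE.search(program):
                reason = 'executable authorized from a per-user Temp directory'
            else:
                reason = 'non-default firewall exception'
            findings.append((profile, program, reason))
    return findings


def ini_marker_hits(ini_text):
    """Return (section, key, value) for marker keys present in system.ini."""
    hits, section = [], None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1]
            continue
        key, sep, value = line.partition('=')
        if sep and section in INI_MARKERS and key.strip() in INI_MARKERS[section]:
            hits.append((section, key.strip(), value.strip()))
    return hits


if __name__ == '__main__':
    for f in suspicious_firewall_exceptions(SAMPLE_FIREWALL_EXPORT):
        print('FIREWALL', *f)
    for h in ini_marker_hits(SAMPLE_SYSTEM_INI):
        print('SYSTEM.INI', *h)
```

Run against the SDFix export above it lists the two Temp-directory executables and the Explorer.EXE exception in the StandardProfile and nothing in the DomainProfile; the system.ini check reports the DEVICEN1 and IDVer32666 values FZWG quotes. On a live machine the same export can be produced with `reg export` of the two key paths, and the script reads that file unchanged.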
wirosari, Posted April 13, 2007 (edited)

Dear FZWG,

This Panda online scan was run under Safe Mode with Networking. It seems SALITY infected ALL the .exe files. The log even exceeded the 102400 characters allowed.

These files were not disinfected:

Potentially unwanted tool:Application/Processor  Not disinfected  C:\ADAWARE\SDFix\apps\Process.exe

These files are other viruses:

Virus:Trj/Shutdown.Z  Disinfected  C:\ADAWARE\VirTools\SmitfraudFix.zip[smitfraudFix/restart.exe]
Virus:Trj/Goldun.OF  Disinfected  C:\Documents and Settings\TresnaTan\Local Settings\Temp\temp.fr9C34

Edited PANDA LOG - everything found is Virus:W32/Sality.Y

Status  Location
Disinfected  C:\3dsmax5\3dsmax.exe
Disinfected  C:\3dsmax5\adlmswitch.exe
Disinfected  C:\3dsmax5\backburner2\backburnercfg.exe
Disinfected  C:\3dsmax5\backburner2\manager.exe
Disinfected  C:\3dsmax5\backburner2\managersvc.exe
Disinfected  C:\3dsmax5\backburner2\monitor.exe
Disinfected  C:\3dsmax5\backburner2\server.exe
Disinfected  C:\3dsmax5\backburner2\serversvc.exe
Disinfected  C:\3dsmax5\MaxFind.exe
Disinfected  C:\3dsmax5\maxunzip.exe
Disinfected  C:\3dsmax5\maxzip.exe
Disinfected  C:\3dsmax5\PMAN32.EXE
Disinfected  C:\3dsmax5\swl\CdRemove.exe
Disinfected  C:\3dsmax5\swl\CdSet32.exe
Disinfected  C:\ADAWARE\Ad-Aware SE Personal\Ad-Aware.exe
Disinfected  C:\ADAWARE\Ad-Aware SE Personal\unregaaw.exe
Disinfected  C:\ADAWARE\Ad-Aware SE Personal\UNWISE.EXE
Disinfected  C:\ADAWARE\AVZ_GeektoGo\avz.exe
Disinfected  C:\ADAWARE\Cleanup.exe
Disinfected  C:\ADAWARE\ERUNT\4-11-2007\ERDNT.EXE
Disinfected  C:\ADAWARE\ERUNT\AUTOBACK.EXE
Disinfected  C:\ADAWARE\ERUNT\ERUNT.EXE
Disinfected  C:\ADAWARE\ERUNT\NTREGOPT.EXE
Disinfected  C:\ADAWARE\fixwareout\FindT\dumphive.exe
Disinfected  C:\ADAWARE\fixwareout\FindT\nircmd.exe
Potentially unwanted tool:Application/NirCmd.A  Not disinfected  C:\ADAWARE\fixwareout\FindT\nircmd.exe
Disinfected  C:\ADAWARE\fixwareout\FindT\RestartIt.exe
Disinfected  C:\ADAWARE\fixwareout\FindT\swreg.exe
Disinfected  C:\ADAWARE\fixwareout\FindT\vfind.exe
Disinfected  C:\ADAWARE\HijackThis.exe
Disinfected  C:\ADAWARE\HijackThis888.exe
Disinfected  C:\ADAWARE\HP1125\win98usb\U2PCMh01.exe
Disinfected  C:\ADAWARE\HP1125\win98usb\uninst.exe
Disinfected  C:\ADAWARE\RkUnhooker\p3W40Wclw38302xYkiJ8gMU.exe
Disinfected  C:\ADAWARE\RkUnhooker\uninstall.exe
Disinfected  C:\ADAWARE\SDFix\apps\cliptext.exe
Disinfected  C:\ADAWARE\SDFix\apps\download.exe
Disinfected  C:\ADAWARE\SDFix\apps\LS.exe
Disinfected  C:\ADAWARE\SDFix\apps\MoveEx.exe
Disinfected  C:\ADAWARE\SDFix\apps\Process.exe
Potentially unwanted tool:Application/Processor  Not disinfected  C:\ADAWARE\SDFix\apps\Process.exe
Disinfected  C:\ADAWARE\SDFix\apps\RegDACL.exe
Disinfected  C:\ADAWARE\SDFix\apps\Replace\W2K.exe
Disinfected  C:\ADAWARE\SDFix\apps\Replace\XP.exe
Disinfected  C:\ADAWARE\SDFix\apps\RestartIt!.exe
Disinfected  C:\ADAWARE\SDFix\apps\sc.exe
Disinfected  C:\ADAWARE\SDFix\apps\SF.exe
Disinfected  C:\ADAWARE\SDFix\apps\sha160.exe
Disinfected  C:\ADAWARE\SDFix\apps\swreg.exe
Virus:W32/Sality.Y  Disinfected  C:\ADAWARE\SDFix\apps\swsc.exe
Disinfected  C:\ADAWARE\SDFix\apps\unzip.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\cliptext.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\download.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\LS.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\MoveEx.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\Process.exe
Potentially unwanted tool:Application/Processor  Not disinfected  C:\ADAWARE\SDFixNew\apps\Process.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\RegDACL.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\Replace\W2K.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\Replace\XP.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\RestartIt!.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\sc.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\SF.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\sha160.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\swreg.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\swsc.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\unzip.exe
Disinfected  C:\ADAWARE\SDFixNew\apps\zip.exe
Disinfected  C:\ADAWARE\sting260.exe
Disinfected  C:\ADAWARE\Tools_Registry\avenger.exe
Disinfected  C:\ADAWARE\Tools_Registry\KillBox_NEW.exe
Disinfected  C:\ADAWARE\VirTools\ATF-CleanerIDEM.exe
Disinfected  C:\ADAWARE\VirTools\avenger.exe
Disinfected  C:\ADAWARE\VirTools\ComboFix_JANGANPAKAI.exe
Disinfected  C:\ADAWARE\VirTools\Copy (2) of ATF-CleanerIDEM.exe
Disinfected  C:\ADAWARE\VirTools\Copy (3) of ATF-CleanerIDEM.exe
Disinfected  C:\ADAWARE\VirTools\Copy of ATF-CleanerIDEM.exe
Disinfected  C:\ADAWARE\VirTools\GMER_ROOTKIT_SCANNER_catchme.exe
Disinfected  C:\ADAWARE\VirTools\KillBox.exe
Disinfected  C:\ADAWARE\VirTools\LSPFix.exe
Disinfected  C:\ADAWARE\VirTools\PrevxFixGrom.exe
Potentially unwanted tool:Application/Processor  Not disinfected  C:\ADAWARE\VirTools\SDFix.exe[sDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor  Not disinfected  C:\ADAWARE\VirTools\SDFix_NEW.zip[sDFix.exe][sDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor  Not disinfected  C:\ADAWARE\VirTools\SDFix_OLD.exe[sDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor  Not disinfected  C:\ADAWARE\VirTools\SmitfraudFix.zip[smitfraudFix/Process.exe]
Virus:Trj/Shutdown.Z  Disinfected  C:\ADAWARE\VirTools\SmitfraudFix.zip[smitfraudFix/restart.exe]
Disinfected  C:\ADAWARE\VirTools\TrendMicro_RootkitBuster.exe
Disinfected  C:\ADAWARE\VirTools\VundoFix.exe
Disinfected  C:\C_DILLA\setup\cdremove.exe
Disinfected  C:\Documents and Settings\All Users\Documents\FTP\ws_ftple.exe
Disinfected  C:\Documents and Settings\TresnaTan\Desktop\converter.exe
Disinfected  C:\Documents and Settings\TresnaTan\Desktop\s-t-i-n-g-e-r.exe
Disinfected  C:\Documents and Settings\TresnaTan\Local Settings\Temp\temp.fr99A9
Virus:Trj/Goldun.OF  Disinfected  C:\Documents and Settings\TresnaTan\Local Settings\Temp\temp.fr9C34
Virus:W32/Sality.X.drp  Disinfected  C:\Documents and Settings\TresnaTan\Local Settings\Temp\temp.frEB59
Disinfected  C:\Documents and Settings\TresnaTan\Local Settings\Temp\winbxktxg.exe
Disinfected  C:\Documents and Settings\TresnaTan\Local Settings\Temp\winkcmol.exe
Disinfected  C:\Documents and Settings\TresnaTan\Local Settings\Temp\winppmogd.exe
Disinfected  C:\Documents and Settings\TresnaTan\Local Settings\Temp\winsujeew.exe
Disinfected  C:\Documents and Settings\TresnaTan\Local Settings\Temp\winvdprjm.exe
Disinfected  C:\Documents and Settings\TresnaTan\OpenOfficeInstall\OpenOffice.org 2.0 Installation Files\setup.exe
Disinfected  C:\ERUNT\4-11-2007\ERDNT.EXE
Disinfected  C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
Disinfected  C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Scandisc.exe
Disinfected  C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\udfrchk.exe
Disinfected  C:\Program Files\Adaptec\Easy CD Creator 5\Easy CD Creator\CDCopier.exe
Disinfected  C:\Program Files\Adaptec\Easy CD Creator 5\Easy CD Creator\Creatr50.exe
Disinfected  C:\Program Files\Adobe\Acrobat 5.0\Acrobat\Acrobat.exe
Disinfected  C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrodist.exe
Disinfected  C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe
Virus:W32/Sality.Y  Disinfected  C:\Program Files\Adobe\Adobe Illustrator CS\Support Files\Contents\Windows\Illustrator.exe
Disinfected  C:\Program Files\Adobe\Illustrator 10\Support Files\Contents\Windows\Illustrator.exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\ImageReady.exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Required\Droplet Template.exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Constrain 350, Make JPG 30.exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Constrain to 200x200 pixels.exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Constrain to 64X64 pixels.exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make Button.exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make GIF (128 colors).exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make GIF (32, no dither).exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make GIF (64 colors).exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make JPEG (quality 10).exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make JPEG (quality 30).exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Make JPEG (quality 60).exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Multi-Size Save.exe
Disinfected  C:\Program Files\Adobe\Photoshop 6.0\Samples\Droplets\ImageReady Droplets\Unsharp Mask.exe
Disinfected  C:\Program Files\AutoCAD R14\acad.exe
Disinfected  C:\Program Files\AutoCAD R14\SAMPLE\ACTIVEX\Facility\Facility.Exe
Disinfected  C:\Program Files\AutoCAD R14\SAMPLE\ACTIVEX\TimeLog\TimeLog.exe
Disinfected  C:\Program Files\AutoCAD R14\SUPPORT\EBATCHP\ebatchp.exe
Disinfected  C:\Program Files\AutoCAD R14\SUPPORT\EBATCHP\ebph.exe
Disinfected  C:\Program Files\AutoCAD R14\SUPPORT\l_acla.exe
Disinfected  C:\Program Files\Canon\ScanGear Toolbox Ver3\CHREG.EXE
Disinfected  C:\Program Files\Canon\ScanGear Toolbox Ver3\SGTBox.exe
Disinfected  C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
Disinfected  C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Disinfected  C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe
Disinfected  C:\Program Files\Common Files\Adobe\Web\AOM.exe
Virus:W32/Sality.Y  Disinfected  C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
Disinfected  C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32\knlwrap.exe
Disinfected  C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
Disinfected  C:\Program Files\Common Files\Microsoft Shared\MSInfo\OFFPRV10.EXE
Disinfected  C:\Program Files\Common Files\Microsoft Shared\MSSearch\Bin\SrchAdmStp.exe
Disinfected  C:\Program Files\Common Files\Microsoft Shared\Office10\MSOICONS.EXE
Disinfected  C:\Program Files\Common Files\Microsoft Shared\PhotoEd\PHOTOED.EXE
Disinfected  C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\fpsrvadm.exe
Disinfected  C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\fpcount.exe
Disinfected  C:\Program Files\Common Files\Nero\Uninstall\setup.exe
Disinfected  C:\Program Files\Common Files\Network Associates\Alert Manager\amgrcnfg.exe
Disinfected  C:\Program Files\Common Files\Network Associates\Alert Manager\VirNotfy.exe
Disinfected  C:\Program Files\Common Files\Network Associates\LWI\lwi.exe
Disinfected  C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
Disinfected  C:\Program Files\Common Files\SolidWorks Shared\eDrawings\EModelViewer.exe
Disinfected  C:\Program Files\Fuji Xerox\Network Utility\Fxnetutl.exe
Disinfected  C:\Program Files\GNUGS\GSWIN32C.EXE
Disinfected  C:\Program Files\HaxFix\moveex.exe
Disinfected  C:\Program Files\HaxFix\Process.exe
Potentially unwanted tool:Application/Processor  Not disinfected  C:\Program Files\HaxFix\Process.exe
Disinfected  C:\Program Files\HaxFix\RegDACL.exe
Disinfected  C:\Program Files\HaxFix\swsc.exe
Disinfected  C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppsoftconfigpage.exe
Disinfected  C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\1200\EnvSetup.exe
Disinfected  C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\1200\setup.exe
Disinfected  C:\Program Files\Hewlett-Packard\LaserJet All-in-one\Uninstall\1200\_isdel.exe
Disinfected  C:\Program Files\Hewlett-Packard\LaserJet All-in-one\WebReg\webreg.exe
Disinfected  C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe
Disinfected  C:\Program Files\InstallShield Installation Information\{412033BC-44CF-48D9-B813-4B835101F4D3}\Setup.exe
Disinfected  C:\Program Files\InstallShield Installation Information\{606D713C-B60C-11D6-A47A-00B0D03E4223}\Setup.exe
Disinfected  C:\Program Files\InstallShield Installation Information\{70B7022C-74ED-11D4-8AB9-00C04F872469}\Setup.exe
Disinfected  C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\Setup.exe
Disinfected  C:\Program Files\InstallShield Installation Information\{D52ECEBC-9B20-41A5-81C4-A62DE2367419}\setup.exe
Virus:W32/Sality.Y  Disinfected  C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
Disinfected  C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\java.exe
Disinfected  C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\javac.exe
Disinfected  C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\javaw.exe
Disinfected  C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\keytool.exe
Disinfected  C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\policytool.exe
Disinfected  C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\rmid.exe
Disinfected  C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\rmiregistry.exe
Disinfected  C:\Program Files\Macromedia\Dreamweaver MX 2004\JVM\bin\tnameserv.exe
Disinfected  C:\Program Files\Macromedia\Extension Manager\Extension Manager.exe
Disinfected  C:\Program Files\Macromedia\Extension Manager\Replace.exe
Disinfected  C:\Program Files\Macromedia\FreeHand 9\Flash 4 Player.exe
Disinfected  C:\Program Files\Macromedia\FreeHand 9\FreeHand 9 Clipart Viewer.exe
Disinfected  C:\Program Files\Macromedia\FreeHand 9\FreeHand 9.exe
Disinfected  C:\Program Files\McAfee\McAfee Shared Components\Central\CLaunch.exe
Disinfected  C:\Program Files\McAfee\McAfee Shared Components\QuickClean Lite\QClean.exe
Disinfected  C:\Program Files\McAfee\McAfee Shared Components\Shredder\shred32.exe
Disinfected  C:\Program Files\McAfee\McAfee VirusScan\BrowseVS.exe
Disinfected  C:\Program Files\McAfee\McAfee VirusScan\config32.exe
Disinfected  C:\Program Files\McAfee\McAfee VirusScan\EDisk.exe
Disinfected  C:\Program Files\McAfee\McAfee VirusScan\SendVir.exe
Disinfected  C:\Program Files\McAfee\McAfee VirusScan\VsMain.exe
Disinfected  C:\Program Files\McAfee\VirusScan Wireless\McEPOC.exe
Disinfected  C:\Program Files\McAfee\VirusScan Wireless\McEPOCfg.exe
Disinfected  C:\Program Files\McAfee\VirusScan Wireless\McPalmCfg.EXE
Virus:W32/Sality.Y  Disinfected  C:\Program Files\McAfee\VirusScan Wireless\McWCE.exe
Virus:W32/Sality.Y  Disinfected  C:\Program Files\McAfee\VirusScan Wireless\McWCECfg.exe

Edited April 13, 2007 by wirosari
FZWG, Posted April 13, 2007

I am assuming you only posted part of the report, but that is OK. You are dealing with the Sality virus, which can infect legit executables in your system. The damage it causes is extensive: http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=52797

Legit and necessary executables cannot be deleted like malware files. The executables need to be disinfected. However, it may happen that after the exe's are disinfected, some programs may no longer work. If you wish to do a format and install a clean Operating System and the programs you use, it is a good idea. However, you can also press on and run another online scan with Kaspersky, and provide its results. It has a good track record for this infection, and may pick up anything left over. The log produced should not be as large. The following is a link to several online scanners, including Kaspersky: http://dir.yahoo.com/Computers_and_Interne...Virus_Scanners/

Also, please provide the contents of system.ini once again. I need to know if the disinfection had any effect on it.
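The point FZWG makes above is that a file infector rewrites legitimate executables instead of dropping separate files, so the question for each .exe is whether its PE header still looks the way the linker left it. What follows is an added example, not code from this thread or from any of the scanners it mentions: a small Python header triage for Windows PE executables that reports the generic marks an appending file infector tends to leave (entry point moved into an appended last section, an entry section that is both writable and executable, an unusually named entry section, data appended past the last section). The offsets follow the documented PE/COFF layout; the "suspicious" rules, the list of usual section names, and the two in-memory sample images are illustrative assumptions, constructed here so the code runs offline. A hit is a reason to re-check that file with a full scanner or restore it from installation media, not proof of infection, and a clean result does not rule out an infector that patches inside an existing section.

```python
# Added example, not code from the thread or from any scanner it names:
# header-level triage of a Windows PE executable for the generic marks a
# file infector leaves. Offsets follow the documented PE/COFF layout; the
# "suspicious" rules and the two sample images are illustrative assumptions.
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"                         # IMAGE_SECTION_HEADER, 40 bytes
USUAL_CODE_SECTIONS = {".text", "CODE", ".code"}     # assumption: typical linker names


def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section dicts) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                               # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                   # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "vsize": f[1], "va": f[2], "rawsize": f[3],
                         "rawptr": f[4], "chars": f[9]})
    return entry, sections


def triage(data):
    """List the generic file-infector indicators present in a PE image."""
    entry, sections = parse_pe(data)
    ep_sec = next((s for s in sections
                   if s["va"] <= entry < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        return ["entry point 0x%x lies outside every section" % entry]
    findings = []
    if len(sections) > 1 and ep_sec is sections[-1]:
        findings.append("entry point is in the last section (%s)" % ep_sec["name"])
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    if ep_sec["chars"] & wx == wx:
        findings.append("entry section %s is writable and executable" % ep_sec["name"])
    if ep_sec["name"] not in USUAL_CODE_SECTIONS:
        findings.append("entry section has unusual name %r" % ep_sec["name"])
    end_of_sections = max(s["rawptr"] + s["rawsize"] for s in sections)
    if len(data) > end_of_sections:
        findings.append("%d bytes of overlay data after the last section"
                        % (len(data) - end_of_sections))
    return findings


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe32(sections, entry_rva, overlay=b""):
    """Constructed minimal PE32 image; sections = [(name, rva, size, characteristics)]."""
    falign, e_lfanew, opt_size = 0x200, 0x40, 224
    hdr_len = _align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), falign)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, falign)  # ImageBase, alignments
    hdrs, body, rawptr = b"", b"", hdr_len
    for name, rva, size, chars in sections:
        rawsize = _align(size, falign)
        hdrs += struct.pack(SECTION_HDR, name, size, rva, rawsize, rawptr, 0, 0, 0, 0, chars)
        body += (b"\xCC" * size).ljust(rawsize, b"\0")
        rawptr += rawsize
    header = (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(hdr_len, b"\0")
    return header + body + overlay


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed sample: ordinary layout, entry point inside .text.
CLEAN_IMAGE = build_pe32(
    [(b".text", 0x1000, 0x300, CODE), (b".data", 0x2000, 0x100, DATA)], 0x1010)

# Constructed sample: the shape an appending file infector tends to leave, a new
# writable+executable last section that owns the entry point, plus an overlay.
INFECTED_IMAGE = build_pe32(
    [(b".text", 0x1000, 0x300, CODE), (b".data", 0x2000, 0x100, DATA),
     (b".xyz", 0x3000, 0x400, CODE | IMAGE_SCN_MEM_WRITE)],
    0x3020, overlay=b"\x90" * 64)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(label, triage(image) or ["no indicators"])
```

To use it on a real machine, feed `triage(open(path, "rb").read())` the executables a scanner reported, and treat any finding as a reason to compare that file with a known-good copy (hash from the vendor or from installation media) before deciding between disinfection and reinstallation.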
wirosari, Posted April 13, 2007 (edited)

Dear FZWG,

Here is the BitDefender online scan (EDITED from HTML format). The files in this folder are still a concern:

C:\Documents and Settings\TresnaTan\Local Settings\Temp\

Thanks in advance!

BitDefender Online Scanner
Scan report generated at: Fri, Apr 13, 2007 - 11:42:52
Scan path: C:\;D:\;

Statistics
Time: 00:43:09
Files: 228709
Folders: 3666
Boot Sectors: 3
Archives: 33484
Packed Files: 23647

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 5
Warnings: 0
Disinfected: 0
Deleted Files: 7

Engines Info
Virus Definitions: 485681
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 13
Archive plugins: 31
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File  Status
C:\ADAWARE\VirTools\GMER_ROOTKIT_SCANNER_catchme.exe  Suspected of: Generic.Malware.GS.578DA1E6
C:\ADAWARE\VirTools\GMER_ROOTKIT_SCANNER_catchme.exe  Disinfection failed
C:\ADAWARE\VirTools\GMER_ROOTKIT_SCANNER_catchme.exe  Deleted
C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe  Suspected of: Generic.Malware.Yd.0347DF9B
C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe  Disinfection failed
C:\Documents and Settings\TresnaTan\Local Settings\Temp\windmelju.exe  Deleted
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winkcmol.exe  Suspected of: Generic.Malware.Yd.0347DF9B
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winkcmol.exe  Disinfection failed
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winkcmol.exe  Deleted
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winppmogd.exe  Suspected of: Generic.Malware.Yd.0347DF9B
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winppmogd.exe  Disinfection failed
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winppmogd.exe  Deleted
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winsujeew.exe  Suspected of: Generic.Malware.Yd.0347DF9B
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winsujeew.exe  Disinfection failed
C:\Documents and Settings\TresnaTan\Local Settings\Temp\winsujeew.exe  Deleted
C:\Program Files\McAfee\McAfee VirusScan\QUARANT\Panda Crack.zip.exe_.MCQ=>(Quarantine-PE)  Infected with: Win32.Lovgate.R@mm
C:\Program Files\McAfee\McAfee VirusScan\QUARANT\Panda Crack.zip.exe_.MCQ=>(Quarantine-PE)  Deleted

Edited April 13, 2007 by wirosari
wirosari, Posted April 13, 2007

Dear sir,

Here is the SYSTEM.INI after BitDefender. FYI, the Panda log is ALL files (about 200). Only the virus name (per line) was deleted.

; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
FileSysChange=off
[MCIDRV_VER]
DEVICEN1=95215658363
__h=18
__dr=12
[iDslow]
IDVer32666=988281
IDMCI32=23846878ABA233
[iDslow32]
MDCDID32=991140
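FZWG asked for system.ini a second time to see whether the disinfection changed it, and the way to answer that question without guessing is to diff the file against what a clean install of the same Windows version carries. The following is an added example, not code from this thread: a Python check that parses a system.ini and reports every section, and every key inside a known section, that is absent from a baseline. The baseline below lists only the sections and keys a stock Windows XP system.ini carries and is an assumption for illustration; in practice, dump it from a known-clean machine of the same Windows version and service pack. The sample input is the system.ini posted above, embedded here as constructed test data. Anything the check flags is something to compare with a clean host, not by itself evidence of infection.

```python
# Added example, not from the thread: report what a system.ini contains beyond
# a known-good baseline. BASELINE is an assumption for illustration; replace it
# with a dump from a clean machine of the same Windows version.
BASELINE = {
    "drivers": {"wave", "timer"},
    "mci": set(),
    "driver32": set(),
    "386enh": {"woafont", "EGA80WOA.FON", "EGA40WOA.FON", "CGA80WOA.FON", "CGA40WOA.FON"},
}


def parse_ini(text):
    """Minimal INI parser: {section: {key: value}}, preserving key case and order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                                  # comment or blank
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def diff_against_baseline(text, baseline=BASELINE):
    """Return (unknown_sections, unknown_keys); names are compared case-insensitively,
    since INI section and key names are case-insensitive on Windows."""
    parsed = parse_ini(text)
    base_by_name = {name.lower(): keys for name, keys in baseline.items()}
    unknown_sections, unknown_keys = [], []
    for name, keys in parsed.items():
        base_keys = base_by_name.get(name.lower())
        if base_keys is None:
            unknown_sections.append(name)
            continue
        base_lower = {k.lower() for k in base_keys}
        unknown_keys.extend((name, k) for k in keys if k.lower() not in base_lower)
    return unknown_sections, unknown_keys


def report(text, baseline=BASELINE):
    """Human-readable summary of diff_against_baseline, one finding per line."""
    parsed = parse_ini(text)
    unknown_sections, unknown_keys = diff_against_baseline(text, baseline)
    lines = ["section not in baseline: [%s] with keys %s" % (s, sorted(parsed[s]))
             for s in unknown_sections]
    lines += ["key not in baseline: [%s] %s=%s" % (s, k, parsed[s][k]) for s, k in unknown_keys]
    return lines or ["system.ini matches the baseline"]


# Constructed test data: the system.ini posted in the thread, verbatim.
SAMPLE_SYSTEM_INI = """\
; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
FileSysChange=off
[MCIDRV_VER]
DEVICEN1=95215658363
__h=18
__dr=12
[iDslow]
IDVer32666=988281
IDMCI32=23846878ABA233
[iDslow32]
MDCDID32=991140
"""

if __name__ == "__main__":
    for line in report(SAMPLE_SYSTEM_INI):
        print(line)
```

Run it once before and once after each disinfection pass and keep both outputs; the sections and keys that disappear between runs are the ones the cleanup touched, and the ones that persist are what still needs explaining against a clean host.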
wirosari, Posted April 13, 2007 (edited)

Very dangerous... I have not yet restarted the PC (after 2 online scans). Still in Safe Mode with Networking. What should I do FIRST now, sir? Please help and advise.

Note: Kaspersky is running, 5% now. Thanks.

Edited April 13, 2007 by wirosari