Question

Many many problems - Can't run ComboFix.exe, SDFix.exe, Cmd.exe or Regedit

Asked by: JatinHemant

Hi friends !

I have many problems on my computer. Please look at the problems...

(1) When I start the computer, it gives the following message...

NoooH...
Please Try to Open  TaskManager  now

(2) Run--->regedit doesn't open regedit.exe. I receive a cmd prompt just for a second, then it disappears.

(3) The Regedit.exe file is there in C:\WINDOWS. When I try to run this file from this location, I receive a cmd prompt just for a second, then it disappears.

(4) Run--->Regedit32.exe gives the following error...

Windows cannot find regedit32.exe. Make sure you typed the name correctly and try again...

(5) When I try to run the file Regedit32.exe from the C:\WINDOWS\system32 location, I receive a cmd prompt just for a second, then it disappears.

(6) Run---->cmd doesn't open Command Prompt. I receive a cmd prompt just for a second, then it disappears.

(7) When I try to run the file from the C:\WINDOWS\system32 location, it gives the same result. BUT... when I copy this file to the desktop and run it, I can see the cmd prompt and it remains there; it doesn't disappear.

(8) When I press Ctrl + Alt + Del, I can't get Task Manager. It just comes for less than one second and disappears.

(9) When I open My Computer--->Tools and click on Folder Options, it also comes for less than one second and disappears, so I cannot change the settings through Folder Options.

(10) Generally the computer works normally. BUT... at any time it stops responding. The mouse moves normally. The keyboard is detected, but when I click on any program it doesn't work. I find the APPLICATION ERROR...

(11) When the above APPLICATION ERROR comes, I can't shut down or restart the computer. When I click on Start--->Turn Off Computer, only two options come: either to log off or switch off. I can't hibernate it or stand by. Then I forcefully shut it down by pressing the power button. (When I restart it again, it works normally.)

(12) ComboFix.exe can't be run either in normal or safe mode.

(13) SDFix can't be run either in normal or safe mode.

I have not installed any antivirus software. I am going to install and update Kaspersky and then I will scan the PC. I am quite sure this is the problem of a dangerous threat.

NOTE: IN SAFE MODE, I CAN RUN BOTH CMD.EXE AND REGEDIT.EXE. FOLDER OPTIONS ALSO WORK THERE AND I CAN USE CTRL + ALT + DEL TO GET TASK MANAGER.

BUT SDFix's RunThis.bat FILE IS NOT RUNNING IN SAFE MODE

Before posting the HijackThis log...

(1) I have cleaned up the PC with CCleaner and now it is free from cookies, temporary Internet files, temporary files and unused log files.

(2) I have run Spybot Search & Destroy. It didn't give me any error. It congratulated me that no problem was found.

(3) Then I tried to run SDFix and ComboFix in normal as well as in safe mode, but they couldn't be run. They execute and disappear in just one second.

(4) I ran HijackThis and created the logs. This is the HijackThis log file...

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:53:19 PM, on 9/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\MAKTray.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\Web\Sys.exe
C:\Program Files\PDF Complete\pdfsaver.exe
C:\WINDOWS\MAKHKEY.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drivers\ncscv32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\Cleaning-Fixing Tools\HijackThis\alternativ.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.5.223:8080
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [MAKTray] MAKTray.exe
O4 - HKLM\..\Run: [PDF Complete] "C:\Program Files\PDF Complete\pdfsty.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [LayoutM] KLayMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NoooH] C:\Windows\Web\Sys.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (file missing)
O23 - Service: McAfee Task Manager (McTaskManager) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

I will also send the Kaspersky log file soon.

Please see what may be the problem.

Thanking you.

Regards,

Hemant
 


Asked On: 2007-09-13 at 07:10:34 (ID 22826187)
Tags: Microsoft, XP, Professional Service Pack 2, NoooH...Please Try to Open - TaskManager - now
Topics: HijackThis Software, Windows XP Operating System, Networking Security Vulnerabilities
Participating Experts: 5
Points: 500
Comments: 10


Answers

 

by: jwphillips80, posted on 2007-09-13 at 07:12:58, ID: 19883797

Have you tried restoring back to a previous date or running recovery with the media disk inserted?

 

by: rpggamergirl, posted on 2007-09-13 at 07:27:39, ID: 19883917

Please go to Start Menu > Run > then copy and paste the following line:

%systemdrive%\SDFix\apps\FixPath.exe /Q

Reboot and then run SDFix again in safe mode.

Combofix should run too afterwards, let us know if SDFix still won't run.

 

by: rpggamergirl, posted on 2007-09-13 at 07:49:35, ID: 19884143

Can we look at the Kaspersky log?
http://vil.nai.com/vil/content/v_142400.htm

These are bad:
O4 - HKLM\..\Run: [NoooH] C:\Windows\Web\Sys.exe
O4 - HKCU\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe

Delete these files:
C:\Windows\Web\Sys.exe
C:\WINDOWS\system32\drivers\ncscv32.exe
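
The two O4 entries flagged above stand out because of where the executables live, not because of their names. The following is an added example (not code from this thread, from HijackThis, or from any vendor) of a small triage script that applies that reasoning to HijackThis log lines: it parses O4 Run entries, O23 services and the R1 proxy line, and flags autostarts whose binary sits in a directory where a Run-key program has no business being. The directory list and the severity labels are heuristics assumed for this example; the sample lines are copied from the log posted in the question.

```python
import ntpath
import re

# Constructed sample input: a handful of lines copied from the HijackThis log
# posted in the question, including the two O4 entries the expert flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.5.223:8080
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [MAKTray] MAKTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NoooH] C:\Windows\Web\Sys.exe
O4 - HKCU\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe
O23 - Service: McAfee McShield (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)"?', re.IGNORECASE)
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?) \(file missing\)$')

# Heuristic assumed for this example (not a vendor list): directories from which
# a Run-key autostart is unexpected on a stock XP machine. Legitimate autostarts
# live under Program Files or system32 itself; the drivers directory holds .sys
# files, \Windows\Web holds HTML templates, and nothing should start from the root.
UNUSUAL_DIRS = [
    (re.compile(r'\\system32\\drivers$'), 'an .exe autostarting from the kernel drivers directory'),
    (re.compile(r'^[a-z]:\\windows\\web$'), 'autostart from \\Windows\\Web'),
    (re.compile(r'^[a-z]:\\?$'), 'autostart from the drive root'),
    (re.compile(r'\\(temp|documents and settings)\\'), 'autostart from a temp or user-profile directory'),
]


def triage(log_text):
    """Return a list of findings (dicts) for the log lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group('cmd'))
            if not exe:
                continue  # no .exe target to classify
            path = exe.group('path')
            directory = ntpath.dirname(path).lower()  # ntpath: handle backslashes on any host
            if directory == '':
                # Bare file name: resolved through the PATH at logon, so the log
                # alone does not tell you which file actually runs.
                findings.append(dict(section='O4', name=m.group('name'), path=path,
                                     severity='review', reason='bare file name, resolved via PATH'))
                continue
            for pattern, why in UNUSUAL_DIRS:
                if pattern.search(directory):
                    findings.append(dict(section='O4', name=m.group('name'), path=path,
                                         severity='suspicious', reason=why))
                    break
            continue
        m = O23_RE.match(line)
        if m:
            # A registered service whose binary is gone: usually an uninstalled
            # product's leftover, but it also means that protection is not running.
            findings.append(dict(section='O23', name=m.group('name'), path=m.group('path'),
                                 severity='review', reason='service registered but binary missing'))
            continue
        if line.startswith('R1 - ') and 'ProxyServer' in line:
            proxy = line.split('=', 1)[1].strip()
            findings.append(dict(section='R1', name='ProxyServer', path=proxy, severity='info',
                                 reason='IE proxy configured; confirm it is the intended one, AV updates go through it'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:10}] {f['section']:3} {f['name']}: {f['path']}  ({f['reason']})")
```

Run against the sample, the script marks `NoooH` and `nvscv32` as suspicious, lists `MAKTray` and the McAfee service for manual review, and reports the proxy as informational; the Intel and RealPlayer entries pass. The point of the `review` tier is that a bare file name or a missing service binary is not evidence of infection by itself, only something the log cannot settle on its own.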

 

by: JatinHemant, posted on 2007-09-14 at 00:03:57, ID: 19889474

Thanks for the reply...

You were exactly right. And the link (http://vil.nai.com/vil/content/v_142400.htm) gives complete information on the NoooH virus. I scanned the PC with Kaspersky Antivirus and am posting the log, taken in a gap of 30 minutes.

(Note: I deleted the Sys.exe and ncscv32.exe files when Kaspersky gave me the option to delete them. And now, after performing the Full Scan, My Computer is not showing any threat. Kaspersky shows that the PC is free of threats.)

Here is the log:

1st Log:

Untreated:      0
Start time:      9/14/2007 8:40:37 AM
Duration:      00:05:13


Detected
--------
Status      Object
------      ------
disinfected: virus Virus.Boot.Malmo      Physical disk sector: \Device\Harddisk0\DR0
detected: riskware Worm.generic      Running process: C:\WINDOWS\system32\drivers\ncscv32.exe
not found: virus Virus.Win32.AutoRun.ad      Running module: Sys.exe\Sys.exe
deleted: virus Virus.Win32.AutoRun.ad      File: C:\Windows\Web\Sys.exe
deleted: virus Worm.Win32.Fujack.aa      File: C:\PROGRA~1\MICROS~2\OFFICE11\FRONTPG.EXE
deleted: virus Worm.Win32.Fujack.aa      File: c:\program files\microsoft office\office11\mstore.exe
deleted: virus Worm.Win32.Fujack.aa      File: c:\program files\spybot - search & destroy\blindman.exe
deleted: virus Worm.Win32.Fujack.aa      File: C:\PROGRA~1\MICROS~2\OFFICE11\OIS.EXE
deleted: virus Virus.Win32.AutoRun.ad      File: C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP82\A0047389.exe
deleted: virus Virus.Win32.AutoRun.ad      File: C:\Sys.exe
deleted: virus Virus.Win32.AutoRun.ad      Running module: Sys.exe\Sys.exe
deleted: virus Worm.Win32.Fujack.aa      File: C:\Games.exe
deleted: virus Worm.Win32.Fujack.bd      File: C:\claudien\Curriculum Implementation.htm
deleted: virus Worm.Win32.Fujack.aa      File: C:\Cleaning-Fixing Tools\ComboFix from BeepingComputers\ComboFix.exe
deleted: virus Worm.Win32.Fujack.aa      File: C:\Cleaning-Fixing Tools\ComboFix from TechSupportForum\ComboFix.exe
disinfected: virus Worm.Win32.Fujack.aa      File: C:\Cleaning-Fixing Tools\SDFix\SDFix.exe
disinfected: virus Worm.Win32.Fujack.aa      File: C:\ComboFix\ntp.exe
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Arabic\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Brazil\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Danish\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Dutch\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\English\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Finnish\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\French\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\German\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Hebrew\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Italian\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Japanese\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Korean\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Norwegan\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Russian\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\SimpChin\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Spanish\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Swedish\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\Thai\SMaxFAQ.htm
disinfected: virus Worm.Win32.Fujack.bd      File: C:\Compaq\Audio\ADI\SM_Panel\Sys\TradChin\SMaxFAQ.htm


Events
------
Time      Event
----      -----
9/13/2007 4:16:54 PM      A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
9/13/2007 4:17:02 PM      Process  (PID 564) tried to access Kaspersky Anti-Virus process (PID 1644), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
9/13/2007 4:17:17 PM      Real-time protection started.
9/13/2007 4:17:32 PM      Update error: proxy connection error, invalid or inaccessible address.
9/13/2007 4:17:32 PM      The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/13/2007 4:19:58 PM      Physical disk sector \Device\Harddisk0\DR0: detected virus 'Virus.Boot.Malmo'.
9/13/2007 4:19:58 PM      Security threats have been detected. You are advised to neutralize them immediately.
9/13/2007 4:19:58 PM      Physical disk sector \Device\Harddisk0\DR0: is still infected, postponed.
9/13/2007 4:19:58 PM      Physical disk sector \Device\Harddisk0\DR0: detected virus 'Virus.Boot.Malmo'.
9/13/2007 4:20:42 PM      Physical disk sector \Device\Harddisk0\DR0: is still infected, skipped by user.
9/13/2007 4:27:54 PM      Running process C:\WINDOWS\system32\drivers\ncscv32.exe: detected modification of riskware 'Worm.generic'.
9/13/2007 4:42:53 PM      Process C:\WINDOWS\system32\drivers\ncscv32.exe (PID 1220) successfully terminated.
9/13/2007 4:46:44 PM      The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/13/2007 5:07:57 PM      Quarantine: File C:\WINDOWS\system32\drivers\ncscv32.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/13/2007 5:08:03 PM      Update error: internal error.
9/13/2007 5:11:57 PM      Quarantine: File C:\WINDOWS\system32\drivers\ncscv32.exe: is still infected, skipped by user.
9/13/2007 5:12:09 PM      Real-time protection is not running. You are advised to resume protection.
9/14/2007 7:37:37 AM      A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
9/14/2007 7:37:42 AM      Real-time protection started.
9/14/2007 7:38:02 AM      Security threats have been detected. You are advised to neutralize them immediately.
9/14/2007 7:38:18 AM      Process  (PID 740) tried to access Kaspersky Anti-Virus process (PID 1632), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
9/14/2007 7:38:46 AM      Process  (PID 1824) tried to access Kaspersky Anti-Virus process (PID 1632), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
9/14/2007 7:40:03 AM      Running module Sys.exe\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 7:40:03 AM      Running module Sys.exe\Sys.exe: is still infected, postponed.
9/14/2007 7:40:03 AM      File C:\Windows\Web\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 7:40:03 AM      File C:\Windows\Web\Sys.exe: is still infected, postponed.
9/14/2007 7:40:11 AM      File c:\program files\microsoft office\office11\frontpg.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 7:40:11 AM      File c:\program files\microsoft office\office11\frontpg.exe: is still infected, postponed.
9/14/2007 7:40:12 AM      File c:\program files\microsoft office\office11\mstore.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 7:40:12 AM      File c:\program files\microsoft office\office11\mstore.exe: is still infected, postponed.
9/14/2007 7:40:12 AM      File c:\program files\spybot - search & destroy\blindman.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 7:40:12 AM      File c:\program files\spybot - search & destroy\blindman.exe: is still infected, postponed.
9/14/2007 7:40:14 AM      File c:\windows\web\sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 7:40:14 AM      File c:\windows\web\sys.exe: is still infected, postponed.
9/14/2007 7:40:27 AM      File c:\program files\microsoft office\office11\ois.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 7:40:27 AM      File c:\program files\microsoft office\office11\ois.exe: is still infected, postponed.
9/14/2007 7:41:13 AM      File C:\WINDOWS\Web\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 7:41:13 AM      File C:\WINDOWS\Web\Sys.exe: is still infected, postponed.
9/14/2007 7:41:55 AM      Physical disk sector \Device\Harddisk0\DR0: detected virus 'Virus.Boot.Malmo'.
9/14/2007 7:41:55 AM      Physical disk sector \Device\Harddisk0\DR0: is still infected, postponed.
9/14/2007 7:41:55 AM      Running module Sys.exe\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 7:47:11 AM      The application  cannot establish connection with server 192.168.5.223. Please check your internet connection settings. If you have a firewall installed, check that the application avp.exe is allowed internet access.
9/14/2007 7:51:34 AM      File C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP82\A0047389.exe: detected virus 'Virus.Win32.AutoRun.ad'. User: EDUCATION\CLAUDINE$, computer: localhost.
9/14/2007 7:56:18 AM      Quarantine: File C:\WINDOWS\system32\drivers\ncscv32.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 7:56:19 AM      Please restart your computer to complete the installation of new or updated protection components.
9/14/2007 7:56:19 AM      Please restart your computer to complete the installation of new or updated protection components.
9/14/2007 7:56:27 AM      Update completed successfully.
9/14/2007 8:01:41 AM      File C:\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'. User: CLAUDINE\Administrator, computer: localhost.
9/14/2007 8:34:12 AM      Running module Sys.exe\Sys.exe: is still infected, skipped by user.
9/14/2007 8:34:12 AM      File c:\windows\web\sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 8:34:12 AM      File C:\System Volume Information\_restore{8D290BB5-E59C-462B-A0EE-E8949A1E4344}\RP82\A0047389.exe: is still infected, skipped by user.
9/14/2007 8:34:18 AM      File c:\windows\web\sys.exe: is still infected, skipped by user.
9/14/2007 8:34:18 AM      Quarantine: File C:\WINDOWS\system32\drivers\ncscv32.exe: is still infected, skipped by user.
9/14/2007 8:34:18 AM      File C:\Sys.exe: is still infected, skipped by user.
9/14/2007 8:34:18 AM      File C:\WINDOWS\Web\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'. User: CLAUDINE\Administrator, computer: localhost.
9/14/2007 8:34:18 AM      File C:\WINDOWS\Web\Sys.exe: is still infected, skipped by user.
9/14/2007 8:34:18 AM      File C:\PROGRA~1\MICROS~2\OFFICE11\FRONTPG.EXE: detected virus 'Worm.Win32.Fujack.aa'. User: CLAUDINE\Administrator, computer: localhost.
9/14/2007 8:34:18 AM      File C:\PROGRA~1\MICROS~2\OFFICE11\FRONTPG.EXE: is still infected, skipped by user.
9/14/2007 8:34:18 AM      File c:\program files\microsoft office\office11\frontpg.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:34:18 AM      File c:\program files\microsoft office\office11\frontpg.exe: is still infected, skipped by user.
9/14/2007 8:34:18 AM      File c:\program files\microsoft office\office11\mstore.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:34:18 AM      File c:\program files\microsoft office\office11\mstore.exe: is still infected, skipped by user.
9/14/2007 8:34:19 AM      File c:\program files\spybot - search & destroy\blindman.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:34:19 AM      File c:\program files\spybot - search & destroy\blindman.exe: is still infected, skipped by user.
9/14/2007 8:34:19 AM      File c:\program files\microsoft office\office11\ois.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:34:19 AM      File c:\program files\microsoft office\office11\ois.exe: is still infected, skipped by user.
9/14/2007 8:34:19 AM      Physical disk sector \Device\Harddisk0\DR0: detected virus 'Virus.Boot.Malmo'.
9/14/2007 8:34:19 AM      Physical disk sector \Device\Harddisk0\DR0: is still infected, skipped by user.
9/14/2007 8:34:28 AM      Real-time protection is not running. You are advised to resume protection.
9/14/2007 8:35:20 AM      A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
9/14/2007 8:35:34 AM      Process  (PID 540) tried to access Kaspersky Anti-Virus process (PID 1488), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
9/14/2007 8:35:40 AM      Security threats have been detected. You are advised to neutralize them immediately.
9/14/2007 8:35:40 AM      Real-time protection started.
9/14/2007 8:36:23 AM      Quarantine: File C:\WINDOWS\system32\drivers\ncscv32.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:36:31 AM      Quarantine: File C:\WINDOWS\system32\drivers\ncscv32.exe: deleted.
9/14/2007 8:37:14 AM      File C:\PROGRA~1\MICROS~2\OFFICE11\FRONTPG.EXE: detected virus 'Worm.Win32.Fujack.aa'. User: CLAUDINE\Administrator, computer: localhost.
9/14/2007 8:37:19 AM      Update completed successfully.
9/14/2007 8:37:22 AM      File C:\PROGRA~1\MICROS~2\OFFICE11\FRONTPG.EXE: deleted.
9/14/2007 8:37:53 AM      Running module Sys.exe\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 8:37:53 AM      Running module Sys.exe\Sys.exe: is still infected, postponed.
9/14/2007 8:37:53 AM      File C:\Windows\Web\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 8:37:53 AM      File C:\Windows\Web\Sys.exe: is still infected, postponed.
9/14/2007 8:37:56 AM      File c:\program files\microsoft office\office11\mstore.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:37:56 AM      File c:\program files\microsoft office\office11\mstore.exe: is still infected, postponed.
9/14/2007 8:37:57 AM      File c:\program files\spybot - search & destroy\blindman.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:37:57 AM      File c:\program files\spybot - search & destroy\blindman.exe: is still infected, postponed.
9/14/2007 8:37:57 AM      File c:\windows\web\sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 8:37:57 AM      File c:\windows\web\sys.exe: is still infected, postponed.
9/14/2007 8:37:58 AM      File c:\program files\microsoft office\office11\ois.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:37:58 AM      File c:\program files\microsoft office\office11\ois.exe: is still infected, postponed.
9/14/2007 8:37:58 AM      File C:\WINDOWS\Web\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 8:37:58 AM      File C:\WINDOWS\Web\Sys.exe: is still infected, postponed.
9/14/2007 8:38:11 AM      Physical disk sector \Device\Harddisk0\DR0: detected virus 'Virus.Boot.Malmo'.
9/14/2007 8:38:11 AM      Physical disk sector \Device\Harddisk0\DR0: is still infected, postponed.
9/14/2007 8:38:11 AM      Running module Sys.exe\Sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 8:38:28 AM      File C:\PROGRA~1\MICROS~2\OFFICE11\OIS.EXE: detected virus 'Worm.Win32.Fujack.aa'. User: CLAUDINE\Administrator, computer: localhost.
9/14/2007 8:38:28 AM      File C:\PROGRA~1\MICROS~2\OFFICE11\OIS.EXE: deleted.
9/14/2007 8:38:42 AM      Running module Sys.exe\Sys.exe: deleted.
9/14/2007 8:38:42 AM      File c:\windows\web\sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 8:38:49 AM      File c:\windows\web\sys.exe: detected virus 'Virus.Win32.AutoRun.ad'.
9/14/2007 8:38:50 AM      File c:\windows\web\sys.exe: deleted.
9/14/2007 8:38:52 AM      File c:\program files\microsoft office\office11\mstore.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:38:59 AM      File c:\program files\microsoft office\office11\mstore.exe: deleted.
9/14/2007 8:38:59 AM      File c:\program files\spybot - search & destroy\blindman.exe: detected virus 'Worm.Win32.Fujack.aa'.
9/14/2007 8:39:00 AM      File c:\program files\spybot - search & destroy\blindman.exe: deleted.
9/14/2007 8:39:11 AM      Real-time protection is not running. You are advised to resume protection.
9/14/2007 8:40:13 AM      A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
9/14/2007 8:40:26 AM      Process  (PID 768) tried to access Kaspersky Anti-Virus process (PID 1636), but the action has been blocked by the Self-Defense component. No action on your part is necessary.
9/14/2007 8:40:37 AM      Real-time protection started.
9/14/2007 8:41:17 AM      Security threats have been detected. You are advised to neutralize them immediately.
9/14/2007 8:43:11 AM      Physical disk sector \Device\Harddisk0\DR0: detected virus 'Virus.Boot.Malmo'.
9/14/2007 8:43:11 AM      Physical disk sector \Device\Harddisk0\DR0: is still infected, postponed.
9/14/2007 8:43:11 AM      Physical disk sector \Device\Harddisk0\DR0: detected virus 'Virus.Boot.Malmo'.
9/14/2007 8:43:18 AM      Physical disk sector \Device\Harddisk0\DR0: disinfected.
9/14/2007 8:43:18 AM      Physical disk sector \Device\Harddisk0\DR0: disinfected.


Reports
-------
Component      Status      Start      Finish      Size
---------      ------      -----      ------      ----
Proactive Defense      running      9/14/2007 8:40:37 AM            0 bytes
File Anti-Virus      running      9/14/2007 8:40:37 AM            246.3 KB
Mail Anti-Virus      running      9/14/2007 8:40:37 AM            0 bytes
Web Anti-Virus      running      9/14/2007 8:40:38 AM            10 KB
Scan      running      9/14/2007 8:42:12 AM            265.0 KB
Scan startup objects      completed      9/14/2007 8:42:42 AM      9/14/2007 8:43:18 AM      498.5 KB


Quarantine
----------
Status      Object      Size      Added
------      ------      ----      -----


Backup
------
Status      Object      Size
------      ------      ----
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\danish\smaxfaq.htm      16.9 KB
Infected: virus Worm.Win32.Fujack.aa      c:\cleaning-fixing tools\combofix from techsupportforum\combofix.exe      1.5 MB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\simpchin\smaxfaq.htm      12.5 KB
Infected: virus Worm.Win32.Fujack.aa      c:\program files\microsoft office\office11\mstore.exe      189.4 KB
Infected: virus Worm.Win32.Fujack.aa      C:\PROGRA~1\MICROS~2\OFFICE11\OIS.EXE      344.4 KB
Infected: virus Virus.Win32.AutoRun.ad      Sys.exe\Sys.exe      40 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\thai\smaxfaq.htm      15.0 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\russian\smaxfaq.htm      16.6 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\brazil\smaxfaq.htm      18.9 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\dutch\smaxfaq.htm      16 KB
Infected: virus Worm.Win32.Fujack.aa      c:\cleaning-fixing tools\sdfix\sdfix.exe      1.2 MB
Infected: virus Worm.Win32.Fujack.bd      c:\claudien\curriculum implementation.htm      10.2 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\korean\smaxfaq.htm      15.3 KB
Infected: virus Worm.Win32.Fujack.aa      c:\combofix\ntp.exe      109.2 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\hebrew\smaxfaq.htm      59.6 KB
Infected: virus Worm.Win32.Fujack.aa      c:\cleaning-fixing tools\combofix from beepingcomputers\combofix.exe      1.5 MB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\french\smaxfaq.htm      19.4 KB
Infected: virus Virus.Win32.AutoRun.ad      c:\windows\web\sys.exe      40 KB
Infected: virus Worm.Win32.Fujack.aa      c:\program files\spybot - search & destroy\blindman.exe      113.5 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\swedish\smaxfaq.htm      17.8 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\english\smaxfaq.htm      15.8 KB
Infected: virus Virus.Win32.AutoRun.ad      c:\sys.exe      40 KB
Infected: virus Worm.Win32.Fujack.aa      C:\WINDOWS\system32\drivers\ncscv32.exe      67.3 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\japanese\smaxfaq.htm      15.7 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\tradchin\smaxfaq.htm      12.7 KB
Infected: virus Virus.Win32.AutoRun.ad      c:\system volume information\_restore{8d290bb5-e59c-462b-a0ee-e8949a1e4344}\rp82\a0047389.exe      40 KB
Infected: virus Worm.Win32.Fujack.aa      C:\PROGRA~1\MICROS~2\OFFICE11\FRONTPG.EXE      4.3 MB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\italian\smaxfaq.htm      17.7 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\norwegan\smaxfaq.htm      16.3 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\finnish\smaxfaq.htm      18.2 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\arabic\smaxfaq.htm      62.2 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\german\smaxfaq.htm      18 KB
Infected: virus Worm.Win32.Fujack.bd      c:\compaq\audio\adi\sm_panel\sys\spanish\smaxfaq.htm      18.8 KB
Infected: virus Worm.Win32.Fujack.aa      c:\games.exe      67.3 KB

Now I can do everything I previously failed to do. BUT...

There is another problem that has arisen. When I try to open the C: volume by double-clicking it, I get the following message...

Windows cannot find 'Sys.exe'. Make sure you typed the name correctly, and then try again. To search for a file, Click the Start button, and then click Search.

In the link (http://vil.nai.com/vil/content/v_142400.htm), I read that the virus W32/Hooon.Worm, alias Virus.Win32.AutoRun.ad (Kaspersky Anti-Virus), copies two files to removable media: Sys.exe (the worm) and autorun.inf.

While scanning, Kaspersky Anti-Virus gave me the option to either disinfect or delete this file. I deleted this file, as it is a worm. Now, when I double-click on the C: volume, I receive the message I told you about above.

Please check what the cause of this message is. How can I open the C: volume normally again? SHOULD I TRY SDFIX AND COMBOFIX AGAIN?

Thanks...

Hemant
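
To see why deleting Sys.exe on its own leaves the "Windows cannot find 'Sys.exe'" message behind, here is an added Python example (my code, not part of the original post and not from any of the tools discussed) that reads an autorun.inf the way Explorer does and reports what a double-click on the volume would launch, and which of those targets are no longer on disk. The autorun.inf content is constructed to match the thread's description (Sys.exe plus an autorun.inf pointing at it); the worm's real file is not on the page. The mapping of directives to Explorer verbs (open=, shellexecute= and shell\<verb>\command=, with shell= choosing the default verb) and their precedence are my reading of Explorer's behaviour as reflected in the MountPoints2 keys ComboFix dumps later in this thread, not something the page states.

```python
"""Read an autorun.inf the way Explorer does and report what a double-click
on the volume would launch.  Added example; the sample file is constructed."""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample: an autorun.inf that points at Sys.exe from every
# directive an AutoRun worm typically sets.  A junk line and a second section
# are included because Explorer ignores both, which is what worms rely on.
SAMPLE_INF = """\
[AutoRun]
open=Sys.exe
shellexecute=Sys.exe
shell\\Auto\\command=Sys.exe
shell=Auto
this line is junk and is ignored by explorer
[Other]
open=harmless.exe
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value directives of the [autorun] section, keys lower-cased.

    Parsing is deliberately tolerant, like Explorer's: blank lines, ';' comments,
    lines without '=' and sections other than [autorun] are skipped, not rejected.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def launch_actions(directives: Dict[str, str]) -> Tuple[Dict[str, str], Optional[str]]:
    """Map directives to the verbs Explorer registers for the volume.

    Assumed mapping (my reading of Explorer, matching the MountPoints2 dump in
    this thread): open= -> verb 'open'; shellexecute= -> verb 'autorun', run
    through RunDLL32 Shell32.DLL,ShellExec_RunDLL; shell\\X\\command= -> verb 'x'.
    shell= names the verb Explorer uses as the default (double-click) action.
    """
    actions: Dict[str, str] = {}
    if "open" in directives:
        actions["open"] = directives["open"]
    if "shellexecute" in directives:
        actions["autorun"] = directives["shellexecute"]
    for key, value in directives.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            actions[m.group(1).lower()] = value
    default_verb = directives.get("shell")
    return actions, (default_verb.lower() if default_verb else None)


def double_click_target(directives: Dict[str, str]) -> Optional[str]:
    """The file Explorer launches when the volume is double-clicked.

    Precedence is an assumption: an explicit default verb wins, then
    shellexecute=, then open=.
    """
    actions, default_verb = launch_actions(directives)
    if default_verb and default_verb in actions:
        return actions[default_verb]
    for verb in ("autorun", "open"):
        if verb in actions:
            return actions[verb]
    return None


def stale_actions(directives: Dict[str, str], files_on_volume: Set[str]) -> Dict[str, str]:
    """Verbs whose target is no longer present on the volume (case-insensitive).

    Once a scanner deletes the worm but leaves autorun.inf (or Explorer's cached
    copy of it) behind, every verb listed here is what produces
    'Windows cannot find <file>' on double-click.
    """
    present = {f.lower() for f in files_on_volume}
    actions, _ = launch_actions(directives)
    return {verb: target for verb, target in actions.items()
            if target.lower() not in present}


if __name__ == "__main__":
    d = parse_autorun_inf(SAMPLE_INF)
    print("double-click runs:", double_click_target(d))
    # Sys.exe deleted by the scanner, autorun.inf left behind:
    print("stale:", stale_actions(d, {"boot.ini", "ntldr", "autorun.inf"}))
```

The practical point is in stale_actions: the fix is not to restore Sys.exe but to delete the autorun.inf (and the cached MountPoints2 entry) that still names it.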

 

by: rpggamergirl, posted on 2007-09-14 at 04:11:23, ID: 19890389

You also need to fix these entries in HijackThis, if they are still present:
O4 - HKLM\..\Run: [NoooH] C:\Windows\Web\Sys.exe
O4 - HKCU\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe

Can you show us the logs from ComboFix and SDFix, please?
Can you also run this tool? I want to check whether a file infector is infecting your legitimate files.

Download FindAWF.exe.
http://noahdfear.net/downloads/FindAWF.exe
and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".

You will be presented with the following Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT

Select 1, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in Notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.
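
As an added example (my code, not HijackThis code and not part of rpggamergirl's reply), here is a small Python parser for O4 lines like the two quoted above, with two checks that explain why those two deserve fixing: one launches a user-mode .exe out of system32\drivers, a folder that should hold kernel drivers, and, once Kaspersky has deleted Sys.exe and ncscv32.exe, both point at files that no longer exist, so the values are dead weight that should be removed. The existence check is a parameter so the sample runs on any machine. The first two sample lines are the ones from the post; the third is constructed from the AVP Run entry in the ComboFix log further down, in the quoted form HijackThis uses for paths with spaces.

```python
"""Parse HijackThis 'O4' autostart lines and flag the ones worth fixing.
Added example, not HijackThis code."""
import os
import re
from typing import Callable, Dict, List, NamedTuple

O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<command>.*\S)"
)

# Two lines from this thread plus one constructed legitimate entry.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [NoooH] C:\Windows\Web\Sys.exe",
    r"O4 - HKCU\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe",
    r'O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"',
]

REASON_DRIVERS = "user-mode program in the kernel drivers folder"
REASON_MISSING = "target missing on disk: the value fails at logon and should be removed"


class Autostart(NamedTuple):
    hive: str
    key: str
    name: str
    command: str


def parse_o4(lines) -> List[Autostart]:
    """Keep only well-formed O4 lines; anything else in a HijackThis log is skipped."""
    entries = []
    for line in lines:
        m = O4_LINE.match(line.strip())
        if m:
            entries.append(Autostart(**m.groupdict()))
    return entries


def executable_of(command: str) -> str:
    """Program path in a Run value: a quoted path, else everything up to the
    first executable extension (unquoted paths with spaces are common)."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", command)
    return m.group(1) if m else command.split()[0]


def triage_o4(entries: List[Autostart],
              exists: Callable[[str], bool] = os.path.exists,
              windir: str = r"C:\WINDOWS") -> Dict[str, List[str]]:
    """Value name -> reasons to look at it (an empty list means nothing found)."""
    drivers = (windir + r"\system32\drivers").lower() + "\\"
    report: Dict[str, List[str]] = {}
    for e in entries:
        exe = executable_of(e.command)
        reasons = []
        if exe.lower().startswith(drivers):
            reasons.append(REASON_DRIVERS)
        if not exists(exe):
            reasons.append(REASON_MISSING)
        report[e.name] = reasons
    return report


if __name__ == "__main__":
    # Simulate the state after the scanner's deletions: only avp.exe is left.
    only_avp = lambda p: p.lower().endswith("avp.exe")
    for name, reasons in triage_o4(parse_o4(SAMPLE_O4), exists=only_avp).items():
        print(name, "->", reasons or "ok")
```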

 

by: JatinHemant, posted on 2007-09-14 at 06:06:21, ID: 19891036

Thanks for your suggestions.

I removed the following entries from the registry:

O4 - HKLM\..\Run: [NoooH] C:\Windows\Web\Sys.exe
O4 - HKCU\..\Run: [nvscv32] C:\WINDOWS\system32\drivers\ncscv32.exe

and then I ran SDFix and ComboFix. They both worked together. And now I can open the volume normally. Everything is OK, and this is because of you.

By the way, I didn't run FindAWF.exe, but thanks for giving me this tool. I would request that in future you explain this tool and the other tool, VundoFix.exe, to me as well.

For your perusal, I am sending the ComboFix and SDFix log files:

ComboFix Log File:

ComboFix 07-09-10.6 - "Administrator" 2007-09-14 14:50:09.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.240 [GMT 3:00]
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Cleaning-Fixing Tools\Coolpixs Remover\BFU.exe\Desktop_.ini
C:\Cleaning-Fixing Tools\Coolpixs Remover\Desktop_.ini
C:\Documents and Settings\Administrator\Desktop\Cleaning-Fixing Tools\Coolpixs Remover\BFU.exe\Desktop_.ini
C:\Documents and Settings\Administrator\Desktop\Cleaning-Fixing Tools\Coolpixs Remover\Desktop_.ini
c:\RECYCLER\Desktop__.ini


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


(((((((((((((((((((((((((   Files Created from 2007-08-14 to 2007-09-14  )))))))))))))))))))))))))))))))
.

2007-09-14 14:49      51,200      --a------      C:\WINDOWS\NirCmd.exe
2007-09-14 14:42      <DIR>      d--------      C:\WINDOWS\ERUNT
2007-09-13 16:07      20,512      --ahs----      C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-13 16:07      1,356,576      --ahs----      C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-13 16:07      <DIR>      d--------      C:\Program Files\Kaspersky Lab
2007-09-13 16:07      <DIR>      d--------      C:\kav
2007-09-13 16:07      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-13 15:15      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-13 14:45      <DIR>      d--------      C:\Program Files\CCleaner
2007-09-13 14:39      <DIR>      d--------      C:\Cleaning-Fixing Tools
2007-09-07 07:17      <DIR>      d--------      C:\AGNES DOCUMENT
2007-09-03 16:09      118,784      --a------      C:\DOCUME~1\ADMINI~1\WZQKPICK.EXE.exe
2007-08-30 15:35      <DIR>      d-a------      C:\Maths (2nd year marks) Epi
2007-08-29 12:28      1,495,552      --a------      C:\WINDOWS\system32\epoPGPsdk.dll
2007-08-29 12:28      <DIR>      d--------      C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-08-29 12:18      2,781,184      --a------      C:\DOCUME~1\ADMINI~1\WINZIP32.EXE.exe
2007-08-27 16:33      10,073,144      --a------      C:\DOCUME~1\ADMINI~1\EXCEL.EXE.exe
2007-08-16 14:54      525,824      --a------      C:\DOCUME~1\ADMINI~1\SetRefresh.exe.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 14:56      ---------      d--------      C:\DOCUME~1\ADMINI~1\APPLIC~1\Skype
2007-09-14 14:53      22208      --ahs----      C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-14 14:53      20696      --ahs----      C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-14 09:14      ---------      d--------      C:\Program Files\Altiris
2007-09-13 16:17      ---------      d--------      C:\DOCUME~1\ADMINI~1\APPLIC~1\AdobeUM
2007-09-13 15:52      ---------      d--------      C:\Program Files\McAfee
2007-09-13 11:19      ---------      d--------      C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-09-13 07:27      9      -r-hs----      C:\Program Files\Desktop__.ini
2007-08-29 12:59      ---------      d--------      C:\Program Files\PDF Complete
2007-08-29 12:59      ---------      d--------      C:\Program Files\HPMAK
2007-08-16 14:17      ---------      d--------      C:\Program Files\Skype
2007-08-16 14:17      ---------      d--------      C:\Program Files\Real
2007-08-16 14:17      ---------      d--------      C:\Program Files\Program Shortcuts
2007-08-16 14:17      ---------      d--------      C:\Program Files\Microsoft.NET
2007-08-16 14:17      ---------      d--------      C:\Program Files\Microsoft Works
2007-08-16 14:16      ---------      d--------      C:\Program Files\Microsoft ActiveSync
2007-08-16 14:16      ---------      d--------      C:\Program Files\HPQ
2007-08-16 14:16      ---------      d--------      C:\Program Files\Hewlett-Packard
2007-08-16 14:15      ---------      d--------      C:\Program Files\Google
2007-08-16 14:15      ---------      d--------      C:\Program Files\Compaq
2007-08-16 14:15      ---------      d--------      C:\Program Files\Broadcom
2007-08-16 14:15      ---------      d--------      C:\Program Files\Analog Devices
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-09-30 19:41]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-09-30 19:37]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-07-30 19:08]
"MAKTray"="MAKTray.exe" [2004-08-28 03:07 C:\WINDOWS\MAKTray.exe]
"PDF Complete"="C:\Program Files\PDF Complete\pdfsty.exe" [2006-01-03 22:30]
"SetRefresh"="C:\Program Files\Compaq\SetRefresh\SetRefresh.exe" []
"LayoutM"="KLayMgr.exe" [2004-08-17 06:46 C:\WINDOWS\KLayMgr.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-09 16:50]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-11-08 18:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-02-22 23:31]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 07:53]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 13:06]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetTaskbar"=0 (0x0)



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2139a016-ffc6-11db-96e4-000ffe4b2b45}]
AutoRun\command- ntde1ect.com
explore\Command- ntde1ect.com
open\Command- ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2141f85a-0dab-11dc-9708-000ffe4b2b45}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26d583c6-52d4-11dc-97b9-000ffe4b2b45}]
Auto\command- E:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36796976-5ba0-11dc-97f1-000ffe4b2b45}]
Auto\command- E:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41314abc-2b8c-11dc-9755-000ffe4b2b45}]
Auto\command- E:\bittorrent.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4dc8eda6-293c-11dc-9751-000ffe4b2b45}]
Auto\command- E:\boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f73faba-2b8d-11dc-9756-000ffe4b2b45}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bb02cbc-0859-11dc-96f3-000ffe4b2b45}]
Auto\command- bittorrent.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65c548f9-fe30-11db-96df-000ffe4b2b45}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7249909c-3077-11dc-9764-000ffe4b2b45}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{844de992-3134-11dc-9765-000ffe4b2b45}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{844de995-3134-11dc-9765-000ffe4b2b45}]
Auto\command- E:\boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8bb54078-0507-11dc-96eb-000ffe4b2b45}]
Auto\command- OSO.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91fece9c-5c4c-11dc-97f5-000ffe4b2b45}]
AutoRun\command- E:\ntde1ect.com
explore\Command- E:\ntde1ect.com
open\Command- E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9265b936-44b1-11dc-9793-000ffe4b2b45}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bdb455f-2466-11dc-9743-000ffe4b2b45}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcee610c-508b-11dc-97b0-000ffe4b2b45}]
AutoRun\command- E:\ntde1ect.com
explore\Command- E:\ntde1ect.com
open\Command- E:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca99c9a6-45b2-11dc-9798-000ffe4b2b45}]
Auto\command- E:\bittorrent.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cad82f17-17d8-11dc-9723-000ffe4b2b45}]
Auto\command- E:\bittorrent.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bittorrent.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cca45514-fc64-11db-96d9-000ffe4b2b45}]
Auto\command- E:\OSO.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL OSO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d91e448a-1ee9-11dc-9735-000ffe4b2b45}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e355ca10-260f-11dc-974a-000ffe4b2b45}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5966a0a-02a7-11dc-96e6-000ffe4b2b45}]
Auto\command- E:\boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e762441c-4c7b-11dc-97a8-000ffe4b2b45}]
Auto\command- E:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef773770-5c57-11dc-97f6-000ffe4b2b45}]
Auto\command- E:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 14:55:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 14:56:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-14 14:56
.
      --- E O F ---

SDFix Log File:

SDFix: Version 1.104

Run by Administrator on Fri 09/14/2007 at 02:43 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\AcroRd32Info.exe.exe - Deleted
C:\WINDOWS\system32\FrameworkService.exe.exe - Deleted
C:\WINDOWS\system32\FrmInst.exe.exe - Deleted
C:\WINDOWS\system32\OUTLOOK.EXE.exe - Deleted
C:\WINDOWS\system32\UdaterUI.exe.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


                                 Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Cleaning-Fixing Tools\Coolpixs Remover\BFU.exe\Desktop_.ini
C:\Cleaning-Fixing Tools\Coolpixs Remover\BFU.exe\Desktop__.ini
C:\Documents and Settings\Administrator\Application Data\U3\temp\Launchpad Removal.exe
C:\Documents and Settings\Administrator\Desktop\Cleaning-Fixing Tools\Coolpixs Remover\BFU.exe\Desktop_.ini
C:\Documents and Settings\Administrator\Desktop\Cleaning-Fixing Tools\Coolpixs Remover\BFU.exe\Desktop__.ini
C:\AGNES DOCUMENT\~WRL0274.tmp
C:\Documents and Settings\Administrator\My Documents\~WRL0005.tmp
C:\Documents and Settings\Administrator\My Documents\~WRL3561.tmp

Finished!


Thanks...

Regards,

Hemant
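
The MountPoints2 dump in the ComboFix log above is where the "Windows cannot find 'Sys.exe'" message came from: Explorer caches each volume's autorun.inf actions under that key, so the cached command outlives both the worm and the autorun.inf itself. Here is an added Python example (my code, not ComboFix's) that pulls those keys and the "Files Created" list out of a ComboFix log and flags what a helper reading the log would look at: commands that launch a bare file name from the volume root, hijacked open/explore verbs, the custom "Auto" verb, a stale ShellExec_RunDLL command with no target left, and double-extension names such as WZQKPICK.EXE.exe, the same pattern SDFix lists under "Trojan Files Found". The heuristics are mine; SAMPLE_LOG is an excerpt of the log posted above.

```python
"""Triage the MountPoints2 keys and the 'Files Created' list of a ComboFix log.
Added example, not ComboFix code; SAMPLE_LOG is an excerpt of the log in this
thread."""
import re
from typing import Dict, List

SAMPLE_LOG = r"""
2007-09-14 14:49      51,200      --a------      C:\WINDOWS\NirCmd.exe
2007-09-14 14:42      <DIR>      d--------      C:\WINDOWS\ERUNT
2007-09-03 16:09      118,784      --a------      C:\DOCUME~1\ADMINI~1\WZQKPICK.EXE.exe
2007-08-27 16:33      10,073,144      --a------      C:\DOCUME~1\ADMINI~1\EXCEL.EXE.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-11-08 18:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2139a016-ffc6-11db-96e4-000ffe4b2b45}]
AutoRun\command- ntde1ect.com
explore\Command- ntde1ect.com
open\Command- ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26d583c6-52d4-11dc-97b9-000ffe4b2b45}]
Auto\command- E:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65c548f9-fe30-11db-96df-000ffe4b2b45}]
AutoRun\command- E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9bdb455f-2466-11dc-9743-000ffe4b2b45}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL
"""

MP2_PREFIX = ("[hkey_current_user\\software\\microsoft\\windows\\currentversion"
              "\\explorer\\mountpoints2\\")
VERB_LINE = re.compile(r"^(?P<verb>\w+)\\command-\s*(?P<cmd>.*)$", re.IGNORECASE)
SHELLEXEC = re.compile(r"ShellExec_RunDLL\s*(?P<target>.*)$", re.IGNORECASE)
ABSOLUTE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>\S.*?)\s*$")
DOUBLE_EXT = re.compile(r"\.(?:exe|com|scr|pif|bat)\.(?:exe|com|scr|pif)$", re.IGNORECASE)


def parse_mountpoints2(log: str) -> Dict[str, Dict[str, str]]:
    """volume (drive letter or volume GUID) -> {verb (lower-cased): command}."""
    volumes: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("["):
            if line.lower().startswith(MP2_PREFIX):
                current = line[len(MP2_PREFIX):].rstrip("]")
                volumes[current] = {}
            else:
                current = None  # a Run key or other section, not MountPoints2
            continue
        m = VERB_LINE.match(line)
        if current is not None and m:
            volumes[current][m.group("verb").lower()] = m.group("cmd").strip()
    return volumes


def launch_target(command: str) -> str:
    """The file Explorer actually runs: the argument of ShellExec_RunDLL if the
    command goes through RunDLL32, otherwise the command itself."""
    m = SHELLEXEC.search(command)
    return m.group("target").strip() if m else command.strip()


def triage_mountpoints(volumes: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """volume -> findings; an empty list means nothing stood out.  The heuristics
    are mine: E:\setup.exe on a CD-ROM drive can be legitimate, so read the
    findings against the volume type."""
    report: Dict[str, List[str]] = {}
    for volume, verbs in volumes.items():
        findings = []
        for verb, command in verbs.items():
            target = launch_target(command)
            if not target:
                findings.append(f"{verb}: ShellExec_RunDLL with no target (stale entry)")
            elif not ABSOLUTE.match(target):
                findings.append(f"{verb}: launches '{target}' from the volume root")
        if "auto" in verbs:
            findings.append("custom 'Auto' verb, the usual AutoRun-worm pattern")
        if {"open", "explore"} <= set(verbs):
            findings.append("open/explore verbs hijacked: double-click and right-click Explore both run the target")
        report[volume] = findings
    return report


def double_extension_files(log: str) -> List[str]:
    """Paths in 'Files Created' whose name ends in two executable extensions."""
    hits = []
    for raw in log.splitlines():
        m = FILE_LINE.match(raw.strip())
        if m and DOUBLE_EXT.search(m.group("path")):
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    for volume, findings in triage_mountpoints(parse_mountpoints2(SAMPLE_LOG)).items():
        print(volume, "->", findings or "ok")
    print("double extensions:", double_extension_files(SAMPLE_LOG))
```

The U3 launcher volume comes out clean and the real CD entry is only flagged for its bare-name AutoRun command and its "Auto" verb, which is the level of noise a helper can live with; the stale entry for C: is the one that produced the error in this thread.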

 

by: rpggamergirl, posted on 2007-09-14 at 07:02:39, ID: 19891531

>>By the way, I didn't run FindAWF.exe, but thanks for giving me this tool. I would request that in future you explain this tool and the other tool, VundoFix.exe, to me as well.<<

VundoFix.exe is a tool for the removal of Vundo infections, which you do not have. Your logs did not show any signs of Vundo, so there's no need to use VundoFix at the moment.

You need my guidance when using FindAWF.exe because it's not like normal scanners; the whole process is done in steps.
The first step is just scanning the system for bak folders. I then analyze the log before you can proceed to the next step.
What prompted me to suggest FindAWF.exe was that Kaspersky's log was showing legitimate programs as being infected.

Are these programs working?
Microsoft Office, Frontpage in particular
Spybot S&D

ComboFix deleted files from flash-drive infections; the log also shows some bad registry entries.
You might like to run this tool too. Though it hasn't been updated since July, just try and run it.
http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Thanks!

 

by: cpsitech, posted on 2008-07-03 at 07:54:17, ID: 21926048

User desktop profile compromised. Workaround as follows:
Just rename ComboFix.exe to Combo-Fix.exe
and SDFix.exe to SD-Fix.exe.
Both should run properly and remove the bad stuff.
Continue with the above suggestions.

 

by: itsallgood24, posted on 2009-01-08 at 15:37:10, ID: 23331397

cpsitech, your comment was right on. Thanks for the comment!

 

by: Inbox360, posted on 2009-02-11 at 21:58:21, ID: 23619486

The Combo-Fix trick worked great. Thanks.
