System infected by worm/spyware/virus

newbie27
Hello Experts,

It seems my machine got infected with one of the above yesterday while I was trying to install a PDF converter. It has also booted my PC off a couple of times yesterday, and now I am not able to view PDF files in Adobe Acrobat Reader; every time I try to open a PDF I get the attached error.

I have also tried uninstalling Adobe Reader completely and installing a fresh copy; however, the problem is still coming.

Please can someone advise a fix.

Thanks
s
Hopeleonie (IT Manager)
Commented:
To remove viruses we use ActiveScan (http://www.pandasecurity.com/activescan). It's a highly recommended antivirus engine. But because there are so many viruses I recommend scanning with as many antivirus engines as possible. So you will find a useful link below.

More Free online Scanners:
http://www.itsecurity.com/features/free-online-antivirus-tools-101207/
Have you tried restoring your computer to an earlier date to see if you still have the same problem?
Commented:
If the problem is still unresolved after trying the above suggestions, try running ComboFix.
Download ComboFix and save it to your Desktop >
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before using ComboFix please disable any realtime Anti-virus, Anti-spyware, Shields, etc. that you may have running, and remember to re-enable them later, upon completion.

Also it may be necessary to rename ComboFix.exe to Combo-Fix.exe (for example), before saving it to your desktop.  If you have difficulties downloading it, try downloading to another machine, then into a USB memory stick (or equivalent).  Rename it and connect to the problematic machine.

Double click "combofix.exe" and follow the prompts.
When it's finished it will have produced a Logfile, probably at C:\ComboFix.txt.
You could post that log, together with a HijackThis log, in a reply for us.
Please do not mouse-click ComboFix's window while it is running, because it may stall. It is absolutely normal for you to see a blue screen with a flashing cursor, and this can last for up to 30 mins. Just let it run.

Ideally ComboFix should be run in normal mode, although it will work a little less efficiently in safe mode.

Commented:
Try www.malwarebytes.org

Also try right-clicking on a PDF, select 'Open with', then choose the program and select Adobe Reader.

If you would like a PDF printer, go for:

http://www.cutepdf.com/Products/CutePDF/writer.asp

or

http://www.primopdf.com/

Author

Commented:
Thanks folks...

The first 2 options did not work ... it has detected the file below

Memory:  was found in \\?\globalroot\systemroot\system32\uacwotlfimhiesngdxpu.dll on 17/07/2009 12:33:52

but it's not getting deleted; I have even tried using ZoneAlarm.

Author

Commented:
Hi Jonvee:

I have downloaded ComboFix; however, I am unable to run it. I have also disabled the ZoneAlarm antivirus software.

Please advise.

Thanks

Author

Commented:
Hi houssam_ballout

I am unable to restore my computer to the previous date as I don't see any restore point ...

Thx

Commented:
newbie27 ... did you try renaming ComboFix.exe [to Combo-Fix.exe or anything else] *before* saving it to your desktop?

If you still have difficulties, try downloading to another computer, rename it, THEN save it to a USB memory stick (or equivalent). You can then use it on the problematic machine.

Commented:
You could try 'Stinger', which is a utility that cleans the system of viruses that block antivirus software. Suggest you download 'Stinger' and run it to make sure that 'disabling viruses' are not present. Please note that the filename has been changed from "stinger.exe" to "s-t-i-n-g-e-r.exe" (and more recently stng260.exe); download with details here:
http://vil.nai.com/vil/stinger/

Commented:
newbie27, please ignore that last comment, I should have posted this:
----------------
Incidentally, an infection can knock out your System Restore points.

If you are still unable to run ComboFix, try installing & running HijackThis 2.02.  At least it should give us a better idea of the type of infection:
http://majorgeeks.com/Trend_Micro_HijackThis_d5554.html

Create a folder where you would like the HijackThis file to reside and run it from there, not from the Desktop or a temporary folder.
Run the scan & save the logfile.  Then click the "Attach Code Snippet" box, paste the logfile into the "Code Snippet" page and then it can be analysed.

Another option is to run the 'Stinger', which is a utility that cleans the system of viruses that block anti virus software.
http://vil.nai.com/vil/stinger/
------------------

Author

Commented:
ComboFix log


ComboFix 09-07-14.08 - web 17/07/2009 13:03.1.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.3518.2862 [GMT 1:00]
Running from: c:\documents and settings\web\Desktop\Combo-Fix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * Resident AV is active
 
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\docume~1\web\LOCALS~1\Temp\svchost.exe
c:\windows\Installer\25692fc.msp
c:\windows\Installer\29725.msp
c:\windows\Installer\31b9e615.msi
c:\windows\Installer\443f765.msp
c:\windows\Installer\896c1d.msp
c:\windows\Installer\9f09def.msp
c:\windows\system32\drivers\UACtspimfavbkyccyjjw.sys
c:\windows\system32\UACejdporsufrthmhtyn.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACrxkkieeggrwiwhwpc.dll
c:\windows\system32\UACuwjtxfsvbekvovatj.dat
c:\windows\system32\UACwotlfimhiesngdxpu.dll
c:\windows\system32\UACwpkfukcohdqerjlmo.dll
c:\windows\system32\UACyhtvfruhfinoagvka.db
c:\windows\system32\UACyykaicrhxaeqbqbtr.dll
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Service_UACd.sys
 
 
(((((((((((((((((((((((((   Files Created from 2009-06-17 to 2009-07-17  )))))))))))))))))))))))))))))))
.
 
2009-07-17 10:20 . 2009-07-17 11:32	--------	d-----w-	c:\docume~1\ALLUSE~1\APPLIC~1\NOS
2009-07-17 10:20 . 2009-07-17 11:32	--------	d-----w-	c:\program files\NOS
2009-07-17 09:27 . 2008-06-19 16:24	28544	----a-w-	c:\windows\system32\drivers\pavboot.sys
2009-07-17 09:26 . 2009-07-17 09:26	--------	d-----w-	c:\program files\Panda Security
2009-07-16 12:55 . 2009-07-16 12:55	--------	d-----w-	c:\documents and settings\web\Application Data\ABBYY
2009-07-16 12:38 . 2009-07-16 12:38	--------	d-----w-	c:\program files\Common Files\ABBYY
2009-07-16 12:34 . 2009-07-17 10:42	--------	d-----w-	c:\program files\ABBYY FineReader 9.0
2009-07-16 12:34 . 2009-07-16 13:02	--------	d-----w-	c:\documents and settings\web\Local Settings\Application Data\ABBYY
2009-07-16 12:34 . 2009-07-16 12:57	--------	d-----w-	c:\docume~1\ALLUSE~1\APPLIC~1\ABBYY
2009-07-16 12:29 . 2009-07-16 12:30	--------	d-----w-	c:\temp\FR90PE
2009-07-16 12:23 . 2009-07-16 12:23	67072	----a-w-	c:\windows\system32\drivers\geyekreutpacoi.sys
2009-07-16 10:44 . 2009-07-16 10:44	--------	d-----w-	c:\program files\Investintech.com Inc
2009-07-16 10:38 . 2009-07-16 10:38	--------	d-----w-	c:\program files\BCL Technologies
2009-07-16 10:24 . 2009-07-16 10:24	--------	d-----w-	c:\docume~1\ALLUSE~1\APPLIC~1\A-PDF
2009-07-16 09:48 . 2009-07-16 10:11	--------	d-----w-	c:\program files\VERTX Systems
2009-07-15 15:48 . 2009-07-15 16:25	--------	d-----w-	c:\documents and settings\web\Application Data\SolidDocuments
2009-07-15 15:47 . 2009-01-30 17:51	13568	----a-w-	c:\windows\system32\solidlocalui.dll
2009-07-15 15:47 . 2009-01-30 17:51	21248	----a-w-	c:\windows\system32\solidlocalmon.dll
2009-07-15 15:46 . 2009-07-15 15:46	--------	d-----w-	c:\docume~1\ALLUSE~1\APPLIC~1\SolidDocuments
2009-07-15 15:36 . 2009-07-16 10:27	1024	----a-w-	c:\windows\system32\Image2PDF.dat
2009-07-15 15:36 . 2009-07-16 11:05	--------	d-----w-	c:\program files\Image2PDF OCR v3.2
2009-07-09 09:52 . 2009-07-09 09:52	--------	d-----w-	c:\program files\Traction Software
2009-07-02 10:24 . 2009-07-02 10:24	--------	d-----w-	c:\program files\Microsoft
2009-07-02 09:40 . 2009-07-02 09:40	10134	----a-r-	c:\documents and settings\web\Application Data\Microsoft\Installer\{855E53EB-5E80-43E4-AEDB-DA0CD4734612}\_DD813491A2B470B372CD8E.exe
2009-06-30 15:11 . 2009-06-30 15:11	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\ICS
2009-06-30 15:10 . 2009-07-09 21:07	--------	d-----w-	c:\windows\LMIBDE.tmp
2009-06-30 09:38 . 2009-06-30 09:38	--------	d-----w-	C:\usr
2009-06-26 11:07 . 2008-10-31 14:37	540672	----a-w-	c:\windows\system32\softcoin.dll
2009-06-26 11:07 . 2008-10-31 14:37	360448	----a-w-	c:\windows\system32\gencoin.dll
2009-06-19 16:51 . 2009-06-19 16:51	--------	d-----w-	c:\program files\www.freewordexcelpassword.com
2009-06-19 16:05 . 2009-06-19 16:48	--------	d-----w-	c:\documents and settings\web\Application Data\Intelore
2009-06-18 11:57 . 2009-05-15 08:19	453784	----a-w-	C:\dotNetConfigWizard.zip
2009-06-18 11:06 . 2009-06-18 16:37	--------	d-----w-	C:\_Vadim
2009-06-17 13:13 . 2009-06-17 13:13	10134	----a-r-	c:\documents and settings\web\Application Data\Microsoft\Installer\{D9383241-8535-45CF-93BC-FF826D8C972B}\_C8B671AA92DF53B1F09D7B.exe
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 11:57 . 2007-04-13 16:44	--------	d-----w-	c:\docume~1\ALLUSE~1\APPLIC~1\VMware
2009-07-17 11:57 . 2007-04-18 13:16	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\VMware
2009-07-17 09:13 . 2007-04-11 14:14	--------	d-----w-	c:\program files\Common Files\Adobe
2009-07-17 00:08 . 2008-08-19 09:55	--------	d-----w-	c:\program files\LogMeIn
2009-07-16 13:33 . 2009-07-16 13:35	1555968	----a-w-	c:\windows\Internet Logs\xDB1C.tmp
2009-07-16 12:32 . 2007-04-18 08:29	--------	d-----w-	c:\docume~1\ALLUSE~1\APPLIC~1\Microsoft Help
2009-07-16 12:22 . 2007-04-09 16:02	222976800	--sha-w-	c:\windows\system32\drivers\fidbox.dat
2009-07-16 11:52 . 2008-08-20 15:00	--------	d-----w-	c:\program files\FlashGet
2009-07-14 10:06 . 2007-09-17 16:04	--------	d-----w-	c:\documents and settings\web\Application Data\gr
2009-07-14 08:13 . 2008-04-22 13:58	--------	d---a-w-	c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-14 08:12 . 2007-04-09 16:13	--------	d--h--w-	c:\program files\InstallShield Installation Information
2009-07-10 09:55 . 2007-05-10 11:19	--------	d-----w-	c:\documents and settings\web\Application Data\FileZilla
2009-07-09 21:07 . 2007-04-09 16:02	2678564	--sha-w-	c:\windows\system32\drivers\fidbox.idx
2009-07-02 14:15 . 2007-08-25 08:58	--------	d-----w-	c:\documents and settings\web\Application Data\Apple Computer
2009-06-25 18:08 . 2007-04-16 14:58	--------	d-----w-	c:\documents and settings\web\Application Data\VMware
2009-06-20 09:11 . 2009-06-20 09:13	947200	----a-w-	c:\windows\Internet Logs\xDB1B.tmp
2009-06-18 08:13 . 2008-03-12 13:07	--------	d-----w-	c:\program files\WinSCP
2009-06-17 07:10 . 2007-04-07 11:27	4212	---ha-w-	c:\windows\system32\zllictbl.dat
2009-06-16 14:36 . 2006-02-28 12:00	81920	----a-w-	c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00	119808	----a-w-	c:\windows\system32\t2embed.dll
2009-06-16 07:59 . 2009-06-16 08:02	689152	----a-w-	c:\windows\Internet Logs\xDB1A.tmp
2009-06-03 19:09 . 2006-02-28 12:00	1291264	----a-w-	c:\windows\system32\quartz.dll
2009-06-03 09:11 . 2009-06-03 09:22	2422272	----a-w-	c:\windows\Internet Logs\xDB19.tmp
2009-06-03 08:13 . 2007-04-10 13:48	108208	----a-w-	c:\documents and settings\web\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-02 14:52 . 2007-11-08 09:29	--------	d-----w-	c:\program files\Wasp Bar Code
2009-06-02 10:43 . 2007-07-20 08:08	--------	d-----w-	c:\program files\MSECache
2009-05-20 15:48 . 2009-05-20 15:35	--------	d-----w-	c:\program files\nLite
2009-05-13 10:55 . 2009-05-13 09:52	46304	----a-w-	c:\windows\Fonts\w39hc.ttf
2009-05-07 15:32 . 2006-02-28 12:00	345600	----a-w-	c:\windows\system32\localspl.dll
2009-05-07 13:18 . 1997-01-15 23:00	71680	-c--a-w-	c:\windows\ST5UNST.EXE
2009-05-01 10:41 . 2009-05-01 11:15	292352	-c--a-w-	c:\windows\Internet Logs\xDB18.tmp
2009-04-29 04:56 . 2006-02-28 12:00	827392	----a-w-	c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2006-02-28 12:00	78336	----a-w-	c:\windows\system32\ieencode.dll
2009-04-27 08:12 . 2009-04-27 08:15	456192	-c--a-w-	c:\windows\Internet Logs\xDB16.tmp
2009-04-24 08:43 . 2009-04-24 08:42	80134	----a-w-	c:\windows\Internet Logs\vsmon_2nd_2009_04_24_09_32_24_small.dmp.zip
2009-04-20 08:51 . 2009-04-20 08:57	2867712	-c--a-w-	c:\windows\Internet Logs\xDB15.tmp
2009-06-15 08:07 . 2008-08-12 12:19	134648	----a-w-	c:\program files\mozilla firefox\components\brwsrcmp.dll
.
 
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52	80384	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52	80384	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52	80384	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52	80384	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52	80384	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52	80384	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52	80384	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52	80384	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52	80384	----a-w-	c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8169Diag"="c:\program files\D-Link\Diagnostics Utility\8169Diag" [X]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-03-31 982408]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 08:32	87352	----a-w-	c:\windows\system32\LMIinit.dll
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^web^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\web\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Crystal FTP Pro\\crystalftp.exe"=
"c:\\Program Files\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileZilla Client\\filezilla.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Smartwizard Discovery\\Smartwizard Discovery.exe"=
 
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [17/07/2009 10:27 28544]
R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 PE Licensing Service;c:\program files\Common Files\ABBYY\FineReader\9.00\Licensing\PE\NetworkLicenseServer.exe [27/10/2008 18:03 759072]
R2 LANPkt;Realtek LANPkt Protocol Driver;c:\windows\system32\drivers\LANPkt.sys [08/04/2008 18:56 8399]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [28/02/2008 15:31 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [19/08/2008 10:55 47640]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [27/05/2009 13:38 185640]
S3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [08/04/2008 18:56 11003]
S3 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [03/03/2007 23:12 202096]
S3 MSSQL$GRWEB;SQL Server (GRWEB);c:\program files\Microsoft SQL Server\MSSQL.3\MSSQL\Binn\sqlservr.exe [24/11/2008 23:31 29263712]
S3 RTLVLAN;D-Link VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [08/04/2008 18:56 16384]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;c:\program files\Ufasoft\Sniffer\usft_sn4.sys [11/05/2007 11:26 15760]
S4 Gift Republic Drop Ship Email Service;Gift Republic Drop Ship Email Service;c:\program files\gr\DropShipEmailServiceSetup\DropShipEmailService.exe [06/11/2007 19:13 28672]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [02/12/2006 06:17 2805000]
.
- - - - ORPHANS REMOVED - - - -
 
HKLM-Run-WinSSHD Activation State Checker - c:\program files\Bitvise WinSSHD\WinsshdActStateCheck.exe
 
 
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.giftrepublic.com/
uInternet Settings,ProxyServer = 192.168.5.10:8080
uInternet Settings,ProxyOverride = 192.168.5;<local>
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
TCP: {E02086D1-5152-4A01-960E-6DB3268B6090} = 192.168.1.1
FF - ProfilePath - c:\docume~1\web\APPLIC~1\Mozilla\Firefox\Profiles\hhygrim1.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.giftrepublic.com/
FF - component: c:\documents and settings\web\Application Data\Mozilla\Firefox\Profiles\hhygrim1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\web\Application Data\Mozilla\Firefox\Profiles\hhygrim1.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\web\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.
 
**************************************************************************
 
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-17 13:17
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\msftesql]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:MSSQLSERVER"
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(976)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-07-17 13:21
ComboFix-quarantined-files.txt  2009-07-17 12:21
 
Pre-Run: 42,200,494,080 bytes free
Post-Run: 44,466,880,512 bytes free
 
249	--- E O F ---	2009-07-16 12:32

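A log like the one above is normally read by eye, but the indicators it contains are regular enough to check mechanically. The following Python script is an added example by the editor, not part of this thread and not a ComboFix feature: it splits a ComboFix log into its banner sections and flags what this log shows: the "UAC" + random-letters files in system32 that ComboFix deleted (the naming pattern associated with the TDSS rootkit family of that era), the svchost.exe that lived in a Temp folder, the UACd.sys service, the Security Center AntiVirusOverride value and the disabled Windows Firewall standard profile, plus any kernel driver created within a few days of the date the user says the trouble started, which is listed for review rather than judged. LOG_SAMPLE is a constructed excerpt of the posted log; the rule names, severities and the incident-window heuristic are the example's own.

```python
"""Triage a ComboFix log for the indicators seen in this thread.

Editor's added example: not part of the thread and not a ComboFix feature.
LOG_SAMPLE is a constructed excerpt of the log posted above.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

LOG_SAMPLE = r"""
ComboFix 09-07-14.08 - web 17/07/2009 13:03.1.2 - NTFSx86
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
(((((((((((((((((((((   Other Deletions   )))))))))))))))))))))
c:\docume~1\web\LOCALS~1\Temp\svchost.exe
c:\windows\Installer\25692fc.msp
c:\windows\system32\drivers\UACtspimfavbkyccyjjw.sys
c:\windows\system32\uacinit.dll
c:\windows\system32\UACwotlfimhiesngdxpu.dll
(((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))
-------\Service_UACd.sys
(((((((((((((   Files Created from 2009-06-17 to 2009-07-17  )))))))))))))
2009-07-17 09:27 . 2008-06-19 16:24   28544   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2009-07-16 12:23 . 2009-07-16 12:23   67072   ----a-w-   c:\windows\system32\drivers\geyekreutpacoi.sys
2009-07-15 15:47 . 2009-01-30 17:51   13568   ----a-w-   c:\windows\system32\solidlocalui.dll
(((((((((((((((((((((   Reg Loading Points   )))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")  # "(((  Name  )))" banner lines
# "Files Created" rows: <created> . <modified> <size> <attrs> <path>
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+\s+\S+\s+\S+\s+(.+)$")
# "UAC" + random letters in system32 or system32\drivers: the naming scheme this log shows.
UAC_FILE_RE = re.compile(r"\\windows\\system32\\(?:drivers\\)?uac[a-z]*\.(?:dll|sys|dat|db)$", re.I)
UAC_SERVICE_RE = re.compile(r"service_uac\w*\.sys", re.I)


@dataclass
class Finding:
    severity: str  # "high": infection evidence, "medium": defences tampered, "review": verify by hand
    rule: str
    evidence: str


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the banner that precedes them ("header" before the first)."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def triage(log: str, incident_date: str, window_days: int = 3) -> List[Finding]:
    """Return findings; incident_date (YYYY-MM-DD) is the day the user reports trouble began."""
    sections = split_sections(log)

    def lines(prefix: str) -> List[str]:
        return next((v for k, v in sections.items() if k.startswith(prefix)), [])

    found: List[Finding] = []
    for path in lines("Other Deletions"):
        low = path.lower()
        if UAC_FILE_RE.search(path):
            found.append(Finding("high", "uac-rootkit-file", path))
        elif low.endswith("\\svchost.exe") and not low.endswith("\\windows\\system32\\svchost.exe"):
            found.append(Finding("high", "svchost-outside-system32", path))
    for line in lines("Drivers/Services"):
        if UAC_SERVICE_RE.search(line):
            found.append(Finding("high", "uac-rootkit-service", line))
    for line in lines("Reg Loading Points"):
        compact = line.lower().replace(" ", "")
        if compact.startswith('"antivirusoverride"=dword:00000001'):
            found.append(Finding("medium", "security-center-av-override", line))
        elif compact.startswith('"enablefirewall"=0'):
            found.append(Finding("medium", "windows-firewall-disabled", line))
    # Kernel drivers that appeared close to the incident: not a verdict, just the
    # first things to verify (vendor, signature, hash) before calling the box clean.
    centre = datetime.strptime(incident_date, "%Y-%m-%d")
    lo, hi = centre - timedelta(days=window_days), centre + timedelta(days=window_days)
    for line in lines("Files Created"):
        m = CREATED_RE.match(line)
        if not m:
            continue
        created, path = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), m.group(2)
        if lo <= created <= hi and "\\system32\\drivers\\" in path.lower() and path.lower().endswith(".sys"):
            found.append(Finding("review", "new-kernel-driver-in-window", f"{m.group(1)} {path}"))
    if any("RECOVERY CONSOLE" in line for line in sections["header"]):
        found.append(Finding("review", "no-recovery-console", "Recovery Console not installed (ComboFix warning)"))
    return found


if __name__ == "__main__":
    for f in triage(LOG_SAMPLE, "2009-07-16"):
        print(f"[{f.severity:6}] {f.rule:28} {f.evidence}")
```

On the full log you would call `triage(open(r"C:\ComboFix.txt").read(), "2009-07-16")`. The two "review" drivers illustrate why that tier exists: pavboot.sys was created at 09:27 on the 17th, a minute after the Panda Security folder, so it is the ActiveScan boot driver the user installed that morning and is cleared by hand; geyekreutpacoi.sys, created on the 16th with no vendor folder alongside it, is the one to pull and check. The UAC regex is deliberately narrow to this variant's naming; on a real case you would also run the same pattern over the Find3M section and the scanner detections the user posts (the `\\?\globalroot\systemroot\system32\...` path in the earlier comment is the same file seen through the rootkit's own device path).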

Commented:
Thanks for the Combo log; clearly there have been several deletions of infection (named "Other Deletions")!

Don't worry about the System Restore points: when you are later asked to uninstall ComboFix, it will reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.

Matter of interest, are the error symptoms still the same?

It's going to take quite a while to study this log, but I'll get back to you ...

Commented:
Sorry about the repetition ... seem to have problems of my own :)

Author

Commented:
Hello Jonvee:

Thank you so much for your help.

It seems ComboFix has deleted the files which were causing Adobe and a few other applications to fail.

I can now view PDFs with no problem.

Thanks all for your help.

I think I can now close this question.

Regards
S

Commented:
That's great, but quite honestly I was in the process of composing a script that you can run with ComboFix ...

May I therefore suggest the following ...

I'll still post a script to you in the next three hours, IF YOU WISH ... it's proving difficult because of the many entries to wade through in your Combo logfile.

If I get no reply from you, I'll assume you are content with the result this far.

However, ComboFix should now be uninstalled, IF you need it no more ... just for completion!

You can uninstall ComboFix as follows >
Start > Run > then type "ComboFix /u" (with no quotes, and a space between x and /)
Then hit Enter. This will uninstall ComboFix, reset your clock settings, re-hide system hidden files, re-hide the file extensions and reset System Restore.

Thank you ...

Author

Commented:
Hi Jonvee

I think it got fixed by ComboFix itself. I honestly appreciate your help and efforts, but please do not write any script for now if you have not already done so.

However, when I try to run ComboFix /u it's giving me a "Windows can't find" error message.

When I went to System Restore, it's asking me to restore my computer to an earlier time.

Should I restore to an earlier time?

please advise

thanks

Commented:
>> run ComboFix /u <<
You need to insert a space between x and /

>> should I restore to an earlier time? <<
No, it could undo all our efforts.

But see if you can create a System Restore point >
Start > All Programs > Accessories > System Tools > System Restore

If System Restore appears to be of no use then I suggest you turn it off, then turn it back on again, as explained below. This will eject any virus that may be in the _Restore folder.

Then try again to create a new Restore point. If it doesn't work, the Restore functionality has probably been damaged by the malware/virus.
http://www.pchell.com/virus/systemrestore.shtml

Let me know what you find, and we can hopefully repair the Restore circuit, as explained here >
http://windowsxp.mvps.org/repairsr.htm

Author

Commented:

>> You need to insert a space between x and / <<

Yes, I did give a space earlier; it's not finding it.

>> But see if you can create a System Restore point > <<

Yes, I can, and I have created a new restore point.

Commented:
Good, so your System Restore is probably 'alive and kicking'!

Commented:
With hindsight it would be a good idea to turn it off, then turn it back on again, as explained earlier, just in case there is an infection within the _Restore folder.
It's contained and harmless if that's where it stays, and will eventually get rejected as more Restore points are automatically generated (for MS updates, for example). But if someone forgets within the next month or two and does a "System Restore", out will come the infection! Choice really is yours :)

If you do this, create another Restore point, then occasionally check whether RPs continue to be generated into the future ...
