I think my laptop is infected with malware. On startup, a message is displayed:
setting personalized settings:
c:\system\S-1-5-21-1482476501-1644491937-6820
And then explorer.exe displays an error.
Please find below my ComboFix log, in case anyone can help me remove the infected files.
ComboFix 09-04-04.01 - Administrator 2009-04-07 12:09:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1482 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe
.
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.
2009-04-07 10:09 . 2009-04-07 10:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Windows Search
2009-04-06 18:37 . 2009-04-06 18:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-04-06 18:36 . 2009-04-07 10:58 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2009-04-06 18:35 . 2009-04-06 18:35 <DIR> d-------- c:\windows\Sun
2009-04-06 17:53 . 2005-04-13 03:48 49,265 --a------ c:\windows\system32\jpicpl32.cpl
2009-04-06 17:52 . 2009-04-06 17:53 <DIR> d-------- c:\program files\Java
2009-04-06 17:50 . 2009-04-06 17:50 <DIR> d-------- c:\program files\Common Files\Java
2009-04-06 17:43 . 2009-04-06 17:55 <DIR> d-------- c:\program files\Windows Defender
2009-04-06 17:31 . 2009-04-06 17:40 <DIR> d-------- c:\program files\Microsoft AntiSpyware
2009-04-06 17:30 . 2009-04-06 17:30 <DIR> d-------- c:\windows\Downloaded Installations
2009-04-06 17:24 . 2009-04-06 17:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-04-06 15:31 . 2009-04-06 15:31 <DIR> d-------- c:\documents and settings\Administrator.BEYWL028\Application Data\Malwarebytes
2009-04-06 15:22 . 2009-04-06 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-06 15:22 . 2009-04-06 15:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-31 11:11 . 2009-03-31 11:11 45,641 --a------ c:\documents and settings\schicha\dada.exe
2009-03-30 11:56 . 2009-03-30 12:53 45,641 --a------ c:\documents and settings\schicha\update.exe
2009-03-30 11:50 . 2009-03-30 11:52 45,641 --a------ c:\documents and settings\schicha\fdadsa.exe
2009-03-20 16:16 . 2009-03-20 18:02 328 --a------ c:\documents and settings\schicha\DDxDDD.EXE
2009-03-20 15:19 . 2008-02-11 15:00 <DIR> d-------- c:\documents and settings\Administrator.BEYWL028\Application Data\Intel
2009-03-20 15:19 . 2009-03-20 15:19 <DIR> d-------- c:\documents and settings\Administrator.BEYWL028
2009-03-20 15:14 . 2009-03-20 15:14 328 --a------ c:\documents and settings\schicha\DDDDD.EXE
2009-03-16 15:37 . 2009-03-16 15:37 0 --a------ c:\documents and settings\schicha\explorery.exe
2009-03-16 15:21 . 2009-03-16 15:21 0 --a------ c:\documents and settings\schicha\explore.exe
2009-03-16 15:00 . 2009-03-16 15:00 <DIR> dr-hs---- C:\RESTORE
2009-03-16 15:00 . 2009-03-16 15:00 0 --a------ c:\documents and settings\schicha\explorer1.exe
2009-03-13 13:03 . 2009-04-07 12:13 <DIR> dr-hs---- C:\SYSTEM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 11:14 256 ----a-w c:\documents and settings\schicha\pool.bin
2009-03-06 18:28 --------- d-----w c:\program files\Common Files\Adobe
2009-02-27 11:55 --------- d-----w c:\documents and settings\schicha\Application Data\Microsoft Shared
2009-02-27 11:55 --------- d-----w c:\documents and settings\schicha\Application Data\Microsoft Office
2009-02-27 11:55 --------- d-----w c:\documents and settings\All Users\Application Data\Applications
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-09-26 07:49 6 ----a-w c:\documents and settings\schicha\Application Data\Web MeetingDocConv.dat
2008-10-26 16:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102620081027\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-04-23 5723656]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-01 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\stsystra.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]
c:\documents and settings\schicha\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2008-04-11 153352]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
iBurst_Modem UTL.lnk - c:\program files\iBurst\iBurst_UTL.EXE [2008-07-13 311296]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2008-02-26 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2008-02-11 15:48:23 13560]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper;c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe [2008-08-14 64888]
R2 TestTuner;Test-Tuner;c:\program files\marimba\tuner\Tuner.exe [2005-10-06 32871]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-12-01 23888]
S3 iBcT0201;iBurst Modem Type02-01;c:\windows\system32\drivers\iBcT0201.sys [2008-07-13 37907]
S3 iBurst;iBurst Modem;c:\windows\system32\drivers\iBurst.sys [2008-07-13 36957]
S3 iBurstu;iBurst Terminal;c:\windows\system32\DRIVERS\iBurstu.sys --> c:\windows\system32\DRIVERS\iBurstu.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D157322}]
c:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}]
c:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Easy SpyRemover - c:\program files\Easy SpyRemover\EasySpyRemover.exe
HKLM-Run-virx - meme.exe
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
.
------- Supplementary Scan -------
.
uStart Page = hxxp://pepsicopvt.corp.pep.pvt/eportal/site/pepsicopvt/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://pbsg.on.intercall.com/confmgr/i ... nstall.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxp://magic.mea.pi.pvt/SCRsde/Reports/ ... viewer.cab
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 12:14:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
Completion time: 2009-04-07 12:15:35
ComboFix-quarantined-files.txt 2009-04-07 09:15:32
Pre-Run: 52,470,050,816 bytes free
Post-Run: 53,648,355,328 bytes free
148 --- E O F --- 2009-03-13 16:08:36
Thanks