Malware-gen !!! how to remove ?
sumit (New Member, joined May 2008, total posts: 1) Posted 5-25-2008 8:46 (GMT +2)

Hi there, my log file contains the following:

ComboFix 08-05-24.1 - sumit 2008-05-25 23:54:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT 5.5:30]
Running from: C:\Documents and Settings\sumit\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.
2008-05-25 22:34 . 2008-05-25 22:34 <DIR> d-------- C:\Program Files\PrevxCSI
2008-05-25 22:34 . 2008-05-25 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-25 22:34 . 2008-05-25 22:34 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-05-21 22:31 . 2008-05-21 22:34 <DIR> d-------- C:\CAESAR
2008-05-21 22:24 . 2005-03-17 13:19 67,936 --a------ C:\WINDOWS\system32\drivers\HL_MULL.SYS
2008-05-21 22:24 . 2005-03-17 13:19 57,344 --a------ C:\WINDOWS\system32\drivers\WDREG.EXE
2008-05-21 22:17 . 2001-08-17 20:43 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-05-21 22:17 . 2008-05-21 22:17 2,673 --a------ C:\WINDOWS\system32\config.hsp
2008-05-12 21:42 . 2008-05-12 23:40 <DIR> d-------- C:\Program Files\nLite
2008-05-09 22:44 . 2008-05-09 22:46 <DIR> d-------- C:\WINDOWS\NV34763480.TMP
2008-05-07 22:34 . 2008-05-07 22:34 <DIR> d-------- C:\Program Files\NovaLogic
2008-05-07 22:27 . 2008-05-07 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-05-07 22:23 . 2008-05-25 23:29 73,296 --a------ C:\WINDOWS\system32\nvapps.xml
2008-05-07 22:22 . 2008-05-09 22:46 <DIR> d-------- C:\WINDOWS\nview
2008-05-07 22:22 . 2008-05-07 22:26 <DIR> d-------- C:\WINDOWS\NV18362304.TMP
2008-05-07 22:18 . 2008-05-07 22:21 <DIR> d-------- C:\WINDOWS\NV12283220.TMP
2008-04-26 12:51 . 2008-04-26 12:51 11,394 -rahs---- C:\WINDOWS\system32\VirusRemoval.vbs
2008-04-26 12:27 . 2008-04-26 12:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 05:53 --------- d-----w C:\Documents and Settings\sumit\Application Data\Broadband
2008-05-07 17:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-07 17:14 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-16 16:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-16 16:58 --------- d-----w C:\Program Files\DART Karaoke Studio CDG
2008-04-14 15:25 --------- d-----w C:\Program Files\Clash N Slash
2008-04-13 17:21 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-04-13 17:19 --------- d-----w C:\Program Files\Avanquest update
2008-04-13 17:19 --------- d-----w C:\Documents and Settings\sumit\Application Data\InstallShield
2008-03-29 06:30 --------- d-----w C:\Program Files\EphPod
2008-03-22 12:34 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-03-08 16:18 54,840 ----a-w C:\Documents and Settings\sumit\Application Data\GDIPFONTCACHEV1.DAT
2008-02-28 16:37 92,064 ----a-w C:\Documents and Settings\sumit\mqdmmdm.sys
2008-02-28 16:37 9,232 ----a-w C:\Documents and Settings\sumit\mqdmmdfl.sys
2008-02-28 16:37 79,328 ----a-w C:\Documents and Settings\sumit\mqdmserd.sys
2008-02-28 16:37 66,656 ----a-w C:\Documents and Settings\sumit\mqdmbus.sys
2008-02-28 16:37 6,208 ----a-w C:\Documents and Settings\sumit\mqdmcmnt.sys
2008-02-28 16:37 5,936 ----a-w C:\Documents and Settings\sumit\mqdmwhnt.sys
2008-02-28 16:37 4,048 ----a-w C:\Documents and Settings\sumit\mqdmcr.sys
2008-02-28 16:37 25,600 ----a-w C:\Documents and Settings\sumit\usbsermptxp.sys
2008-02-28 16:37 22,768 ----a-w C:\Documents and Settings\sumit\usbsermpt.sys
2007-10-11 10:35 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-27 18:12 16,384 --sha-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
2007-08-27 18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2007-08-27 18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012007082720070828\index.dat
2007-08-27 18:12 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:26 15360]
"SifyBB"="C:\Program Files\Sify Broadband\BBImpSec.exe" [2006-04-21 20:04 127085]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-04-15 23:25 1694208]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2006-10-24 16:10 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 04:49 79224]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe" [2004-12-06 21:31 36975]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 06:41 925696]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-22 18:20 53248]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 16:30 249856]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-13 10:49 7626752]
"nwiz"="nwiz.exe" [2006-07-13 10:49 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-07-13 10:49 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="regsvr32 /s /n /i:u shell32" []

C:\Documents and Settings\sumit\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-03-19 20:44:26 344064]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=C:\WINDOWS\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^sumit^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\sumit\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 13:49 153136 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 05:26 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2007-04-16 02:52 61952 C:\WINDOWS\system32\HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 16:30 249856 c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 16:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2007-04-15 23:25 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 18:53 153136 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-07-13 10:49 7626752 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-07-13 10:49 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-07-13 10:49 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SifyBB]
--a------ 2006-04-21 20:04 127085 C:\Program Files\Sify Broadband\BBImpSec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a------ 2005-09-07 15:35 716800 C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2005-05-20 06:41 925696 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-05-25 22:34]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 04:50]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 04:46]
R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\prevxcsi.exe" /service []
R2 hl_mull;hl_mull;C:\WINDOWS\system32\drivers\hl_mull.SYS [2005-03-17 13:19]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\DRIVERS\RMSPPPOE.SYS [2000-01-08 04:20]
S3 CENIXFMC;Cenix Digicom Digital Voice Recorder Service;C:\WINDOWS\system32\Drivers\CENIXFMC.sys [2002-10-07 13:22]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{080a8d56-83cb-11dc-9d38-0017318fcfec}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cac9cd0-7675-11dc-bd07-0017318fcfec}]
\Shell\Auto\command - J:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65e06600-13bb-11dd-9e53-0017318fcfec}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ccfd5649-a9a5-11dc-9d97-0017318fcfec}]
\Shell\Auto\command - J:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6b88924-72f1-11dc-bcf4-0017318fcfec}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs

*Newly Created Service* - CATCHME
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 23:55:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-25 23:56:10
ComboFix-quarantined-files.txt 2008-05-25 18:26:06
ComboFix2.txt 2008-05-25 17:52:51
Pre-Run: 7,080,239,104 bytes free
Post-Run: 7,812,173,824 bytes free

Now what do I do next?
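The items in a ComboFix log that a helper reads first are the per-drive MountPoints2 autorun commands, files created with the hidden and system attributes set, and the firewall policy. The script below is an added triage example written for this page; it is not part of the original post, of ComboFix, or of any removal tool, and the sample input is a handful of lines copied from the log above (the MountPoints2 keys that run `wscript.exe VirusRemoval.vbs` and `MicrosoftPowerPoint.exe` from the drive root, the `-rahs----` file `C:\WINDOWS\system32\VirusRemoval.vbs`, and `"EnableFirewall"= 0`). The `Finding` type, the function names and the category labels are this example's own choices.

```python
"""Triage helper for ComboFix log lines (added example, not from the post).

It flags three kinds of indicator that are visible in the log above:
  * AutoRun / open / Auto commands registered under Explorer's MountPoints2
    key, i.e. what runs when a removable drive is double-clicked;
  * files (not directories) created with both the hidden and system attributes;
  * "EnableFirewall"= 0 under the Windows Firewall policy key.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2008-05-25 22:34 . 2008-05-25 22:34 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-04-26 12:51 . 2008-04-26 12:51 11,394 -rahs---- C:\WINDOWS\system32\VirusRemoval.vbs
2007-10-11 10:35 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{080a8d56-83cb-11dc-9d38-0017318fcfec}]
\Shell\AutoRun\command - wscript.exe VirusRemoval.vbs
\Shell\open\Command - wscript.exe VirusRemoval.vbs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cac9cd0-7675-11dc-bd07-0017318fcfec}]
\Shell\Auto\command - J:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str        # category label chosen for this example
    detail: str      # path, command or value that triggered the finding
    key: str = ""    # registry key the line was listed under, if any


# "Files Created" lines carry two timestamps, "Find3M" lines only one;
# size is <DIR>, a comma-grouped number, or dashes; attrs is the DOS attribute string.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r" (?P<size><DIR>|[\d,]+|-+)"
    r" (?P<attrs>[-a-z]{7,9})"
    r" (?P<path>.+)$"
)
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
SHELL_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+)$", re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def triage(log_text):
    """Return the list of Findings for the given ComboFix log text."""
    findings = []
    current_key = ""  # most recent [HK...] section header seen
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # hidden + system on a plain file is how VirusRemoval.vbs shows up above
            if m.group("size") != "<DIR>" and "h" in attrs and "s" in attrs:
                findings.append(Finding("hidden+system file", path))
            continue
        m = SHELL_RE.match(line)
        if m and "mountpoints2" in current_key.lower():
            cmd = m.group("cmd")
            kind = ("drive autorun via script host"
                    if cmd.lower().startswith(SCRIPT_HOSTS)
                    else "drive autorun command")
            findings.append(Finding(kind, cmd, current_key))
            continue
        if FIREWALL_OFF_RE.match(line) and "firewallpolicy" in current_key.lower():
            findings.append(Finding("Windows Firewall disabled", line, current_key))
    return findings


def autorun_keys(findings):
    """Sorted MountPoints2 keys that carry an autorun command (one per drive GUID)."""
    return sorted({f.key for f in findings if f.kind.startswith("drive autorun")})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.detail}" + (f"   [{f.key}]" if f.key else ""))
```

The hidden+system check is a heuristic, not a verdict: the `index.dat` entries in the Find3M section above also carry `--sha-w` and are ordinary Internet Explorer files, so a flagged path still needs to be judged by where it lives and what references it. The MountPoints2 keys, by contrast, are worth listing in full, because each GUID is a drive that was plugged in and any command stored there runs the next time that drive is opened.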