Old 25-05-2009, 07:06 PM
broni
Senior Member
 
Join Date: Nov 2004
Posts: 2,273
re: [Resolved] random named .exe files in windows/temp

It's better to paste the logs into your reply...

ComboFix 09-05-25.01 - Filip Andronik 25.05.2009 19:32.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.306 [GMT 2:00]
Running from: c:\documents and settings\Filip Andronik\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Filip Andronik\Application Data\wiaserva.log
c:\windows\start.exe
c:\windows\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSDISK
-------\Service_MSDisk


((((((((((((((((((((((((( Files Created from 2009-04-25 to 2009-05-25 )))))))))))))))))))))))))))))))
.

2009-05-25 16:14 . 2009-05-25 16:14 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-05-21 17:14 . 2009-05-21 17:14 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-21 16:48 . 2009-05-22 05:47 117760 ----a-w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-21 16:47 . 2009-05-21 16:47 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-21 16:44 . 2009-05-21 16:44 -------- d-----w c:\program files\CCleaner
2009-05-21 16:42 . 2009-05-21 19:16 117760 ----a-w c:\documents and settings\Filip Andronik\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-05-21 16:41 . 2009-05-21 16:41 -------- d-----w c:\documents and settings\Filip Andronik\Application Data\Malwarebytes
2009-05-21 16:41 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-21 16:41 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-21 16:41 . 2009-05-21 16:41 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-21 16:41 . 2009-05-21 16:41 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-21 16:40 . 2009-05-21 16:40 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-21 16:40 . 2009-05-21 16:40 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-21 16:40 . 2009-05-21 16:40 -------- d-----w c:\documents and settings\Filip Andronik\Application Data\SUPERAntiSpyware.com
2009-05-20 20:39 . 2009-05-20 20:39 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-20 20:39 . 2009-05-20 20:39 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-20 20:33 . 2009-05-20 20:33 -------- d-----w c:\program files\Trend Micro
2009-05-20 18:25 . 2009-05-20 18:25 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Mozilla
2009-05-20 17:19 . 2009-05-20 17:19 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-05-05 17:25 . 2009-05-05 17:25 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-05-02 09:53 . 2009-05-02 09:53 -------- d-----w c:\documents and settings\Filip Andronik\Local Settings\Application Data\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 17:19 . 2007-03-27 07:22 8354 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-05-15 16:05 . 2007-03-26 12:03 41608 ----a-w c:\documents and settings\Filip Andronik\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-19 09:37 . 2009-04-19 09:37 -------- d-----w c:\program files\ESET
2009-04-19 09:37 . 2009-04-19 09:37 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-03-30 17:26 . 2009-03-30 17:25 -------- d-----w c:\program files\Topaz Labs
2009-03-13 17:22 . 2009-03-13 17:22 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-03-13 17:14 . 2009-03-13 17:14 16896 ----a-w c:\windows\system32\OLEACCRC.DLL
2009-03-13 17:14 . 2009-03-13 17:14 163328 ----a-w c:\windows\system32\OLEACC.DLL
2009-03-11 12:32 . 2009-03-11 12:32 6772736 ----a-w c:\windows\system32\tliadjust30.dll
2007-03-26 07:19 . 2007-03-26 07:19 11079 ---h--w c:\program files\folder.htt
2009-01-18 12:00 . 2009-01-16 21:49 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-01-18 12:00 . 2009-01-16 21:49 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-18 12:00 . 2009-01-16 21:49 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-01-18 12:00 . 2009-01-16 21:49 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-01-18 12:00 . 2009-01-16 21:49 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2006-02-23 06:16 . 2007-03-26 14:23 34048 ----a-w c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 06:16 . 2007-03-26 14:23 45056 ----a-w c:\program files\mozilla firefox\plugins\upd62int.dll
2007-03-27 07:22 . 2007-03-27 07:20 56 --sh--r c:\windows\SYSTEM32\B6142D7E3A.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2006-07-13 13:46 8353280 ----a-w c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-31 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"NVRaidService"="c:\windows\System32\nvraidservice.exe" [2004-06-11 83968]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"MULTIMEDIA KEYBOARD"="c:\program files\Keymaestro\Multimedia Keyboard\MMKeybd.exe" [2002-07-29 176128]
"NeroCheck"="c:\windows\system32\NeroCheck.exe " [2001-07-09 155648]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-23 487424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-13 155648]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2005-09-27 2635472]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-3-26 25214]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 10:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"IrMon"=IrMon.exe
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [6.2.2009 14:23 106208]
R1 epfwtdir;epfwtdir;c:\windows\SYSTEM32\DRIVERS\epfwtdir.sys [6.2.2009 14:24 93336]
R1 msikbd2k;Multimedia Keyboard Filter Driver;c:\windows\SYSTEM32\DRIVERS\Msikbd2k.sys [27.3.2007 10:41 6656]
R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [14.5.2009 14:22 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14.5.2009 14:22 72944]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6.2.2009 14:23 727720]
R2 nhksrv;Netropa NHK Server;c:\program files\Keymaestro\Multimedia Keyboard\nhksrv.exe [27.3.2007 10:41 28672]
S3 nmwcdsa;Samsung USB Phone Parent;c:\windows\SYSTEM32\DRIVERS\nmwcdsa.sys [28.11.2008 20:58 135680]
S3 nmwcdsac;Samsung USB Generic;c:\windows\SYSTEM32\DRIVERS\nmwcdsac.sys [28.11.2008 20:58 8320]
S3 nmwcdsacj;Samsung USB Port;c:\windows\SYSTEM32\DRIVERS\nmwcdsacj.sys [28.11.2008 20:58 12288]
S3 nmwcdsacm;Samsung USB Modem;c:\windows\SYSTEM32\DRIVERS\nmwcdsacm.sys [28.11.2008 20:58 12288]
S3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\SYSTEM32\DRIVERS\RMSPPPOE.SYS [30.1.2008 17:10 31424]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [14.5.2009 14:22 7408]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;c:\program files\MSN Messenger\usnsvc.exe [19.1.2007 12:54 97136]
S4 WinSoft Service Controler;WinSoft Service Controler;"c:\windows\system32\drivers\WinMgmt.exe " --> c:\windows\system32\drivers\WinMgmt.exe [?]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-internat.exe - internat.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mLocal Page = c:\windows\SYSTEM\blank.htm
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
TCP: {FD584E62-639B-4B6C-9EC5-8BE8B5936AF0} = 195.222.32.10 195.222.32.20
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Filip Andronik\Application Data\Mozilla\Firefox\Profiles\c1f09r0t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-25 19:37
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(496)
c:\windows\system32\ODBC32.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\SSSensor.dll

- - - - - - - > 'lsass.exe'(552)
c:\windows\System32\dssenh.dll
c:\windows\system32\MSVCIRT.dll

- - - - - - - > 'explorer.exe'(4080)
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\System32\SSSensor.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\NVIDIA CORPORATION\NTUNE\NTUNESERVICE.EXE
c:\program files\SYGATE\SPF\SMC.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\program files\ATI TECHNOLOGIES\ATI.ACE\CLI.EXE
c:\program files\ADOBE\ACROBAT 7.0\ACROBAT\ACROBAT_SL.EXE
c:\program files\KEYMAESTRO\ONSCREEN DISPLAY\OSD.EXE
c:\windows\System32\wbem\unsecapp.exe
c:\program files\ATI TECHNOLOGIES\ATI.ACE\CLI.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-05-25 19:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-25 17:40

Pre-Run: 4.695.597.056 bytes free
Post-Run: 4.636.565.504 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect
