#16
January 10th, 2008, 04:11 PM
jtracker, New Member (Join Date: Jan 2008, Posts: 16)
Combofix log.


ComboFix 08-01-07.5 - Jeanine 2008-01-10 8:36:26.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.100 [GMT -5:00]
Running from: C:\Documents and Settings\Jeanine\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jeanine\Desktop\CFScript
* Created a new restore point

FILE
C:\Program Files\Ciy1.exe
C:\Program Files\Ed1.exe
C:\Program Files\Jxw1.exe
C:\Program Files\Lgr1.exe
C:\Program Files\Lrx1.exe
C:\Program Files\Qjo1.exe
C:\Program Files\Ted31.exe
C:\Program Files\Tln1.exe
C:\Program Files\Xre1.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Ciy1.exe
C:\Program Files\Ed1.exe
C:\Program Files\Jxw1.exe
C:\Program Files\Lgr1.exe
C:\Program Files\Lrx1.exe
C:\Program Files\Qjo1.exe
C:\Program Files\Ted31.exe
C:\Program Files\Tln1.exe
C:\Program Files\Xre1.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-08 08:40 . 2008-01-08 08:40 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-01-08 08:40 . 2008-01-08 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-07 13:17 . 2000-08-31 08:00 51,200 --a------ C:\WINNT\NirCmd.exe
2008-01-07 12:53 . 2008-01-07 12:53 <DIR> d-------- C:\WINNT\ERUNT
2008-01-07 12:27 . 2008-01-07 12:27 72 --a------ C:\Documents and Settings\Jeanine\servstop.bat
2008-01-02 11:14 . 2008-01-02 11:50 <DIR> d-------- C:\Documents and Settings\Jeanine\Contacts
2008-01-02 11:14 . 2008-01-02 11:14 268 --ah----- C:\sqmdata00.sqm
2008-01-02 11:14 . 2008-01-02 11:14 244 --ah----- C:\sqmnoopt00.sqm
2008-01-02 09:52 . 2008-01-02 10:19 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-02 09:50 . 2008-01-02 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-30 22:23 . 2004-05-14 16:53 462,848 --a------ C:\WINNT\system32\ltkrn13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 450,560 --a------ C:\WINNT\system32\ltimg13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 401,408 --a------ C:\WINNT\system32\lfcmp13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 299,008 --a------ C:\WINNT\system32\ltdis13n.dll
2007-12-30 22:23 . 2004-01-12 02:09 206,336 --a------ C:\WINNT\system32\ltefx13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 163,840 --a------ C:\WINNT\system32\ltfil13n.dll
2007-12-30 22:23 . 2003-11-04 15:11 159,744 --a------ C:\WINNT\system32\lfpng13n.dll
2007-12-30 22:23 . 2003-11-04 15:10 69,632 --a------ C:\WINNT\system32\lfgif13n.dll
2007-12-30 22:23 . 2004-05-14 16:53 57,344 --a------ C:\WINNT\system32\lfbmp13n.dll
2007-12-30 18:05 . 2007-12-30 18:06 <DIR> d-------- C:\Documents and Settings\Jeanine\Application Data\Snapfish
2007-12-28 14:01 . 2007-12-28 14:01 <DIR> d-------- C:\Documents and Settings\Jeanine\Application Data\Ulead Systems
2007-12-28 13:15 . 2007-12-28 13:15 <DIR> d-------- C:\Program Files\Nova Development
2007-12-28 13:13 . 2007-12-28 13:39 <DIR> d-------- C:\Program Files\Web Publish
2007-12-25 14:35 . 2007-12-25 14:49 <DIR> d-------- C:\Program Files\Photo Viewer
2007-12-24 20:09 . 2007-10-10 18:55 6,065,664 --------- C:\WINNT\system32\dllcache\ieframe.dll
2007-12-24 20:09 . 2007-06-30 22:31 2,455,488 --------- C:\WINNT\system32\dllcache\ieapfltr.dat
2007-12-24 20:09 . 2007-06-30 22:36 991,232 --------- C:\WINNT\system32\dllcache\ieframe.dll.mui
2007-12-24 20:09 . 2007-10-10 18:55 459,264 --------- C:\WINNT\system32\dllcache\msfeeds.dll
2007-12-24 20:09 . 2007-10-10 18:55 383,488 --------- C:\WINNT\system32\dllcache\ieapfltr.dll
2007-12-24 20:09 . 2007-10-10 18:55 267,776 --------- C:\WINNT\system32\dllcache\iertutil.dll
2007-12-24 20:09 . 2007-10-10 18:55 63,488 --------- C:\WINNT\system32\dllcache\icardie.dll
2007-12-24 20:09 . 2007-10-10 18:55 52,224 --------- C:\WINNT\system32\dllcache\msfeedsbs.dll
2007-12-24 20:09 . 2007-10-10 05:59 13,824 --------- C:\WINNT\system32\dllcache\ieudinit.exe
2007-12-24 19:56 . 2007-08-13 18:54 33,792 --a------ C:\WINNT\system32\dllcache\custsat.dll
2007-12-24 11:42 . 2006-08-21 04:14 128,896 --------- C:\WINNT\system32\dllcache\fltmgr.sys
2007-12-24 11:42 . 2006-08-21 04:14 23,040 --------- C:\WINNT\system32\dllcache\fltmc.exe
2007-12-24 11:42 . 2006-08-21 07:21 16,896 --------- C:\WINNT\system32\dllcache\fltlib.dll
2007-12-23 14:48 . 2007-07-09 08:09 584,192 --------- C:\WINNT\system32\dllcache\rpcrt4.dll
2007-12-23 13:10 . 2007-12-25 08:46 <DIR> d--h----- C:\WINNT\$hf_mig$
2007-12-22 16:38 . 2006-10-19 04:42 303,616 -ra------ C:\WINNT\system32\drivers\BLKWGNv7.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 13:22 --------- d-----w C:\Program Files\Greetings Workshop
2008-01-09 13:37 --------- d-----w C:\Program Files\PhoneTools
2008-01-09 13:36 --------- d-----w C:\Program Files\Microsoft Picture It! 9
2008-01-09 13:35 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-19 00:15 --------- d-----w C:\Documents and Settings\Jeanine\Application Data\Wal-Mart Digital Photo Viewer
2007-11-13 10:25 20,480 ----a-w C:\WINNT\system32\drivers\secdrv.sys
2007-10-31 10:12 3,590,656 ------w C:\WINNT\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINNT\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINNT\system32\dllcache\quartz.dll
2007-10-27 22:39 230,912 ----a-w C:\WINNT\system32\wmasf.dll
2007-10-27 22:39 230,912 ------w C:\WINNT\system32\dllcache\wmasf.dll
2007-10-27 22:37 2,109,440 ------w C:\WINNT\system32\dllcache\wmvcore.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINNT\system32\dllcache\shell32.dll
2007-10-11 06:13 474,112 ------w C:\WINNT\system32\dllcache\shlwapi.dll
2007-10-11 06:13 151,040 ------w C:\WINNT\system32\dllcache\cdfview.dll
2007-10-11 06:13 1,494,528 ------w C:\WINNT\system32\dllcache\shdocvw.dll
2007-10-11 06:13 1,054,208 ------w C:\WINNT\system32\dllcache\danim.dll
2007-10-11 06:13 1,023,488 ------w C:\WINNT\system32\dllcache\browseui.dll
2007-10-10 23:56 824,832 ------w C:\WINNT\system32\dllcache\wininet.dll
2007-10-10 23:56 232,960 ------w C:\WINNT\system32\dllcache\webcheck.dll
2007-10-10 23:56 1,159,680 ------w C:\WINNT\system32\dllcache\urlmon.dll
2007-10-10 23:55 671,232 ------w C:\WINNT\system32\dllcache\mstime.dll
2007-10-10 23:55 478,208 ------w C:\WINNT\system32\dllcache\mshtmled.dll
2007-10-10 23:55 44,544 ------w C:\WINNT\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINNT\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 27,648 ------w C:\WINNT\system32\dllcache\jsproxy.dll
2007-10-10 23:55 230,400 ------w C:\WINNT\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINNT\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINNT\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINNT\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINNT\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINNT\system32\dllcache\advpack.dll
2007-10-10 23:55 105,984 ------w C:\WINNT\system32\dllcache\url.dll
2007-10-10 23:55 102,400 ------w C:\WINNT\system32\dllcache\occache.dll
2007-10-10 10:59 70,656 ------w C:\WINNT\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINNT\system32\dllcache\iexplore.exe
2007-10-10 05:46 161,792 ------w C:\WINNT\system32\dllcache\ieakui.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-07_13.22.10.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2001-09-30 19:50 4608 C:\WINNT\system32\carpserv.exe]
"S3TRAY2"="S3tray2.exe" [2001-10-12 13:32 69632 C:\WINNT\system32\S3tray2.exe]
"Multi-function Keyboard"="GWHotKey.exe" [2001-08-28 12:13 98361 C:\WINNT\GWHotKey.exe]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2001-08-09 18:21 118784]
"1AEIWLRAD.EXE"="AEIWLRAD.EXE" [2001-12-06 17:03 24576 C:\WINNT\system32\AEIWLRAD.EXE]
"HPDJ Taskbar Utility"="C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-08 14:59 196608]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 06:32 50688]
"CapFax"="C:\Program Files\PhoneTools\CapFax.EXE" [2001-11-07 13:25 20480]

C:\Documents and Settings\Jeanine\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - C:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-03 23:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Photo Loader supervisory.lnk - C:\Program Files\CASIO\Photo Loader\Plauto.exe [2004-04-21 06:07:09]

R2 Aeiwsvc;Aeiwsvc;C:\WINNT\system32\AEIWLSVC.EXE [2001-11-06 12:00]
R3 AEIWLBRG;AEIWLBRG;C:\WINNT\System32\aeiwlbrg.sys [2001-11-06 11:59]
R3 Belkin701F;Belkin Wireless G Notebook Card Service v7;C:\WINNT\system32\DRIVERS\BLKWGNv7.sys [2006-10-19 04:42]
R3 ViaModem;ViaModem;C:\WINNT\system32\DRIVERS\ViaModem.sys [2001-11-13 19:14]
S3 AEIWL;Actiontec PRISM Wireless LAN USB Driver;C:\WINNT\system32\DRIVERS\AEIWLUSB.sys [2001-12-14 10:24]
S3 ati2mpaa;ati2mpaa;C:\WINNT\system32\DRIVERS\ati2mpaa.sys [2001-08-17 13:48]
S3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys [2004-08-04 00:29]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [2004-08-04 01:01]

.
Contents of the 'Scheduled Tasks' folder
"2002-05-13 09:48:02 C:\WINNT\Tasks\ISP signup reminder 1.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2002-05-13 09:48:03 C:\WINNT\Tasks\ISP signup reminder 2.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
"2002-05-13 09:48:03 C:\WINNT\Tasks\ISP signup reminder 3.job"
- C:\WINNT\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 08:39:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-10 8:40:40
ComboFix-quarantined-files.txt 2008-01-10 13:40:21
ComboFix2.txt 2008-01-09 14:01:01
ComboFix3.txt 2008-01-07 18:23:09
.
2007-12-25 14:12:38 --- E O F ---
#17
January 10th, 2008, 05:15 PM
Jintan, Cyber Tech Help Moderator (Join Date: Dec 2004, Posts: 52,284)
Good - post the Panda log when ready.
#18
January 10th, 2008, 05:24 PM
jtracker, New Member (Join Date: Jan 2008, Posts: 16)
Ya, it's coming. It's taking a while though.
#19
January 10th, 2008, 05:55 PM
jtracker, New Member (Join Date: Jan 2008, Posts: 16)
Panda log.



Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Jeanine\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Jeanine\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeanine\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Possible Virus. Not disinfected C:\Program Files\Common Files\aolshare\Coach\Player\AolNySEV.exe
Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{5C25849B-58DA-498F-BF0A-89B607971821}\Setup.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\SDFix\apps\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\NirCmd.exe
==========================================================

Hijackthis log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:24 AM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\S3tray2.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\system32\AEIWLSVC.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINNT\system32\AEIWLRAD.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\system32\ctfmon.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Jeanine\Desktop\hijack\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=2839
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [1AEIWLRAD.EXE] AEIWLRAD.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1192369178635
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1192370888187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Aeiwsvc - Unknown owner - C:\WINNT\system32\AEIWLSVC.EXE
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)

--
End of file - 5164 bytes

Things seem to be going faster.
#20
January 10th, 2008, 11:47 PM
Jintan, Cyber Tech Help Moderator (Join Date: Dec 2004, Posts: 52,284)
Looks good. Mistaken identity on some tools we use (pretty common) and two files it says are suspect:

This AOL file I see in searches as being picked up in other scans and identified as possible malware due to some functions it does, so it should be okay:

C:\Program Files\Common Files\aolshare\Coach\Player\AolNySEV.exe

And an unknown setup file, again probably alerted due to functions it does.

C:\Program Files\InstallShield Installation Information\{5C25849B-58DA-498F-BF0A-89B607971821}\Setup.exe

If you navigate to that, right click, select Properties, see if you can locate the vendor info on it. If none, and you do not recognize it, then Go to this SITE. Click on the Browse button, and navigate to that file, upload and "Send" it. Copy the results with the notepad and copy/paste them back here please.

And before we do some cleanup there let me know how the system is running now.
#21
January 14th, 2008, 03:42 PM
jtracker, New Member (Join Date: Jan 2008, Posts: 16)
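The triage the moderator performs above (treating the NirCmd and Process.exe hits as the known helper components that ComboFix and SDFix carry, and keeping only the two "Possible Virus." files for a second opinion) can be written down as a small parser. The script below is an added example, not part of the thread and not Panda's software; its sample report is constructed to mirror the lines posted above, and the allow-list of tool components, the verdict names and the status keywords it recognises are this example's own assumptions.

```python
"""Triage helper for on-demand scanner report lines (added example).

Parses lines in the 'Incident  Status  Location' format and separates hits
that live inside known removal-tool packages (ComboFix's bundled NirCmd,
SDFix's Process.exe) from hits on ordinary files that still need review.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled line for line on the report posted in the thread.
SAMPLE_REPORT = r"""
Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Jeanine\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jeanine\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Possible Virus. Not disinfected C:\Program Files\Common Files\aolshare\Coach\Player\AolNySEV.exe
Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{5C25849B-58DA-498F-BF0A-89B607971821}\Setup.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\SDFix\apps\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINNT\NirCmd.exe
"""


@dataclass
class Finding:
    detection: str   # scanner's label, e.g. "Possible Virus."
    status: str      # what the scanner did, e.g. "Not disinfected"
    path: str        # file on disk (the container when the hit is inside an archive)
    member: str      # entry inside the container, "" for a plain file
    verdict: str     # "expected-tool-component" or "needs-review" (assumed names)


# Status keywords are an assumption for this example; only the first appears in the thread.
LINE_RE = re.compile(
    r"^(?P<detection>.+?)\s+(?P<status>Not disinfected|Disinfected|Deleted|Renamed)\s+(?P<location>.+)$"
)
LOCATION_RE = re.compile(r"^(?P<path>[^\[]+?)(?:\[(?P<member>[^\]]+)\])?$")

# Helper binaries shipped inside removal tools; scanners tag them "potentially
# unwanted" because they kill processes or run commands, which is exactly what a
# removal tool needs. Assumed allow-list for this example.
TOOL_COMPONENTS = {"nircmd.exe", "nircmd.cfexe", "process.exe"}
TOOL_CONTAINERS = {"combofix.exe", "sdfix.exe"}
TOOL_DIRS = ("\\sdfix\\", "\\combofix\\")


def file_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(detection: str, path: str, member: str) -> str:
    """Only a PUP label on a known tool helper, found where the tool put it, is expected."""
    if not detection.startswith("Potentially unwanted tool:"):
        return "needs-review"
    target = file_name(member or path)
    placed_by_tool = (
        file_name(path) in TOOL_CONTAINERS              # packed inside ComboFix.exe / SDFix.exe
        or any(d in path.lower() for d in TOOL_DIRS)    # extracted under the tool's own folder
        or file_name(path) in TOOL_COMPONENTS           # dropped as a standalone helper
    )
    if target in TOOL_COMPONENTS and placed_by_tool:
        return "expected-tool-component"
    return "needs-review"


def parse_report(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank lines, separators
        loc = LOCATION_RE.match(m["location"])
        path, member = loc["path"], loc["member"] or ""
        findings.append(Finding(m["detection"], m["status"], path, member,
                                classify(m["detection"], path, member)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


def review_queue(findings: list[Finding]) -> list[str]:
    """Paths worth a multi-engine second opinion, in report order."""
    return [f.path for f in findings if f.verdict == "needs-review"]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found))
    for p in review_queue(found):
        print("review:", p)
```

The allow-list is deliberately narrow: a NirCmd binary is only waved through when it sits inside the removal tool's package, under its folder, or as the standalone helper the tool drops, so the same scanner label on a copy somewhere else would still land in the review queue.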
Well, the computer seems to be running better than before.


Antivirus Version Last Update Result
AhnLab-V3 2008.1.14.10 2008.01.14 -
AntiVir 7.6.0.46 2008.01.14 -
Authentium 4.93.8 2008.01.13 -
Avast 4.7.1098.0 2008.01.14 -
AVG 7.5.0.516 2008.01.13 -
BitDefender 7.2 2008.01.14 -
CAT-QuickHeal 9.00 2008.01.12 -
ClamAV 0.91.2 2008.01.13 -
DrWeb 4.44.0.09170 2008.01.14 -
eSafe 7.0.15.0 2008.01.13 -
eTrust-Vet 31.3.5456 2008.01.14 -
Ewido 4.0 2008.01.14 -
FileAdvisor 1 2008.01.14 -
Fortinet 3.14.0.0 2008.01.14 -
F-Prot 4.4.2.54 2008.01.13 -
F-Secure 6.70.13030.0 2008.01.14 -
Ikarus T3.1.1.20 2008.01.14 -
Kaspersky 7.0.0.125 2008.01.14 -
McAfee 5205 2008.01.11 -
Microsoft 1.3109 2008.01.14 -
NOD32v2 2789 2008.01.14 -
Norman 5.80.02 2008.01.14 -
Panda 9.0.0.4 2008.01.13 -
Prevx1 V2 2008.01.14 -
Rising 20.27.02.00 2008.01.14 -
Sophos 4.24.0 2008.01.14 -
Sunbelt 2.2.907.0 2008.01.12 -
TheHacker 6.2.9.187 2008.01.13 -
VBA32 3.12.2.5 2008.01.13 -
VirusBuster 4.3.26:9 2008.01.13 -
Webwasher-Gateway 6.0.1 2008.01.14 Win32.Malware.gen!88 (suspicious)
Additional information
File size: 170499 bytes
MD5: ff7739c73bab3353d0bb6180d89b5fee
SHA1: 190158dc711d44467cf5f5fad3689d8989c0b80f
PEiD: -
#22
January 14th, 2008, 06:28 PM
Jintan, Cyber Tech Help Moderator (Join Date: Dec 2004, Posts: 52,284)
Hmmm - at least one suggestion that one is bad. Let's check it then - go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.

C:\Program Files\InstallShield Installation Information\{5C25849B-58DA-498F-BF0A-89B607971821}\Setup.exe

You DO NOT need to be a member to upload, anybody can upload the files.

In the meantime go ahead and rename it, by adding ".old" to the end (Setup.exe.old). That will keep it idle until we are sure.
#23
January 15th, 2008, 10:02 PM
jtracker, New Member (Join Date: Jan 2008, Posts: 16)
Ok I did the above.
#24
January 15th, 2008, 11:39 PM
Jintan, Cyber Tech Help Moderator (Join Date: Dec 2004, Posts: 52,284)
I received the file, thanks. Overall it appears to be a generic InstallShield (R) Setup Launcher, though the last Virus Total scan engine, which is one that does well in identifying malware, found something in it that it considered potentially malicious. As an installer whatever function it performed is likely completed, so for now you can just leave the original with the added ".old" extension, and after a few weeks delete that if you wish.


If the system is running well now, we just need to clean up what we brought there. Both Panda and Kaspersky uninstall through Add/Remove Programs if you do not plan to use them in the near future. Also delete any files/folders/logs we created there. To have ComboFix remove its files/folders and undo some changes it made, go to Start - Run, type the following, then select OK:

ComboFix /u

Then it is a good idea to reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, check the box that says "Turn off System Restore on all drives" and click Apply.

You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.
#25
January 17th, 2008, 02:30 PM
jtracker, New Member (Join Date: Jan 2008, Posts: 16)
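The reading of the multi-engine results in posts #22 and #24 (one engine out of many, with a generic "gen"/"suspicious" name, is a weak signal: rename the file to keep it idle and hold on to the hashes so it can be re-checked later rather than deleted outright) can be made mechanical. The script below is an added example, not part of the thread and not code from any scanning service; it parses an "Antivirus Version Last Update Result" table in the layout posted in #21, using a constructed sample of ten of those rows plus the hash block. The verdict thresholds and the list of "generic" name markers are assumptions made for this example.

```python
"""Multi-engine consensus reader (added example).

Turns rows of 'engine version date result' into a detection count and a
coarse verdict, and keeps the file hashes so the sample can be re-queried.
"""
import re
from dataclasses import dataclass

# Constructed sample: ten engine rows from the posted table plus the hash block.
SAMPLE_TABLE = """\
Antivirus Version Last Update Result
AntiVir 7.6.0.46 2008.01.14 -
Avast 4.7.1098.0 2008.01.14 -
BitDefender 7.2 2008.01.14 -
ClamAV 0.91.2 2008.01.13 -
F-Secure 6.70.13030.0 2008.01.14 -
Kaspersky 7.0.0.125 2008.01.14 -
McAfee 5205 2008.01.11 -
NOD32v2 2789 2008.01.14 -
Sophos 4.24.0 2008.01.14 -
Webwasher-Gateway 6.0.1 2008.01.14 Win32.Malware.gen!88 (suspicious)
Additional information
File size: 170499 bytes
MD5: ff7739c73bab3353d0bb6180d89b5fee
SHA1: 190158dc711d44467cf5f5fad3689d8989c0b80f
"""


@dataclass
class EngineRow:
    engine: str
    version: str
    updated: str
    result: str          # "-" means the engine reported nothing

    @property
    def detected(self) -> bool:
        return self.result != "-"


ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256):\s*(?P<hex>[0-9a-fA-F]+)\s*$")
# Name fragments that mark a heuristic/generic verdict rather than a known family (assumed list).
GENERIC_RE = re.compile(r"\bgen\b|generic|suspicious|heur|possible", re.IGNORECASE)


def parse_table(text: str) -> tuple[list[EngineRow], dict[str, str]]:
    rows, hashes = [], {}
    for line in text.splitlines():
        h = HASH_RE.match(line)
        if h:
            hashes[h["algo"]] = h["hex"].lower()
            continue
        m = ROW_RE.match(line)       # header and "File size" lines have no date field, so they fail
        if m:
            rows.append(EngineRow(m["engine"], m["version"], m["updated"], m["result"]))
    return rows, hashes


def consensus(rows: list[EngineRow]) -> dict:
    """Assumed thresholds: 0 hits clean; <=2 generic-only hits weak; <3 specific hits review; else malicious."""
    hits = [r for r in rows if r.detected]
    generic_only = all(GENERIC_RE.search(r.result) for r in hits)
    if not hits:
        verdict = "clean"
    elif len(hits) <= 2 and generic_only:
        verdict = "weak-signal"       # keep the file idle (renamed) and re-check the hash later
    elif len(hits) < 3:
        verdict = "needs-review"      # a specific family name from a minority of engines
    else:
        verdict = "likely-malicious"
    return {
        "total": len(rows),
        "detections": len(hits),
        "ratio": f"{len(hits)}/{len(rows)}",
        "engines": [r.engine for r in hits],
        "generic_only": generic_only,
        "verdict": verdict,
    }


if __name__ == "__main__":
    table_rows, file_hashes = parse_table(SAMPLE_TABLE)
    print(consensus(table_rows))
    print(file_hashes)
```

Keeping the MD5/SHA1 beside the verdict is the practical point: once the file has been renamed or deleted, the hash is what lets you ask the scanning service again in a few weeks, when more engines may have signatures for it.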
Thanks so much!
#26
January 18th, 2008, 12:43 AM
Jintan, Cyber Tech Help Moderator (Join Date: Dec 2004, Posts: 52,284)
Glad to assist here.