BleepingComputer.com: Personal Protection Virus

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Personal Protection Virus combofix analysis

#1 User is offline   quiltyrams 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 1
  • Joined: 14-July 09

Posted 14 July 2009 - 02:05 PM

ComboFix 09-07-13.01 - Lucas Greff 07/14/2009 12:31.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.220 [GMT -6:00]
Running from: c:\documents and settings\Lucas Greff\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\LUCASG~1\LOCALS~1\Temp\pft1A6.tmp\Disk1\Whck40.dll
c:\documents and settings\Lucas Greff\Local Settings\Temp\pft1A6.tmp\Disk1\Whck40.dll
c:\documents and settings\Lucas Greff\Local Settings\Temporary Internet Files\search.html
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2PLUGIN.DLL
c:\program files\Need2Find\bar\1.bin\ND2FNBAR.DLL
c:\program files\Need2Find\bar\1.bin\NPND2FN.DLL
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\program files\Need2Find\bar\Cache\files.ini
c:\program files\RXToolBar
c:\program files\RXToolBar\graphics\additional.gif
c:\program files\RXToolBar\graphics\additional_active.gif
c:\program files\RXToolBar\graphics\background.jpg
c:\program files\RXToolBar\graphics\blue_hr_horz.GIF
c:\program files\RXToolBar\graphics\gray_hr_horz.GIF
c:\program files\RXToolBar\graphics\thumbtack.gif
c:\program files\RXToolBar\graphics\thumbtack_active.gif
c:\program files\RXToolBar\graphics\thumbtack_click.gif
c:\program files\RXToolBar\HTML\content.htm
c:\program files\RXToolBar\HTML\main.htm
c:\program files\RXToolBar\RXToolBar.dll
c:\recycler\S-1-5-21-315636210-436321949-3341562259-1003
c:\windows\cenbk.dat
c:\windows\fhgcx.dat
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\Installer\17bf9.msi
c:\windows\Installer\192c9c.msi
c:\windows\Installer\192cb8.msi
c:\windows\Installer\24a672.msp
c:\windows\Installer\34ef6db6.msp
c:\windows\Installer\34ef6db7.msp
c:\windows\Installer\34ef6db8.msp
c:\windows\Installer\34ef6db9.msp
c:\windows\Installer\34ef6dba.msp
c:\windows\Installer\34ef6dbb.msp
c:\windows\Installer\34ef6dbc.msp
c:\windows\Installer\34ef6dbd.msp
c:\windows\Installer\34ef6dbe.msp
c:\windows\Installer\361b1.msi
c:\windows\jidgt.dat
c:\windows\nyjrj.dat
c:\windows\ofnbl.dat
c:\windows\qrozq.dat
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
c:\windows\system32\aqueu.dat
c:\windows\system32\crkr.dll
c:\windows\system32\E95THK16.EXE
c:\windows\system32\encapi32.dll
c:\windows\system32\ervrd.dat
c:\windows\system32\jssdz.dat
c:\windows\system32\kmpoo.dll
c:\windows\system32\kypnc.dat
c:\windows\system32\mstd.exe
c:\windows\system32\msxmlm.dll
c:\windows\system32\ohtib.dll
c:\windows\system32\otosl.dat
c:\windows\system32\pdbmt.dat
c:\windows\system32\pvjfz.dll
c:\windows\system32\xiuut.dat
c:\windows\winhelp.ini
c:\windows\winnt32.exe
c:\windows\winpo32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_11Fßä#·ºÄÖ`I


((((((((((((((((((((((((( Files Created from 2009-06-14 to 2009-07-14 )))))))))))))))))))))))))))))))
.

2009-07-14 18:01 . 2009-07-14 18:22 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-14 17:45 . 2009-07-14 17:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-14 17:45 . 2009-07-14 17:45 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-14 17:45 . 2009-07-14 17:45 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-14 17:45 . 2009-07-14 17:45 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-14 17:44 . 2009-07-14 17:47 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-14 17:44 . 2009-07-14 17:44 -------- d-----w- c:\program files\AVG
2009-07-14 17:44 . 2009-07-14 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-13 17:58 . 2009-07-14 01:59 167936 ----a-w- c:\windows\system32\NetFilter.exe
2009-07-13 17:58 . 2009-05-14 09:58 61440 ----a-w- c:\windows\system32\ndisapi.dll
2009-07-13 17:58 . 2009-06-22 14:58 24576 ----a-w- c:\windows\system32\drivers\ndisrd.sys
2009-07-13 17:57 . 2009-07-13 17:57 -------- d-----w- c:\program files\Common Files\Uninstall
2009-07-13 17:56 . 2009-07-13 17:57 -------- d-----w- c:\program files\PersonalAV
2009-06-22 15:44 . 2009-06-22 15:44 -------- d-sh--w- c:\documents and settings\Lucas Greff\IECompatCache
2009-06-22 14:19 . 2009-06-22 14:19 -------- d-sh--w- c:\documents and settings\Lucas Greff\PrivacIE
2009-06-22 14:19 . 2009-06-22 14:19 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-22 14:18 . 2009-06-22 14:18 -------- d-sh--w- c:\documents and settings\Lucas Greff\IETldCache
2009-06-22 14:14 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-22 14:14 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-22 14:14 . 2009-06-22 14:14 -------- d-----w- c:\windows\ie8updates
2009-06-22 14:13 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-22 14:13 . 2009-06-22 14:13 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 09:06 . 2008-11-05 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-20 21:57 . 2009-05-20 21:57 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-20 21:57 . 2008-06-12 14:04 38208 ----a-w- c:\documents and settings\Lucas Greff\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-20 17:04 . 2009-05-20 17:04 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-20 17:04 . 2009-05-20 17:04 -------- d-----w- c:\program files\Java
2009-05-20 17:03 . 2009-05-20 17:03 152576 ----a-w- c:\documents and settings\Lucas Greff\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-13 05:15 . 2006-06-23 17:33 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2001-08-18 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2001-08-18 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2003-09-19 15:12 . 2003-09-19 15:12 220 -csh--w- c:\windows\dwin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-02-24 5537792]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2002-11-23 631362]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-02-24 86016]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2005-04-08 151552]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-11 77824]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-20 148888]
"PersonalAV"="c:\program files\PersonalAV\pav.exe" [2009-07-13 1892352]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-14 1948440]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-02-24 1495040]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-06-30 19968]
"MSDRV"="NetFilter.exe" - c:\windows\system32\NetFilter.exe [2009-07-14 167936]

c:\documents and settings\Lucas Greff\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\MSWorks\Calendar\WKCALREM.EXE [1998-7-20 68368]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NFU JTi Printer.lnk - C:\NFUDirMon.exe [2008-7-25 180224]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\cinetray.exe [2002-9-18 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-14 17:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\FUIAgentDesktop\\JH.FUMI.Agent.Desktop.exe"=
"c:\\Corel\\Suite8\\Programs\\WPWIN8.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/14/2009 11:45 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/14/2009 11:45 AM 108552]
S3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [8/10/2003 1:41 AM 14348]
S3 SaiH2541;SaiH2541;c:\windows\system32\drivers\SaiH2541.sys [3/12/2005 5:43 PM 55936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - _11F*00DF*00E4*0006#*00B7*00BA*00C4*00D6`I
*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2001-08-18 00:12]

2009-07-14 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-10 18:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A77D3539-581D-450C-9E44-A84C415A6172} - c:\windows\system32\msxmlm.dll
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-AceGain LiveUpdate - c:\program files\AceGain\LiveUpdate\LiveUpdate.exe
HKLM-Run-msit32.exe - c:\windows\system32\msit32.exe
HKLM-Run-winws.exe - c:\windows\system32\winws.exe
HKLM-Run-atlvo32.exe - c:\windows\system32\atlvo32.exe
HKLM-Run-addti.exe - c:\windows\system32\addti.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nfuic.com/ov/wrd/run/portal.show
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {76392179-60A8-462D-8961-B95C14DAADF4} - hxxp://mobius2.nfuic.com:8080/ddrint/content/ddiprintengine.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-14 12:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\Sti_Trace.log:nyeqit 29768 bytes executable
c:\windows\SchedLgU.Txt:jzbael 11336 bytes executable
c:\windows\canst.dat:khgmxi 12317 bytes executable
c:\windows\chipset.log:smtzun 79610 bytes executable
c:\windows\PFP80JCM.{PB:zkfhxg 12317 bytes executable
c:\windows\ODBC(2).INI:bmlvje 12317 bytes executable
c:\windows\ODBC(5).INI:wiuobl 82093 bytes executable
c:\windows\ODBC.INI:unwilo 35081 bytes executable
c:\windows\bayug.log:auenv 35081 bytes executable
c:\windows\Blue Lace 16.bmp:alala 79610 bytes executable
c:\windows\yrpld.dat:fcgvnp 82093 bytes executable


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(344)
c:\windows\system32\WININET.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG8\avgwdsvc.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-07-14 12:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-14 18:53

Pre-Run: 65,489,227,776 bytes free
Post-Run: 66,191,794,176 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

253 --- E O F --- 2009-07-13 18:25

#2 Guest_The weatherman_*

  • Group: Guests

Posted 14 July 2009 - 05:33 PM

Hello quiltyrams,

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix logs should not to be posted outside the HijackThis forums and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.
The BC Staff/The weatherman

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users