Infected With Trojan; Msn Yahoo Messenger Problem


This topic is locked
2 replies to this topic

#1 feedback

Posted 22 February 2008 - 10:29 AM

ComboFix 08-02-22.3 - Gian 2008-02-22 23:14:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT 8:00]
Running from: C:\Documents and Settings\Gian\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\internet explorer\iekey.dll
C:\WINDOWS\svchost.ini
C:\WINDOWS\system32\vx.tll

.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-22 22:43 . 2001-08-17 14:07 101,888 --a------ C:\WINDOWS\system32\drivers\adpu160m.sys
2008-02-22 22:42 . 2008-02-22 22:45 <DIR> d-------- C:\Documents and Settings\Gian\Application Data\PrevxCSI
2008-02-22 09:31 . 2008-02-22 09:31 51,200 -r-hs---- C:\WINDOWS\system32\fool1.dll
2008-02-22 09:29 . 2008-02-22 22:26 51,200 -r-hs---- C:\WINDOWS\system32\fool0.dll
2008-02-21 08:10 . 2008-02-21 19:49 51,200 --ahs---- C:\WINDOWS\system32\fool0.dll.vir2
2008-02-20 19:48 . 2008-02-22 09:31 143,729 -r-hs---- C:\g2lbn.cmd
2008-02-20 19:48 . 2008-02-20 19:59 51,200 -rahs---- C:\WINDOWS\system32\fool0.dll.vir1
2008-02-20 00:08 . 2008-02-20 00:09 143,449 -r-hs---- C:\evkq381.com
2008-02-20 00:08 . 2008-02-22 23:14 583 -r-hs---- C:\autorun.inf
2008-02-19 23:47 . 2008-02-22 09:31 143,729 -r-hs---- C:\WINDOWS\system32\kxvo.exe
2008-02-19 22:06 . 2008-02-19 22:06 <DIR> d-------- C:\Program Files\Common Files\Cisco Systems
2008-02-19 22:06 . 2005-01-14 20:00 108,480 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2008-02-19 22:06 . 2005-02-10 20:00 58,464 --a------ C:\WINDOWS\system32\drivers\mvstdi5x.sys
2008-02-19 22:05 . 2008-02-19 22:06 <DIR> d-------- C:\Program Files\Common Files\Network Associates
2008-02-18 22:51 . 2008-02-19 20:42 69,632 --ahs---- C:\WINDOWS\system32\fool0.dll.vir
2008-01-31 11:54 . 2008-01-31 11:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-01-31 11:51 . 2008-01-31 11:51 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-01-31 11:50 . 2008-01-31 11:50 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-01-31 11:50 . 2007-03-19 13:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8T.DLL
2008-01-31 11:49 . 2008-01-31 11:49 <DIR> d--h----- C:\Program Files\CanonBJ
2008-01-31 11:49 . 2007-03-24 00:30 1,400,832 --a------ C:\WINDOWS\system32\CNC220C.DLL
2008-01-31 11:49 . 2007-03-19 18:18 200,704 --a------ C:\WINDOWS\system32\CNC220L.DLL
2008-01-31 11:49 . 2007-03-15 22:12 188,416 --a------ C:\WINDOWS\system32\CNC220O.DLL
2008-01-31 11:49 . 2007-03-24 00:29 98,304 --a------ C:\WINDOWS\system32\CNC220I.DLL
2008-01-31 11:47 . 2008-01-31 11:53 <DIR> d-------- C:\Program Files\Canon
2008-01-31 11:31 . 2007-05-17 17:30 318,976 --a------ C:\WINDOWS\system32\avisynth.dll
2008-01-31 11:27 . 2008-01-31 11:27 <DIR> d-------- C:\Program Files\eRightSoft
2008-01-31 10:29 . 2008-01-31 10:29 <DIR> d-------- C:\OutputFolder
2008-01-31 10:27 . 2008-01-31 10:40 <DIR> d-------- C:\Program Files\Ultra MP4 Video Converter
2008-01-31 10:27 . 2007-04-12 14:19 129,024 --a------ C:\WINDOWS\system32\AVERM.dll
2008-01-31 10:27 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQT.dll
2008-01-31 09:03 . 2008-01-31 09:03 <DIR> d-------- C:\ConvertTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 15:51 --------- d-----w C:\Documents and Settings\Gian\Application Data\Hamachi
2008-02-21 14:27 --------- d-----w C:\Program Files\Diablo II
2008-02-19 14:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-02-19 14:05 --------- d-----w C:\Program Files\Network Associates
2008-02-17 11:15 --------- d-----w C:\Program Files\Warcraft III
2008-02-09 01:01 --------- d-----w C:\Documents and Settings\Gian\Application Data\uTorrent
2008-02-04 13:17 --------- d-----w C:\Documents and Settings\Gian\Application Data\Image Zone Express
2008-01-27 12:55 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-01-26 17:30 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-01-26 17:30 249,856 ------w C:\WINDOWS\Setup1.exe
2008-01-26 17:30 --------- d-----w C:\Program Files\Hero Editor
2008-01-21 07:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-21 07:29 --------- d-----w C:\Documents and Settings\Gian\Application Data\InstallShield
2008-01-17 03:44 --------- d-----w C:\Program Files\LimeWire
2008-01-01 14:43 90,112 ----a-w C:\WINDOWS\DUMP27d6.tmp
2007-12-28 15:31 11,198,985 ----a-w C:\myro-patcherv1.exe
2007-12-17 13:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-25 06:34 90,112 ----a-w C:\WINDOWS\DUMPb093.tmp
2007-11-25 03:58 90,112 ----a-w C:\WINDOWS\DUMPe8c9.tmp
2006-11-09 14:51 17,144 ----a-w C:\Documents and Settings\Gian\Application Data\GDIPFONTCACHEV1.DAT
2005-05-13 09:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-07-14 04:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 07:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 14:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 10:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 11:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 05:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-24 16:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34 5354792]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-06-24 14:08 860160]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"kxva"="C:\WINDOWS\system32\kxvo.exe" [2008-02-22 09:31 143729]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 16:28 790528]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2003-05-30 09:42 585728]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03 49263]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-06-07 11:31 819712]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 15:29 176128]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-08 01:02 185632]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 09:50 1603152]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00 94208]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\msncall.exe"=
"C:\\Program Files\\Diablo II\\Diablo II.exe"=
"C:\\Program Files\\Ocean Technology\\GG E-Sports Platform\\GGclient.exe"=
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"C:\\Nexon\\MapleStory\\Patcher.exe"=
"C:\\Nexon\\MapleStory\\NewPatcher.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Documents and Settings\\Gian\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"C:\\Documents and Settings\\Gian\\Desktop\\icon\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"21395:TCP"= 21395:TCP:BitComet 21395 TCP
"21395:UDP"= 21395:UDP:BitComet 21395 UDP
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundRouterRequest"= 0 (0x0)

R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-14 00:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{505364e0-9284-11dc-bdc1-000e2e3dc3e9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{794bc19a-e170-11db-bf06-000e2e3dc3e9}]
\Shell\AutoRun\command - F:\RavMon.exe
\Shell\explore\Command - F:\RavMon.exe -e
\Shell\open\Command - F:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a03905eb-6884-11db-bdcf-000e2e3dc3e9}]
\Shell\AutoRun\command - F:\ie.exe
\Shell\explore\Command - F:\ie.exe
\Shell\open\Command - F:\ie.exe

*Newly Created Service* - ZSDERFS
.
Contents of the 'Scheduled Tasks' folder
"2008-01-02 06:04:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-22 14:29:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 23:16:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\Ocean Technology\GG E-Sports Platform\filter.dll
.
Completion time: 2008-02-22 23:17:32
ComboFix-quarantined-files.txt 2008-02-22 15:17:29
.
2008-02-13 16:19:12 --- E O F ---


*** As I turn on my computer and reach the desktop, MSN and Yahoo Messenger auto-run and then my computer stopped... My antivirus, McAfee v8.1, stated that it is because of fool0.dll.
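A triage pass over the log above, as an added example: this is the editor's own script, not part of the original post and not how ComboFix or McAfee classify anything. It parses the line formats ComboFix printed ("Files Created" entries, REGEDIT4-style Run keys, mountpoints2 AutoRun commands, the firewall policy key) and flags four things a responder would look at first: new files carrying both hidden and system attributes directly in system32 or at a drive root, Run-key entries whose target is one of those files, AutoRun commands attached to removable drives, and a disabled Windows Firewall profile. The heuristics, the finding names and the `SAMPLE_LOG` excerpt (cut from the log above) are assumptions made for the example.

```python
"""Flag common worm indicators in a ComboFix-style log excerpt.

Added example (editor's code, not ComboFix's own logic). The heuristics below
are assumptions chosen to match the patterns visible in the posted log.
"""
from __future__ import annotations

import re

# Constructed sample: an excerpt of the ComboFix log posted above, trimmed to
# the sections the heuristics look at.
SAMPLE_LOG = r"""
2008-02-22 09:31 . 2008-02-22 09:31 51,200 -r-hs---- C:\WINDOWS\system32\fool1.dll
2008-02-22 09:29 . 2008-02-22 22:26 51,200 -r-hs---- C:\WINDOWS\system32\fool0.dll
2008-02-20 19:48 . 2008-02-22 09:31 143,729 -r-hs---- C:\g2lbn.cmd
2008-02-20 00:08 . 2008-02-20 00:09 143,449 -r-hs---- C:\evkq381.com
2008-02-20 00:08 . 2008-02-22 23:14 583 -r-hs---- C:\autorun.inf
2008-02-19 23:47 . 2008-02-22 09:31 143,729 -r-hs---- C:\WINDOWS\system32\kxvo.exe
2008-02-19 22:06 . 2005-01-14 20:00 108,480 --a------ C:\WINDOWS\system32\drivers\naiavf5x.sys
2008-01-31 11:50 . 2007-03-19 13:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8T.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:34 5354792]
"kxva"="C:\WINDOWS\system32\kxvo.exe" [2008-02-22 09:31 143729]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{794bc19a-e170-11db-bf06-000e2e3dc3e9}]
\Shell\AutoRun\command - F:\RavMon.exe
\Shell\open\Command - F:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a03905eb-6884-11db-bdcf-000e2e3dc3e9}]
\Shell\AutoRun\command - F:\ie.exe
"""

# "Files Created" line: created . modified size attrs path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"')
AUTORUN_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$", re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"


def is_suspicious_location(path: str) -> bool:
    """True for a file sitting directly in system32 or at a drive root."""
    p = path.lower()
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        return True
    return p.startswith(SYSTEM32) and "\\" not in p[len(SYSTEM32):]


def hidden_system_files(log_text: str) -> list[str]:
    """Non-directory entries with both hidden (h) and system (s) attributes."""
    found = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m["attrs"], m["path"]
        if "d" in attrs:  # directories are out of scope for this check
            continue
        if "h" in attrs and "s" in attrs and is_suspicious_location(path):
            found.append(path)
    return found


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (finding_kind, detail) pairs in the order they are discovered."""
    findings: list[tuple[str, str]] = []
    hidden = hidden_system_files(log_text)
    findings += [("hidden_system_file", p) for p in hidden]
    hidden_lower = {p.lower() for p in hidden}

    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()  # REGEDIT4 section header
            continue
        if current_key.endswith("\\run"):
            # Correlate autostart targets with the hidden+system files found above.
            m = RUN_RE.match(line)
            if m and m["value"].lower() in hidden_lower:
                findings.append(("run_key_to_hidden_file", f'{m["name"]} -> {m["value"]}'))
        elif "mountpoints2" in current_key:
            # Shell verbs bound to a removable drive's executable.
            m = AUTORUN_RE.match(line)
            if m:
                findings.append(("removable_autorun", f'{m["verb"]} -> {m["cmd"]}'))
        elif "firewallpolicy" in current_key and re.match(r'^"EnableFirewall"=\s*0\b', line):
            profile = current_key.rsplit("\\", 1)[-1]
            findings.append(("firewall_disabled", f"{profile} EnableFirewall=0"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Hidden+system attributes alone are not proof of infection, so the script only ranks what to inspect; the useful signal is the correlation: the HKCU Run entry `kxva` points at a hidden+system `kxvo.exe` created the same day as `autorun.inf` at the drive root, and the mountpoints2 keys bind AutoRun/open verbs on a removable drive to `F:\RavMon.exe` and `F:\ie.exe`, which is the layout of malware that spreads over USB media. With the firewall profile disabled as well, a helper would want the items the script prints before anything else in the log.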

#2 kahdah

Posted 09 March 2008 - 07:51 PM

Hello feedback

Welcome to BleepingComputer.
========================
If you are still in need of assistance, please click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click on I agree
  • Then Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 kahdah

Posted 23 March 2008 - 08:16 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.