
I'm Infected With Win32.banker.fs Trojan.spyagent.da


4 replies to this topic

#1 sunshine_yad

sunshine_yad

  • Members
  • 3 posts

Posted 03 March 2008 - 05:36 PM

Hi, today I've been infected with a nasty thing called Win32.Banker.FS Trojan.SpyAgent.DA.
While looking on the internet for an antivirus, I found a program called ComboFix. It made a logfile for me, and now I am asking if anyone can tell me what to do next with it. Thanks for the replies!
Here is the logfile:

ComboFix 08-03-03.16 - Agent Smith 2008-03-03 23:04:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1049.18.263 [GMT 2:00]
Running from: C:\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\cftmon.exe

----- BITS: Possible infected sites -----

hxxp://zupacha.info
hxxp://64.46.39.14
hxxp://auto
hxxp://b.megaban.com.ua
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FCI
-------\LEGACY_MSUPDATE
-------\LEGACY_NTOSNH.SYS
-------\ntosnh.sys


((((((((((((((((((((((((( Files Created from 2008-02-03 to 2008-03-03 )))))))))))))))))))))))))))))))
.

2008-03-03 21:20 . 2008-03-03 21:20 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-03 21:20 . 2008-03-03 21:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-28 08:23 . 2008-02-28 08:23 <DIR> d-------- C:\Documents and Settings\Agent Smith\Application Data\ADC Software
2008-02-27 22:05 . 2008-02-29 18:23 <DIR> d-------- C:\Documents and Settings\Agent Smith\Application Data\Feedreader
2008-02-27 22:04 . 2008-03-01 19:13 <DIR> d---s---- C:\Program Files\FeedReader30
2008-02-23 18:38 . 2008-03-01 20:09 <DIR> d-------- C:\Documents and Settings\Agent Smith\Application Data\skypePM
2008-02-23 18:38 . 2008-02-23 18:38 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-23 18:34 . 2008-03-01 21:51 <DIR> d-------- C:\Documents and Settings\Agent Smith\Application Data\Skype
2008-02-23 18:33 . 2008-02-28 21:26 <DIR> d---s---- C:\Program Files\Skype
2008-02-23 18:33 . 2008-02-23 18:33 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-02-23 18:33 . 2008-02-23 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-02-17 10:52 . 2008-02-17 10:52 <DIR> d-------- C:\Documents and Settings\Agent Smith\Application Data\InstallShield
2008-02-16 18:05 . 2008-02-17 10:52 <DIR> d---s---- C:\Program Files\QIP Infium
2008-02-16 18:05 . 2008-02-16 18:05 <DIR> d-------- C:\Documents and Settings\Agent Smith\Application Data\QIP
2008-02-11 18:45 . 2008-02-11 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-02-08 17:02 . 2008-02-08 17:02 42 --a------ C:\WINDOWS\Prodigy.pls
2008-02-08 17:02 . 2008-02-08 17:02 42 --a------ C:\WINDOWS\mdv736.pls
2008-02-08 12:22 . 2008-02-08 12:22 <DIR> d--hs---- C:\found.000

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-03 21:06 521,248 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-03-03 21:06 51,980 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-03-03 21:06 238,868 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-03 21:06 17,446,944 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-03 15:23 --------- d-s---w C:\Program Files\MetaTrader 4
2008-02-28 19:26 --------- d-s---w C:\Program Files\Abilon
2008-02-28 19:25 --------- d-----w C:\Documents and Settings\Agent Smith\Application Data\Abilon
2008-02-19 14:38 --------- d-s---w C:\Program Files\Disc2Phone
2008-02-17 08:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-17 08:50 --------- d-s---w C:\Program Files\MyPhoneExplorer
2008-02-11 19:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-11 16:53 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-02-03 19:23 --------- d-s---w C:\Program Files\ACD Systems
2008-02-01 16:40 91,700 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-02-01 15:29 --------- d-s---w C:\Program Files\Streambox Ripper
2008-01-19 21:14 28,672 ----a-w C:\WINDOWS\gscr.dll
2008-01-04 14:30 --------- d-----w C:\Program Files\MOBILedit!
2007-10-05 20:15 54 ----a-w C:\Documents and Settings\Agent Smith\~tmp74.exe.bat
2007-07-03 11:52 96,326 -csha-r C:\Program Files\desktop49.ico
2007-07-03 11:52 89 --sh--w C:\Program Files\desktop.ini
2007-07-03 11:48 96,326 -csha-r C:\Program Files\Common Files\desktop6.ico
2007-07-03 11:48 88 --sh--w C:\Program Files\Common Files\desktop.ini
2007-07-03 07:02 87,608 -c--a-w C:\Documents and Settings\Agent Smith\Application Data\ezpinst.exe
2007-07-03 07:02 47,360 -c--a-w C:\Documents and Settings\Agent Smith\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37FF719A-A736-4FAB-8CBF-7B905277648D}]
2008-03-03 21:09 204800 --a------ C:\DOCUME~1\AGENTS~1\LOCALS~1\Temp\~util32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\msrepl4p]
@={25A9E451-E4CF-E903-2CE3-8C67B2E326AB}

[HKEY_CLASSES_ROOT\CLSID\{25A9E451-E4CF-E903-2CE3-8C67B2E326AB}]
2004-08-17 15:04 71168 --a------ C:\WINDOWS\system32\msrepl4p.dIl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Punto Switcher"="C:\Program Files\Punto Switcher\PS.exe" [2002-05-23 13:23 167936]
"CTFMON.EXE"="C:\WINDOWS\system32\cftmon.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lingvo Launcher"="C:\Program Files\ABBYY Lingvo 9.0\Lvagent.exe" [2003-12-08 03:17 118784]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2002-04-26 19:53 12288]
"LWBMOUSE"="C:\Program Files\Мышиные дрова\lwbwheel.exe" [ ]
"MOD"="C:\Program Files\Microangelo\muamgr.exe" [2003-05-01 14:33 73728]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 14:35 7110656]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky 6.0\avp.exe" [2007-06-29 15:30 206192]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2002-06-19 07:50 180224]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 04:24 286720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Desktop selection.gif
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{020487CC-FC04-4B1E-863F-D9801796230B}"= C:\DOCUME~1\AGENTS~1\LOCALS~1\Temp\wndutl32.dll [2008-03-03 21:08 13312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Главное меню^Программы^Автозагрузка^wjlm.exe]
path=C:\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\wjlm.exe
backup=C:\WINDOWS\pss\wjlm.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 01:06 40048 C:\Program Files\Adobe Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-17 15:05 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-17 15:04 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2005-03-31 07:30 1106944 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
--a--c--- 2003-08-19 22:22 278528 C:\Program Files\ABBYY FineReader 7.0\AbbyyNewsReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\AGENTS~1\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kav]
C:\Program Files\Kaspersky Anti-Virus 6.0\avp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 09:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-08-02 14:35 7110656 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-08-02 14:35 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-08-02 14:35 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-03-22 07:39 167936 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 04:24 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpIDerNT]
C:\PROGRA~1\DrWeb\spidernt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"SharedAccess"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\svchost.exe"=

R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 06:02]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 03:41]
R3 ham50;Intel HaM Data Fax Voice;C:\WINDOWS\system32\DRIVERS\ham50.sys [2000-09-05 08:48]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 12:58]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);C:\WINDOWS\system32\DRIVERS\se46bus.sys [2006-11-30 16:11]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\se46mdfl.sys [2006-11-30 16:11]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\se46mdm.sys [2006-11-30 16:11]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\se46mgmt.sys [2006-11-30 16:11]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);C:\WINDOWS\system32\DRIVERS\se46nd5.sys [2006-11-30 16:11]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\se46obex.sys [2006-11-30 16:11]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);C:\WINDOWS\system32\DRIVERS\se46unic.sys [2006-11-30 16:11]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-03 15:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-01 21:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2007-09-12 05:00:02 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-02-28 07:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-02-28 08:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 09:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 10:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 12:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 13:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 14:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 15:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 16:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-01 22:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 17:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 18:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 19:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 20:00:01 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 21:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-01 21:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-01 22:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-02-16 23:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2007-08-14 19:41:57 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2007-08-14 19:41:57 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-02-16 23:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2007-08-14 19:41:57 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2007-08-14 19:41:57 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2007-08-14 19:41:57 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2007-08-14 19:41:57 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2007-09-12 05:00:02 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-02-28 07:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-02-28 08:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 09:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 10:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 12:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2007-07-05 11:25:48 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2008-03-03 13:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 14:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 15:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 16:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 17:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 18:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 19:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 20:00:01 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2008-03-03 21:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\0mNIucjv.exe
"2007-07-05 11:25:48 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2007-07-05 11:25:48 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2007-07-05 11:25:48 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2007-07-05 11:25:48 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
"2007-07-05 11:25:48 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\0N5yV1T2.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-03 23:08:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.2180]
-> C:\Program Files\Punto Switcher\correct.dll
-> C:\DOCUME~1\AGENTS~1\LOCALS~1\Temp\wndutl32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-03-03 23:11:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-03 21:11:27

Edited by sunshine_yad, 04 March 2008 - 12:50 PM.

#2 sunshine_yad

sunshine_yad
  • Topic Starter

  • Members
  • 3 posts

Posted 04 March 2008 - 02:05 PM

I have got a Win32.Banker.FS Trojan.SpyAgent.DA and have tried everything to remove it, but with no results. Could anyone tell me, will my computer live a healthy life again?
I have got the logfile; here it is.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:53:15, on 04.03.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ABBYY Lingvo 9.0\Lvagent.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Мышиные дрова\lwbwheel.exe
C:\Program Files\Kaspersky Lab\Kaspersky 6.0\avp.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Punto Switcher\PS.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Kaspersky Lab\Kaspersky 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Download Master\dmaster.exe
C:\Program Files\Trend Micro HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DirectPluginX Class - {37FF719A-A736-4FAB-8CBF-7B905277648D} - C:\DOCUME~1\AGENTS~1\LOCALS~1\Temp\~util32.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IE 4.x-6.x BHO for Download Master - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - C:\PROGRA~1\DOWNLO~1\dmiehlp.dll
O4 - HKLM\..\Run: [Lingvo Launcher] "C:\Program Files\ABBYY Lingvo 9.0\Lvagent.exe" /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Мышиные дрова\lwbwheel.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky 6.0\avp.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKCU\..\Run: [Punto Switcher] C:\Program Files\Punto Switcher\PS.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\cftmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Добавить в Анти-Баннер - C:\Program Files\Kaspersky Lab\Kaspersky 6.0\ie_banner_deny.htm
O8 - Extra context menu item: Закачать ВСЕ при помощи Download Master - C:\Program Files\Download Master\dmieall.htm
O8 - Extra context menu item: Закачать при помощи Download Master - C:\Program Files\Download Master\dmie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Cтатистика Веб-Антивируса - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky 6.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
O9 - Extra 'Tools' menuitem: &Download Master - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - C:\Program Files\Download Master\dmaster.exe
O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O22 - SharedTaskScheduler: Windows Installer Class - {020487CC-FC04-4B1E-863F-D9801796230B} - C:\DOCUME~1\AGENTS~1\LOCALS~1\Temp\wndutl32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky 6.0\avp.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O24 - Desktop Component 0: (no name) - C:\Desktop selection.gif

--
End of file - 7364 bytes

I have noticed that some words are in Russian here. If it is necessary, I will translate them quickly.

#3 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 22 March 2008 - 04:13 AM

Hi sunshine_yad! :thumbsup:

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible. I'm in HijackThis school and teachers will check my posts.
Sorry that it took us so long to get back to you, but as you can see we're swamped with the amount of logs.

Before we can start, please post a fresh hijackthis log back here.

#4 sunshine_yad

sunshine_yad
  • Topic Starter

  • Members
  • 3 posts

Posted 22 March 2008 - 04:39 PM

Thank you for the reply, but I have already found the cure. The guys from the virus.info site helped me. Anyway, thanks for the help.

#5 Baabiouz

Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 23 March 2008 - 04:14 AM

Ok. That's fine :thumbsup: