Problems With W32\lineage.hxi.worm; W32\lineage.h2b.worm; And Trj\lineage.h2j



#1 hondurod

hondurod

  • Members
  • 1 posts
  • Local time:08:20 AM

Posted 21 April 2008 - 01:07 AM

ComboFix 08-04-20.2 - Administrator 2008-04-20 23:50:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.923 [GMT -6:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Administrator\Favorites\Online Security Test.url
C:\Program Files\Helper
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\msssc.dll
D:\Autorun.inf
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-20 23:24 . 2008-04-20 23:24 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-20 23:24 . 2008-04-20 23:24 <DIR> d-------- C:\Program Files\Panda Security
2008-04-20 02:17 . 2008-04-20 02:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-04-20 02:14 . 2006-11-05 23:00 198,656 --a------ C:\WINDOWS\system32\CNMLM8O.DLL
2008-04-20 02:13 . 2008-04-20 02:17 <DIR> d-------- C:\Program Files\Canon
2008-04-13 15:48 . 2008-04-13 15:48 <DIR> d-------- C:\WINDOWS\system32\DRM
2008-04-13 14:56 . 2008-04-13 15:51 2,421 --a------ C:\WINDOWS\aopr.ini
2008-04-13 14:22 . 2008-04-13 14:22 <DIR> d-------- C:\Program Files\Passware
2008-04-13 14:14 . 2008-04-13 16:47 <DIR> d-------- C:\Program Files\PasswordTools
2008-04-13 14:00 . 2008-04-13 16:49 <DIR> d-------- C:\Program Files\Intelore
2008-04-13 14:00 . 2008-04-13 14:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intelore
2008-04-10 21:32 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll
2008-04-10 21:32 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll
2008-04-10 21:32 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll
2008-04-10 21:32 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll
2008-04-10 21:32 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-04-10 21:32 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll
2008-04-10 21:32 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll
2008-04-09 10:35 . 2008-04-09 10:35 268 --ah----- C:\sqmdata11.sqm
2008-04-09 10:35 . 2008-04-09 10:35 244 --ah----- C:\sqmnoopt11.sqm
2008-04-07 23:26 . 2008-04-07 23:26 <DIR> d-------- C:\Program Files\Ares
2008-04-07 23:10 . 2008-04-12 08:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-07 23:09 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-07 23:08 . 2008-04-07 23:09 <DIR> d-------- C:\Program Files\Java
2008-04-07 23:05 . 2008-04-07 23:05 <DIR> d-------- C:\Program Files\Common Files\Java
2008-04-06 16:27 . 2008-04-06 22:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Wippien
2008-04-06 16:27 . 2007-12-04 18:06 23,224 --a------ C:\WINDOWS\system32\drivers\wip0203.sys
2008-04-06 00:48 . 2008-04-06 00:48 <DIR> d-------- C:\Program Files\Hamachi
2008-04-06 00:07 . 2008-04-06 16:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Hamachi
2008-04-06 00:07 . 2008-04-06 00:48 15,440 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2008-04-05 22:52 . 2008-04-06 00:23 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-04-05 22:52 . 2008-04-06 00:23 30,739 --a------ C:\WINDOWS\scunin.dat
2008-04-05 22:52 . 2008-04-06 00:23 967 --a------ C:\WINDOWS\ScUnin.pif
2008-03-29 11:52 . 2008-03-29 11:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Kane's Wrath
2008-03-29 11:51 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-03-29 11:51 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-03-29 11:51 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-03-29 11:51 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-03-26 22:55 . 2008-03-26 22:55 22,328 --a------ C:\Documents and Settings\Administrator\Application Data\PnkBstrK.sys
2008-03-26 22:50 . 2008-03-26 22:50 103,736 --a------ C:\Documents and Settings\Administrator\Application Data\PnkBstrB.exe
2008-03-26 22:49 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-03-26 22:49 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-03-26 22:49 . 2008-03-26 22:49 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-03-26 22:49 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-03-26 22:49 . 2008-03-26 22:49 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-03-26 22:49 . 2008-03-26 22:49 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-03-25 23:49 . 2008-04-20 02:14 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-03-25 23:49 . 2008-03-25 23:49 <DIR> d--h----- C:\Program Files\CanonBJ
2008-03-25 23:49 . 2008-03-25 23:49 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-03-25 23:49 . 2006-07-31 14:00 161,792 --a------ C:\WINDOWS\system32\CNMLM7W.DLL
2008-03-25 15:44 . 2008-03-29 01:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Bioshock
2008-03-25 15:42 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-03-25 15:42 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-03-25 15:42 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-03-25 15:42 . 2007-05-31 19:30 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-03-25 15:42 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-03-25 15:38 . 2008-03-25 15:38 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-03-25 15:38 . 2008-03-25 15:38 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-03-24 21:27 . 2008-03-24 21:27 244 --ah----- C:\sqmnoopt10.sqm
2008-03-24 21:27 . 2008-03-24 21:27 232 --ah----- C:\sqmdata10.sqm
2008-03-22 18:09 . 2008-03-22 18:09 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 05:45 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DNA
2008-04-21 05:39 263,900 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck
2008-04-21 05:39 263,900 ----a-w C:\WINDOWS\system32\drivers\APPFCONT.DAT
2008-04-21 05:39 1,224 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck
2008-04-21 05:39 1,224 ----a-w C:\WINDOWS\system32\drivers\APPFLTR.CFG
2008-04-17 07:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-11 21:11 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-29 17:40 --------- d-----w C:\Documents and Settings\Administrator\Application Data\BitTorrent
2008-03-19 23:36 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-19 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-19 22:35 --------- d-----w C:\Program Files\Lavasoft
2008-03-19 22:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-19 20:12 51,072 ----a-w C:\WINDOWS\system32\drivers\ikhlayer.sys
2008-03-19 20:12 30,592 ----a-w C:\WINDOWS\system32\drivers\ikhfile.sys
2008-03-19 20:10 --------- d-----w C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-19 15:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-18 15:43 --------- d-----w C:\Program Files\DNA
2008-03-18 15:32 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-12 19:10 633,344 ------w C:\WINDOWS\system32\gpprefcl.dll
2008-03-11 01:27 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-09 21:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-02 19:38 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Command & Conquer 3 Tiberium Wars
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 04:35 --------- d-----w C:\Program Files\BitTorrent
2008-03-01 03:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-21 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Backup
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-05 00:23 693,792 ----a-w C:\WINDOWS\system32\OGACheckControl.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6860A44B-5D3E-433D-A7B5-D517F810D0E7}]
C:\Program Files\NetProject\sbmdl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 08:16 171464]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-03-12 14:43 287040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2006-10-16 19:20 398944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"Spyware Doctor"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"F:\\Games\\Electronic Arts\\Battlefield 2\\BF2.exe"=
"F:\\Games\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"F:\\Games\\Electronic Arts\\Crysis\\Bin32\\Crysis.exe"=
"F:\\Games\\Electronic Arts\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

R1 APPFLT;App Filter Plugin;C:\WINDOWS\System32\Drivers\APPFLT.SYS [2007-04-02 19:43]
R1 DSAFLT;DSA Filter Plugin;C:\WINDOWS\System32\Drivers\DSAFLT.SYS [2007-04-02 19:43]
R1 FNETMON;NetMon Filter Plugin;C:\WINDOWS\System32\Drivers\fnetmon.SYS [2007-03-12 17:45]
R1 IDSFLT;Ids Filter Plugin;C:\WINDOWS\System32\Drivers\IDSFLT.SYS [2007-04-02 19:43]
R1 NETFLTDI;Panda Net Driver [TDI Layer];C:\WINDOWS\System32\Drivers\NETFLTDI.SYS [2007-04-17 17:42]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\Drivers\ShlDrv51.sys [2007-03-12 09:27]
R1 SMSFLT;SMS Filter Plugin;C:\WINDOWS\System32\Drivers\SMSFLT.SYS [2007-04-02 19:43]
R1 WNMFLT;Wifi Monitor Filter Plugin;C:\WINDOWS\System32\Drivers\WNMFLT.SYS [2007-04-02 19:43]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\drivers\cpoint.sys [2006-10-27 13:27]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2006-11-10 09:12]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\System32\DRIVERS\PavProc.sys [2007-02-19 06:21]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 15:01]
R3 NETIMFLT;PANDA NDIS IM Filter Miniport;C:\WINDOWS\system32\DRIVERS\netimflt.sys [2007-04-24 15:43]
R3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\System32\PavSRK.sys []
R3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\System32\PavTPK.sys []
S3 ASUSHWIO;ASUSHWIO;C:\WINDOWS\System32\drivers\ASUSHWIO.sys []
S3 leafnets;Leaf Networks Adapter;C:\WINDOWS\system32\DRIVERS\leafnets.sys [2007-05-02 17:48]
S3 wip0203;Wippien Network Adapter 2.3;C:\WINDOWS\system32\DRIVERS\wip0203.sys [2007-12-04 18:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c583a9f-ed50-11dc-9558-000c6ed7fe83}]
\Shell\AutoRun\command - b.com
\Shell\explore\Command - b.com
\Shell\open\Command - b.com

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 23:52:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-04-20 23:54:39
ComboFix-quarantined-files.txt 2008-04-21 05:54:14

Pre-Run: 16,028,590,080 bytes free
Post-Run: 16,391,196,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

204 --- E O F --- 2008-04-09 09:06:07


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:10:20 AM

Posted 07 May 2008 - 07:55 PM

Hello hondurod

Welcome to BleepingComputer :thumbsup:
========================
If you are still in need of assistance please post a new Hijackthis log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
