My Little Question Frm The Bleeping Fellows =>


2 replies to this topic

#1 heroic

heroic

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 18 May 2008 - 12:36 PM

Hi there, everyone.

My computer is infected with KXVO.
Also, I cannot view my hidden files, and whenever I want to get into drive C or any other drive, it opens in a new window instead of going to that drive. =/
I did everything, Kaspersky, Symantec;
it did not work, and I ran ComboFix after all.


Here's my log; if you would please take a look at it and tell me what I should do.




_____-
ComboFix 08-05-15.3 - lathzia 2008-05-18 13:27:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.720 [GMT -7:00]
Running from: C:\Documents and Settings\lathzia\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\lathzia\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\system32\fool0.dll
C:\WINDOWS\system32\fool1.dll
C:\WINDOWS\system32\ieso0.dll
C:\WINDOWS\system32\kxvo.exe
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 12:48 . 2008-05-18 12:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 12:41 . 2008-05-18 12:41 <DIR> d-------- C:\Program Files\PrevxCSI
2008-05-18 12:41 . 2008-05-18 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-18 12:41 . 2008-05-18 12:41 163,042 -r-hs---- C:\6isba62q.cmd
2008-05-18 12:41 . 2008-05-18 12:41 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2008-05-18 10:28 . 2008-05-18 13:02 <DIR> d-------- C:\Program Files\World of Warcraft
2008-05-18 02:25 . 2008-05-18 12:43 0 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-18 01:22 . 2008-05-18 01:22 <DIR> d-------- C:\Program Files\Real Alternative
2008-05-17 16:57 . 2008-05-17 17:40 <DIR> d-------- C:\Program Files\Gimmix
2008-05-17 16:39 . 2007-12-03 02:10 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-05-17 16:38 . 2008-05-17 16:38 <DIR> d-------- C:\Program Files\Google
2008-05-16 11:32 . 2008-05-18 12:39 <DIR> d-------- C:\Documents and Settings\lathzia\Application Data\WTablet
2008-05-16 11:32 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-16 11:32 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-16 11:31 . 2007-09-07 11:40 1,373,480 --a------ C:\WINDOWS\system32\Wacom_Tablet.exe
2008-05-16 11:31 . 2007-09-07 11:33 128,296 --a------ C:\WINDOWS\system32\Wacom_Tablet.dll
2008-05-16 11:31 . 2007-02-16 10:30 12,848 --a------ C:\WINDOWS\system32\drivers\wacomvhid.sys
2008-05-16 11:31 . 2007-02-15 16:11 11,440 --a------ C:\WINDOWS\system32\drivers\WacomVKHid.sys
2008-05-16 11:31 . 2007-02-16 11:12 11,312 --a------ C:\WINDOWS\system32\drivers\wacommousefilter.sys
2008-05-16 10:47 . 2008-05-16 10:47 <DIR> d-------- C:\X
2008-05-16 10:41 . 2008-05-18 01:44 162,280 -r-hs---- C:\0ajq.cmd
2008-05-14 20:24 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-14 20:23 . 2008-05-14 20:23 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-14 20:22 . 2008-05-14 20:22 <DIR> d-------- C:\Program Files\MSBuild
2008-05-14 20:14 . 2008-05-14 20:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-14 20:13 . 2008-05-14 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-14 20:12 . 2008-05-14 20:12 <DIR> dr-h----- C:\MSOCache
2008-05-14 14:43 . 2008-05-14 14:43 0 --a------ C:\WINDOWS\vpc32.INI
2008-05-14 13:13 . 2008-05-14 13:13 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-05-14 13:13 . 2008-05-14 13:13 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-14 13:13 . 2008-05-14 13:13 8,014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-05-14 13:13 . 2008-05-14 13:13 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-05-14 13:12 . 2008-05-14 13:13 <DIR> d-------- C:\Program Files\Symantec
2008-05-14 13:11 . 2008-05-18 13:24 <DIR> d-------- C:\Program Files\Symantec AntiVirus
2008-05-14 13:11 . 2008-05-14 13:14 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-14 13:11 . 2008-05-14 13:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-14 13:09 . 2008-05-14 13:09 <DIR> d-------- C:\Program Files\MagicISO
2008-05-14 12:26 . 2008-05-18 12:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-14 12:26 . 2008-05-14 12:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-13 00:23 . 2008-05-17 20:20 <DIR> d-------- C:\Documents and Settings\lathzia\Application Data\dvdcss
2008-05-12 12:56 . 2008-05-18 10:28 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-12 11:01 . 2004-03-02 17:37 125,184 --------- C:\WINDOWS\system32\drivers\imagesrv.sys
2008-05-12 11:01 . 2004-03-02 17:37 5,504 --------- C:\WINDOWS\system32\drivers\imagedrv.sys
2008-05-12 11:01 . 2008-05-12 11:01 1,024 --ah----- C:\Documents and Settings\Default User\NtUser.dat.LOG
2008-05-12 11:00 . 2008-05-12 11:00 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-05-12 11:00 . 2008-05-12 11:00 <DIR> d-------- C:\Program Files\Ahead
2008-05-12 11:00 . 2004-07-26 17:16 1,568,768 --------- C:\WINDOWS\system32\ImagX7.dll
2008-05-12 11:00 . 2004-07-26 17:16 476,320 --------- C:\WINDOWS\system32\ImagXpr7.dll
2008-05-12 11:00 . 2004-07-26 17:16 471,040 --------- C:\WINDOWS\system32\ImagXRA7.dll
2008-05-12 11:00 . 2004-07-26 17:16 262,144 --------- C:\WINDOWS\system32\ImagXR7.dll
2008-05-12 11:00 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-05-12 11:00 . 2000-06-26 11:45 106,496 --a------ C:\WINDOWS\system32\TwnLib20.dll
2008-05-12 10:56 . 2008-05-13 11:30 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-05-12 10:54 . 2008-05-12 10:54 <DIR> d-------- C:\Documents and Settings\lathzia\Application Data\DAEMON Tools
2008-05-12 10:53 . 2008-05-12 10:53 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-11 21:40 . 2008-05-16 11:31 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-05-11 21:40 . 2008-05-16 11:31 <DIR> d-------- C:\Program Files\Tablet
2008-05-11 21:40 . 2007-09-07 11:31 3,499,304 --a------ C:\WINDOWS\system32\WacomTablet.cpl
2008-05-11 21:40 . 2007-09-05 14:30 1,910,035 --a------ C:\WINDOWS\system32\WacomTablet.znc
2008-05-11 21:40 . 2007-09-07 11:20 181,544 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-05-11 21:40 . 2001-04-09 13:45 8,138 --a------ C:\WINDOWS\system32\drivers\PenClass.sys
2008-05-10 18:52 . 2005-04-09 10:34 <DIR> d-------- C:\istgah_dic
2008-05-07 20:40 . 2008-05-07 20:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-05 18:38 . 2008-05-05 18:40 <DIR> d-------- C:\Python25
2008-05-05 18:28 . 2008-05-05 18:38 <DIR> d-------- C:\Program Files\ConTEXT
2008-05-04 18:36 . 2007-02-12 11:41 2,732,032 --a------ C:\WINDOWS\system32\Netw2r32.dll
2008-05-04 18:36 . 2007-02-08 13:51 2,209,408 --a------ C:\WINDOWS\system32\drivers\w29n51.sys
2008-05-04 18:36 . 2007-02-12 11:40 557,056 --a------ C:\WINDOWS\system32\Netw2c32.dll
2008-05-03 16:33 . 2007-12-26 17:30 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2008-05-03 16:33 . 2007-12-26 17:30 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2008-05-03 16:32 . 2008-05-03 16:33 <DIR> d-------- C:\Program Files\Cheat Engine
2008-05-03 13:04 . 2008-05-03 13:04 <DIR> d-------- C:\sj801
2008-05-03 11:31 . 2008-05-03 11:33 <DIR> d-------- C:\Program Files\Winamp
2008-05-03 11:31 . 2008-05-03 12:00 <DIR> d-------- C:\Documents and Settings\lathzia\Application Data\Winamp
2008-05-03 11:31 . 2007-03-07 16:51 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-05-03 11:31 . 2007-03-07 16:51 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-03 11:31 . 2007-03-07 16:51 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-02 18:07 . 2008-05-02 18:07 <DIR> d-------- C:\Documents and Settings\lathzia\Application Data\vlc
2008-05-02 18:06 . 2008-05-02 18:06 <DIR> d-------- C:\Program Files\VideoLAN
2008-05-02 15:09 . 2008-05-02 15:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-02 15:08 . 2008-05-02 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-05-02 14:51 . 2008-05-02 12:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-02 14:20 . 2008-05-02 14:20 <DIR> d-------- C:\Program Files\AVG
2008-05-02 14:20 . 2008-05-02 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-02 13:05 . 2008-05-02 13:05 <DIR> d-------- C:\Documents and Settings\lathzia\Application Data\Media Player Classic
2008-05-02 12:59 . 2008-05-02 12:59 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-02 08:19 . 2008-05-02 08:19 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-02 08:16 . 2008-05-02 08:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-02 08:09 . 2008-05-02 08:17 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 08:00 . 2008-05-02 08:00 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-02 07:51 . 2008-05-02 07:51 <DIR> d-------- C:\Logs
2008-05-02 00:28 . 2008-05-18 10:28 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-05-02 00:25 . 2008-05-02 00:25 <DIR> d-------- C:\Documents and Settings\lathzia\Application Data\Apple Computer
2008-05-02 00:24 . 2008-05-02 00:25 <DIR> d-------- C:\Program Files\iTunes
2008-05-02 00:24 . 2008-05-02 00:24 <DIR> d-------- C:\Program Files\iPod
2008-05-02 00:23 . 2008-05-02 00:23 <DIR> d-------- C:\Program Files\Bonjour
2008-05-02 00:22 . 2008-05-02 00:23 <DIR> d-------- C:\Program Files\QuickTime
2008-05-02 00:22 . 2008-05-02 00:22 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-02 00:22 . 2008-05-02 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-02 00:21 . 2008-05-02 00:21 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-02 00:21 . 2008-05-02 00:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-01 23:45 . 2008-05-18 10:29 <DIR> d-------- C:\Documents and Settings\lathzia\Application Data\Azureus
2008-05-01 23:45 . 2008-05-01 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-05-01 23:41 . 2008-05-01 23:43 <DIR> d-------- C:\Program Files\Azureus
2008-05-01 23:41 . 2008-05-01 23:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-05-01 23:41 . 2008-05-02 15:51 32 --a------ C:\WINDOWS\wininit.ini
2008-05-01 23:40 . 2008-05-07 13:56 <DIR> d-------- C:\Program Files\Trillian
2008-05-01 23:32 . 2008-05-01 23:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-01 23:24 . 2008-05-01 23:25 <DIR> d-------- C:\WINDOWS\nview
2008-05-01 23:24 . 2006-03-23 01:30 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-05-01 23:24 . 2006-03-22 23:32 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-05-01 23:24 . 2008-05-18 12:40 50,868 --a------ C:\WINDOWS\system32\nvapps.xml
2008-05-01 23:24 . 2008-05-18 13:02 50,245 --a------ C:\WINDOWS\system32\nvModes.dat
2008-05-01 23:24 . 2008-05-18 13:12 50,245 --a------ C:\WINDOWS\system32\nvModes.001
2008-05-01 23:24 . 2006-03-22 23:32 16,960 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-05-01 23:18 . 2008-05-01 23:18 <DIR> d-------- C:\Program Files\SigmaTel
2008-05-01 23:18 . 2005-03-10 16:56 273,168 --a------ C:\WINDOWS\system32\drivers\STAC97.sys
2008-05-01 23:09 . 2008-05-01 23:09 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-01 23:09 . 2008-05-01 23:09 <DIR> d-------- C:\Program Files\Broadcom
2008-05-01 23:08 . 2008-05-01 23:08 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-05-01 23:08 . 2008-05-01 23:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-05-01 23:08 . 2008-05-01 23:08 <DIR> d-------- C:\Documents and Settings\lathzia\Application Data\Intel
2008-05-01 23:08 . 2008-05-04 18:38 21,425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-01 23:07 . 2008-05-01 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-05-01 23:06 . 2008-05-04 18:36 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-02 05:42 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 02:39 486856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 06:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 11:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 11:17 970752]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-12 06:55 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-22 23:32 7561216]
"nwiz"="nwiz.exe" [2006-03-22 23:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2006-03-22 23:32 73728 C:\WINDOWS\system32\nvhotkey.dll]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NvMediaCenter"="NvMCTray.dll" [2006-03-22 23:32 86016 C:\WINDOWS\system32\nvmctray.dll]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-03-26 23:35 36352]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 16:33 52840]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-10-07 20:48 125368]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]

C:\Documents and Settings\lathzia\Start Menu\Programs\Startup\
istgah Dictionary.lnk - C:\istgah_dic\dic_istgah.exe [2008-05-10 18:52:27 367104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-05-11 21:40:45 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

R0 pxark;pxark;C:\WINDOWS\system32\drivers\pxark.sys [2008-05-18 12:41]
R2 CSIScanner;CSIScanner;"C:\Program Files\PrevxCSI\prevxcsi.exe" /service []
R2 TabletServiceWacom;TabletServiceWacom;C:\WINDOWS\system32\Wacom_Tablet.exe [2007-09-07 11:40]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 16:11]
S3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys [2006-08-09 11:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\d8hii.cmd
\Shell\explore\Command - C:\d8hii.cmd
\Shell\open\Command - C:\d8hii.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2557c952-1ac3-11dd-a99f-001143746d98}]
\Shell\AutoRun\command - E:\oalvm.com
\Shell\explore\Command - E:\oalvm.com
\Shell\open\Command - E:\oalvm.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bdfe543-180b-11dd-a989-a799fd3db25d}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bdfe544-180b-11dd-a989-a799fd3db25d}]
\Shell\AutoRun\command - G:\f6d.bat
\Shell\explore\Command - G:\f6d.bat
\Shell\open\Command - G:\f6d.bat

*Newly Created Service* - CATCHME
*Newly Created Service* - CSISCANNER
*Newly Created Service* - PXARK
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 13:28:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-18 13:28:35
ComboFix-quarantined-files.txt 2008-05-18 20:28:30

Pre-Run: 30,175,576,064 bytes free
Post-Run: 30,869,688,320 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

_____
_____


hijackthis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:11 PM, on 5/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\istgah_dic\dic_istgah.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: istgah Dictionary.lnk = C:\istgah_dic\dic_istgah.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7604 bytes
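What the ComboFix log above shows is the standard autorun-worm layout, and it accounts for both symptoms in the first post. autorun.inf sat in the root of C: and F:, hidden+system .cmd droppers (C:\6isba62q.cmd and C:\0ajq.cmd, attributes -r-hs----) sat beside them, and under HKCU\...\Explorer\MountPoints2 the Shell\open and Shell\explore verbs for C: and G: were redirected to root-level scripts, so double-clicking a drive runs the script before the drive is shown, which is consistent with the "opens in a new window" symptom. The hidden-file symptom usually comes from the worm resetting Explorer's show-hidden settings in the registry, which the loading-points section of this log does not display. ComboFix removed the files listed under "Other Deletions", but the MountPoints2 entries are a per-user cache and survive file cleanup, so they are worth checking afterwards. F:\LaunchU3.exe registered on the AutoRun verb alone is the normal U3 flash-drive launcher pattern, which is why only open/explore overrides are treated as hijacks here. The script below is an added example (not part of this thread and not a BleepingComputer tool) that runs those checks over a ComboFix-style log; the sample is an excerpt of the log posted above, and the rule names and severity labels are my own.

```python
import re
from dataclasses import dataclass

# Excerpt of the ComboFix output posted in this thread, kept as a constructed
# sample so the script runs offline; only autorun-related lines are included.
SAMPLE_LOG = r"""
C:\autorun.inf
C:\WINDOWS\system32\kxvo.exe
F:\Autorun.inf
2008-05-18 12:41 . 2008-05-18 12:41 163,042 -r-hs---- C:\6isba62q.cmd
2008-05-16 10:41 . 2008-05-18 01:44 162,280 -r-hs---- C:\0ajq.cmd
2008-05-18 12:41 . 2008-05-18 12:41 17,408 --a------ C:\WINDOWS\system32\drivers\pxark.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\d8hii.cmd
\Shell\explore\Command - C:\d8hii.cmd
\Shell\open\Command - C:\d8hii.cmd
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bdfe543-180b-11dd-a989-a799fd3db25d}]
\Shell\AutoRun\command - F:\LaunchU3.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3bdfe544-180b-11dd-a989-a799fd3db25d}]
\Shell\AutoRun\command - G:\f6d.bat
\Shell\explore\Command - G:\f6d.bat
\Shell\open\Command - G:\f6d.bat
"""

# "[HKEY_CURRENT_USER\...\mountpoints2\<volume>]" section header
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<vol>[^\]]+)\]$", re.I)
# "\Shell\<verb>\command - <command>" line inside such a section
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>AutoRun|open|explore)\\command - (?P<cmd>.+)$", re.I)
# ComboFix file line: created . modified size attributes path
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(?P<size>[\d,]+|<DIR>)\s+"
    r"(?P<attr>[-\w]{9})\s+(?P<path>[A-Za-z]:\\.+)$"
)
# Root-level file with a script/executable extension, e.g. C:\d8hii.cmd
ROOT_SCRIPT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(cmd|bat|com|exe|pif|scr|vbs)$", re.I)
AUTORUN_INF_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "info" (labels chosen for this example)
    kind: str      # rule name chosen for this example
    detail: str


def triage(log: str) -> list[Finding]:
    """Flag autorun-worm indicators in ComboFix-style log text."""
    findings: list[Finding] = []
    volume = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            volume = m.group("vol")
            continue
        m = VERB_RE.match(line)
        if m and volume is not None:
            verb, cmd = m.group("verb").lower(), m.group("cmd").strip()
            if ROOT_SCRIPT_RE.match(cmd):
                # Worms override open/explore so a double-click on the drive runs
                # the dropper; a vendor launcher normally registers only AutoRun.
                sev = "high" if verb in ("open", "explore") else "info"
                findings.append(Finding(sev, "mountpoints2_hijack", f"{volume}: Shell\\{verb} -> {cmd}"))
            continue
        m = FILE_RE.match(line)
        if m:
            attr, path = m.group("attr").lower(), m.group("path")
            # hidden + system attributes on a root-level script is the dropper pattern
            if "h" in attr and "s" in attr and ROOT_SCRIPT_RE.match(path):
                findings.append(Finding("high", "hidden_root_script", f"{path} [{attr}]"))
            continue
        if AUTORUN_INF_RE.match(line):
            findings.append(Finding("info", "autorun_inf", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule name."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:5} {f.kind:20} {f.detail}")
```

Run it against a saved ComboFix log by replacing SAMPLE_LOG with the file contents; "high" hits are the ones to clean, and an AutoRun-only entry pointing at a vendor launcher should be confirmed against the drive before it is deleted.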

#2 heroic

heroic
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 18 May 2008 - 03:00 PM

Bump~


After scanning once more and checking all the possible places for the certain trojan, I concluded that it has been removed forever from my computer. Although I'm running a Linux machine, and I'll be working on that for a while, and playing WoW on that instead of XP for some time, just to be safe for some time. But can someone kindly look at my log and make me sure that there are no harmful things going on?

#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:04 PM

Posted 13 June 2008 - 07:51 PM

Hello heroic

Welcome to BleepingComputer :thumbsup:
========================
If you are still in need of assistance please post a new Hijackthis log.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



