Trojan-psw.win32.onlinegames.qzl - Combofix Log



#1 Loziek

  • Members
  • 1 posts

Posted 05 June 2008 - 01:41 PM

Hello,

Recently my computer got infected from a USB stick. I have Kaspersky antivirus (KIS), but for some reason it didn't kill or notice the virus. When I did a manual scan, Kaspersky reported an infection: Trojan-PSW.Win32.OnLineGames.qzl and Worm.Win32.AutoRun.cub, and deleted the files. Unfortunately the virus recreated these files and hence I cannot get rid of it.

Running ComboFix fixed the problem. As stated in the ComboFix how-to, I am posting the log files:

ComboFix 08-06-04.1 - loziek 2008-06-05 0:54:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.632 [GMT 2:00]
Running from: C:\Documents and Settings\loziek\Pulpit\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-04 00:20 . 2008-06-04 00:20 <DIR> d-------- C:\Program Files\Google
2008-05-18 23:59 . 2008-05-18 23:59 63 --a------ C:\pdfinfo.ini
2008-05-18 23:58 . 2008-05-18 23:58 1,024 --a------ C:\WINDOWS\system32\pwdremover.dat
2008-05-18 23:58 . 2008-05-18 23:58 36 --a------ C:\WINDOWS\verypdf.ini
2008-05-16 21:11 . 2008-05-16 21:11 1,501,379 --a------ C:\WINDOWS\WANEUninstaller.exe
2008-05-11 16:27 . 2004-08-04 08:38 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-05-11 16:27 . 2004-08-04 08:38 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-05-11 16:26 . 2004-08-04 07:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-11 16:26 . 2004-08-04 07:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-05-09 21:01 . 2008-05-09 21:01 <DIR> d-------- C:\Program Files\Mplayer
2008-05-09 20:56 . 2008-05-09 21:01 746 --a------ C:\WINDOWS\QIII.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 23:13 942,368 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-04 23:13 23,079,200 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-04 22:28 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-04 22:26 96,440 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-04 22:26 314,756 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-01 20:36 --------- d-----w C:\Documents and Settings\loziek\Dane aplikacji\Skype
2008-05-31 18:22 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-05-31 18:22 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-05-31 18:22 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-19 21:29 --------- d-----w C:\Documents and Settings\loziek\Dane aplikacji\Azureus
2008-05-11 15:00 --------- d-----w C:\Documents and Settings\loziek\Dane aplikacji\OpenOffice.org2
2008-05-03 17:44 --------- d-----w C:\Documents and Settings\loziek\Dane aplikacji\ACD Systems
2008-05-03 17:43 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-05-03 17:43 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
2008-04-27 08:16 --------- d-----w C:\Program Files\Common Files\DirectX
2008-04-17 09:09 --------- d-----w C:\Documents and Settings\loziek\Dane aplikacji\Research In Motion
2008-04-17 08:58 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-04-16 07:28 --------- d-----w C:\Documents and Settings\loziek\Dane aplikacji\TortoiseSVN
2008-03-25 08:20 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 17:34 2 ----a-w C:\Documents and Settings\Loziek\TempWmicBatchFile.bat
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\programy\nauka\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\programy\nauka\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\programy\nauka\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\programy\nauka\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\programy\nauka\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\programy\nauka\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 13:35 536576 --a------ C:\programy\nauka\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tppoll"="C:\Program Files\TOPRO\TPPOLL.EXE" [2005-03-02 18:12 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"StartUp This"="C:\programy\narzedzia\laplink\LaunchSt.exe" [2007-03-15 09:50 54840]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-01-26 22:56:58 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\programy\security\kis\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 19:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--------- 2005-06-12 11:51 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-04-21 05:57 162584 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
--a------ 2007-03-21 14:00 174872 C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-04-21 05:57 142104 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-04-21 05:57 138008 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2008-01-09 16:25 16859648 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\programy\inside\j2re\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
--a------ 2007-09-07 12:35 102400 C:\Program Files\Synaptics\SynTP\SynTPStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\programy\\narzedzia\\laplink\\PCmover.exe"=
"C:\\programy\\security\\kis\\avp.exe"=
"C:\\programy\\internet\\skype\\Skype.exe"=
"C:\\programy\\internet\\webdrive.exe"=
"C:\\programy\\internet\\wdService.exe"=

R1 GhPciScan;GhostPciScanner;C:\programy\narzedzia\ghost\ghpciscan.sys [2002-08-14 16:11]
R2 WebDriveFSD;WebDrive Filesystem Driver;C:\programy\internet\wdfsd.sys [2008-01-17 19:39]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 15:58]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 14:37]
S3 DCamUSBIntel;USB Video Camera;C:\WINDOWS\system32\Drivers\TP6800.sys [2006-05-18 17:29]
S3 flash;flash;C:\WINDOWS\system32\drivers\flash.sys [2005-11-17 16:36]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 23:10]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b07c4af-bb5a-11dc-8525-000461463f2c}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69c30990-bb67-11dc-a44d-001e4c32544e}]
\Shell\AutoRun\command - H:\0hct8ybw.bat
\Shell\explore\Command - H:\0hct8ybw.bat
\Shell\open\Command - H:\0hct8ybw.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6dfa05ee-1e5d-11dd-a487-001e4c32544e}]
\Shell\Auto\command - fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 01:13:40
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\programy\nauka\TortoiseSVN\iconv\_tbl_simple.so
-> C:\programy\nauka\TortoiseSVN\iconv\windows-1250.so
-> C:\programy\nauka\TortoiseSVN\iconv\utf-8.so
.
Completion time: 2008-06-05 1:14:51
ComboFix-quarantined-files.txt 2008-06-04 23:14:40

Pre-Run: 3,006,623,744 bajtów wolnych
Post-Run: 2,811,912,192 bajtów wolnych

162 --- E O F --- 2008-05-17 08:42:59

#2 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 01 July 2008 - 06:48 PM

Welcome to the BleepingComputer Forums. If you are still having problems, please post a new HijackThis log. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 08 July 2008 - 10:18 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



