Infected With Trojans


  • This topic is locked
1 reply to this topic

#1 lastknightmd

  • Members
  • 4 posts

Posted 18 June 2008 - 04:51 PM

My PC suddenly started showing a blue desktop screen with bugs crawling on the screen. After reading through various posts here, I ran SuperAntiSpyware, Malwarebytes AntiMalware and ComboFix in safe mode. The blue screen and bugs have disappeared. But scans with a2 (a-squared) always identify trojans and the system has slowed down. My regular AV is Avast. I want to make sure that all malware and viruses have been removed and need to verify with your expertise. Please help.

ComboFix log is attached.
ComboFix 08-06-16.5 - Administrator 2008-06-18 1:33:41.4 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.274 [GMT -4:00]
Running from: C:\Software\AV\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-18 00:08 . 2008-06-18 00:08 <DIR> d-------- C:\Documents and Settings\Mohana\Application Data\HPAppData
2008-06-17 23:43 . 2008-06-17 23:43 <DIR> d-------- C:\Documents and Settings\Mohana\Application Data\Bitdefender
2008-06-17 23:42 . 2003-10-11 01:19 <DIR> d-------- C:\Documents and Settings\Mohana\WINDOWS
2008-06-17 23:42 . 2003-10-14 01:21 <DIR> d-------- C:\Documents and Settings\Mohana\Application Data\Symantec
2008-06-17 23:42 . 2003-10-11 00:57 <DIR> d-------- C:\Documents and Settings\Mohana\Application Data\Sonic
2008-06-17 23:42 . 2003-10-11 01:47 <DIR> d-------- C:\Documents and Settings\Mohana\Application Data\SampleView
2008-06-17 23:42 . 2003-10-14 01:24 <DIR> d-------- C:\Documents and Settings\Mohana\Application Data\interMute
2008-06-17 23:42 . 2008-06-18 01:21 <DIR> d-------- C:\Documents and Settings\Mohana
2008-06-17 15:42 . 2008-06-17 15:42 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-06-13 16:46 . 2008-03-28 09:17 212,728 --a------ C:\WINDOWS\CMDLIC.DLL
2008-06-13 16:46 . 2008-03-28 09:16 205,560 --a------ C:\WINDOWS\UNBOC.EXE
2008-06-13 16:46 . 2004-08-04 03:56 22,528 --a------ C:\WINDOWS\system32\wsock32.dlb
2008-06-13 16:45 . 2008-06-13 16:45 <DIR> d-------- C:\Program Files\Comodo
2008-06-13 16:45 . 2008-06-13 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BOC426
2008-06-13 16:45 . 2008-06-18 00:07 10,096 --a------ C:\WINDOWS\BOC426.INI
2008-06-13 15:22 . 2008-06-13 15:22 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-13 15:19 . 2008-06-13 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-06-11 13:33 . 2008-06-11 13:33 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Bitdefender
2008-06-11 12:46 . 2008-06-18 01:21 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-06-11 12:42 . 2008-06-11 12:42 <DIR> d-------- C:\Program Files\Softwin
2008-06-11 12:42 . 2008-06-11 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-06-11 12:41 . 2008-06-11 12:42 <DIR> d-------- C:\Program Files\Common Files\Softwin
2008-06-11 12:16 . 2008-06-11 12:16 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-11 12:16 . 2008-06-11 12:34 <DIR> d-------- C:\SDFix
2008-06-11 03:04 . 2008-06-18 00:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-11 03:03 . 2008-06-11 03:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-11 03:01 . 2008-06-11 03:02 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-11 02:35 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 02:31 . 2008-06-17 23:41 9,809,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-11 02:31 . 2008-06-17 23:41 116,036 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-11 00:36 . 2008-06-17 17:21 <DIR> d-------- C:\Program Files\a-squared Free
2008-06-11 00:23 . 2008-06-11 00:23 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\TextPad
2008-06-11 00:12 . 2008-06-11 00:12 250 --a------ C:\WINDOWS\gmer.ini
2008-06-10 15:47 . 2008-06-17 23:27 <DIR> d-------- C:\KaspAvp
2008-06-10 15:03 . 2008-06-10 22:24 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-10 15:03 . 2008-06-10 15:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-10 15:03 . 2008-06-10 15:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-10 15:03 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-10 15:03 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-10 14:56 . 2008-06-10 14:56 3,310 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-09 23:17 . 2008-06-09 23:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-09 22:38 . 2008-06-09 22:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-09 22:38 . 2008-06-09 22:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-06-09 22:38 . 2008-06-09 22:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-09 22:28 . 2008-06-09 22:12 6,467,096 --a------ C:\SUPERAntiSpyware.exe
2008-06-09 22:12 . 2008-06-09 22:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 22:06 . 2008-06-09 22:06 <DIR> d-------- C:\Program Files\CCleaner
2008-06-08 14:00 . 2003-10-11 01:19 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-08 14:00 . 2003-10-14 01:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-08 14:00 . 2003-10-11 00:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-06-08 14:00 . 2003-10-11 01:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-06-08 14:00 . 2003-10-14 01:24 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-06-08 14:00 . 2008-06-13 15:19 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-04 17:30 . 2008-06-08 12:56 <DIR> d-------- C:\Program Files\DNA
2008-05-30 16:38 . 2008-05-30 16:38 <DIR> d-------- C:\temp
2008-05-27 17:37 . 2008-05-27 17:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HP
2008-05-27 17:24 . 2008-05-27 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-05-27 17:22 . 2007-03-30 11:29 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-05-27 17:22 . 2007-03-28 14:01 118,272 --a------ C:\WINDOWS\system32\hpz3l5ha.dll
2008-05-27 17:22 . 2007-03-08 00:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-05-27 17:22 . 2007-03-08 00:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-05-27 17:22 . 2007-03-08 00:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-05-27 17:21 . 2007-03-17 02:39 958,464 -ra------ C:\WINDOWS\system32\hpotiop4.dll
2008-05-27 17:21 . 2007-03-17 02:39 675,840 -ra------ C:\WINDOWS\system32\hpowiax4.dll
2008-05-27 17:21 . 2007-03-08 00:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-05-27 17:21 . 2007-03-08 00:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-05-27 17:21 . 2007-03-17 02:39 303,104 -ra------ C:\WINDOWS\system32\hpovst11.dll
2008-05-27 17:20 . 2008-05-27 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-05-27 17:19 . 2008-06-17 17:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\HPAppData
2008-05-27 17:16 . 2008-05-27 17:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-05-27 17:16 . 2008-05-27 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-05-27 17:10 . 2008-05-27 17:24 139,759 --a------ C:\WINDOWS\hpoins15.dat
2008-05-27 17:10 . 2007-09-20 16:05 1,039 --------- C:\WINDOWS\hpomdl15.dat
2008-05-27 17:04 . 2003-05-29 01:34 266,240 --a------ C:\WINDOWS\system32\hpdj3600
2008-05-27 17:04 . 2004-04-07 20:04 121,809 --a------ C:\WINDOWS\hpdj3600.hi1
2008-05-27 17:04 . 2004-04-07 20:04 7,325 --a------ C:\WINDOWS\hpdj3600.bu1
2008-05-24 15:02 . 2008-05-24 15:02 <DIR> d-------- C:\Program Files\AVG
2008-05-24 15:02 . 2008-05-27 17:28 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 16:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-06-11 16:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-06-11 02:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-11 02:23 --------- d-----w C:\Program Files\Java
2008-05-27 21:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-05-27 21:20 --------- d-----w C:\Program Files\HP
2008-05-27 21:16 --------- d-----w C:\Program Files\Common Files\HP
2008-05-27 21:05 --------- d-----w C:\Program Files\Hewlett-Packard
2008-05-20 18:42 --------- d-----w C:\Program Files\DivX
2008-05-10 20:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\MSNInstaller
2008-05-10 19:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-10 19:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2004-08-12 03:22 52,968 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-04-10 17:17 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( snapshot_2008-06-17_22.25.09.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-18 02:18:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-18 05:22:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll" [2003-08-19 05:56 852038 C:\WINDOWS\system32\nview.dll]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 10:07 114688]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 10:23 90112]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 05:55 483328]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 11:01 110592]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42 212992]
"VTTimer"="VTTimer.exe" [2004-10-22 12:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"LTMSG"="LTMSG.exe" [2003-07-14 20:52 40960 C:\WINDOWS\ltmsg.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 20:11 139264]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39 98304]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 14:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2005-10-07 22:06 385024]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-20 18:00 185896]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"lphc7quj0erdg"="C:\WINDOWS\system32\lphc7quj0erdg.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2007-04-02 16:48 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 15:49 69632]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 19:19 79224]
"BOC-426"="C:\PROGRA~1\Comodo\CBOClean\BOC426.exe" [2008-04-10 11:08 351480]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
WkCalRem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-06-20 14:21:32 24651]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\bin\matcli.exe [2005-09-17 13:18:26 204800]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
C:\Program Files\BitTorrent_DNA\dna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
C:\Program Files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 15:22 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"hpqcxs08"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\wd_windows_tools\setup.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 01:36:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-18 1:37:32
ComboFix-quarantined-files.txt 2008-06-18 05:37:28
ComboFix2.txt 2008-06-18 02:25:21
ComboFix3.txt 2008-06-10 19:42:56
ComboFix4.txt 2008-06-10 04:29:42

Pre-Run: 137,497,853,952 bytes free
Post-Run: 137,503,211,520 bytes free

199 --- E O F --- 2008-06-11 07:05:27

#2 TMacK

  • Members
  • 4,672 posts
  • Gender:Male
  • Location:B.C. Canada

Posted 18 June 2008 - 08:24 PM

Hello lastknightmd,

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff/TMacK
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner
