
Attention! Malware/trojan Problem

2 replies to this topic

#1 screwuhippie


  • Members
  • 3 posts

Posted 20 June 2008 - 05:20 PM

Hi,

I would appreciate it if someone could help. Followed a link that suggested I run "ComboFix.exe" from this site and then post my log in a forum. I am getting a pop-up when I'm navigating anything in Explorer (i.e., files etc.)

System Error!

Attention, Bob Johnson! Some dangerous trojan horses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in C:\WINDOWS. Download protection software now!

Click OK to download the antispyware (Recommended)

And you can click yes or no but either way it opens a browser to a site that says it'll fix it.

Needless to say ... Please help/advise. I also tried something called SmitfraudFix.

Thank you in advance


ComboFix 08-06-19.4 - The Admin 2008-06-20 18:08:56.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.83 [GMT -4:00]
Running from: C:\Documents and Settings\The Admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 01:22 . 2008-06-20 01:24 3,010 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-20 00:13 . 2008-06-20 00:16 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-19 23:24 . 2008-06-19 23:24 13,824 --a------ C:\WINDOWS\system32\dani.dll
2008-06-19 23:24 . 2008-06-19 23:24 13,824 --a------ C:\WINDOWS\system32\copol.dll
2008-06-12 19:34 . 2008-06-12 19:34 0 --a------ C:\LOG29.tmp
2008-06-12 13:16 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-06-12 13:16 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-06-10 21:12 . 2008-04-14 07:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 21:12 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 20:24 . 2008-06-09 21:00 <DIR> d-------- C:\Documents and Settings\The Admin\Application Data\TrueCrypt
2008-06-09 20:23 . 2008-06-09 20:23 <DIR> d-------- C:\Program Files\TrueCrypt
2008-06-09 20:23 . 2008-04-12 00:00 188,672 --a------ C:\WINDOWS\system32\drivers\truecrypt.sys
2008-05-29 22:55 . 2008-05-30 00:25 <DIR> d-------- C:\Program Files\Yahoo SiteBuilder
2008-05-29 22:32 . 2008-05-29 22:32 0 --a------ C:\LOG10.tmp
2008-05-29 22:20 . 2008-05-29 22:20 0 --a------ C:\LOG8.tmp
2008-05-29 22:03 . 2008-05-29 22:03 0 --a------ C:\LOG7.tmp
2008-05-20 10:58 . 2008-05-20 10:58 0 --a------ C:\LOG236.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 03:18 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-19 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-15 15:21 --------- d-----w C:\Documents and Settings\The Admin\Application Data\LimeWire
2008-06-12 23:42 --------- d-----w C:\Documents and Settings\The Admin\Application Data\U3
2008-06-08 23:43 --------- d-----w C:\Program Files\ImTOO
2008-05-25 22:43 --------- d-----w C:\Program Files\JAlbumWin
2008-05-25 22:41 --------- d-----w C:\Program Files\mIRC
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-27 02:59 --------- d-----w C:\Program Files\IrfanView
2008-04-27 02:48 --------- d-----w C:\Program Files\Canon
2008-04-27 02:47 --------- d-----w C:\Program Files\Common Files\Canon
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}]
2008-06-19 23:24 13824 --a------ C:\WINDOWS\system32\dani.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 13:42 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [2005-11-15 14:28 85744]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-08 00:55 176128]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe" [2005-07-08 00:55 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 16:18 241664]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 16:41 49152]
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2005-07-08 00:55 491520]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 16:57 282624]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-03 18:19 185632]
"MP10_EnsureFileVer"="C:\WINDOWS\inf\unregmp2.exe" [2006-02-28 08:00 208896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Document Assistant.lnk - C:\HPDESK\hppddir.exe [2007-02-24 18:26:10 384512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2006-01-12 13:56]
R2 HPPECP00;HPPECP00;C:\WINDOWS\system32\drivers\HPPECP00.sys [1998-11-12 13:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13613f54-cb86-11dc-b9ac-00104b686cd3}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 02:16:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
"2007-02-18 05:42:15 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 18:10:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-20 18:11:58
ComboFix-quarantined-files.txt 2008-06-20 22:11:53
ComboFix2.txt 2008-06-20 22:05:38

Pre-Run: 37,313,273,856 bytes free
Post-Run: 37,303,455,744 bytes free

104 --- E O F --- 2008-06-11 07:02:52
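The log above carries the indicators a helper would look at first: a Browser Helper Object whose DLL (dani.dll) was written to system32 the evening before the scan, a second DLL (copol.dll) of identical size dropped in the same minute, Security Center monitoring switched off for both Symantec products, and the Windows Firewall disabled. The following script is an added example, not ComboFix's or BleepingComputer's code; it parses the line layouts seen in this log (the "Files Created" lines, the registry key headers with their first value line) and applies those four checks so that the suspicious entries surface without reading the whole report by hand. The sample input is excerpted from the log posted above, and the 7-day "recent file" window and rule set are this example's own assumptions.

```python
"""Triage a ComboFix-style log for the indicators discussed in this thread.

Added example, not ComboFix's or BleepingComputer's code. It assumes the line
layouts seen in the log above; the 7-day "recent" window and the rule set are
this example's own choices.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: lines excerpted from the log posted above.
SAMPLE_LOG = r"""
ComboFix 08-06-19.4 - The Admin 2008-06-20 18:08:56.2 - NTFSx86
2008-06-20 01:22 . 2008-06-20 01:24 3,010 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-20 00:13 . 2008-06-20 00:16 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-19 23:24 . 2008-06-19 23:24 13,824 --a------ C:\WINDOWS\system32\dani.dll
2008-06-19 23:24 . 2008-06-19 23:24 13,824 --a------ C:\WINDOWS\system32\copol.dll
2008-06-09 20:23 . 2008-04-12 00:00 188,672 --a------ C:\WINDOWS\system32\drivers\truecrypt.sys

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2FF811E6-8925-4084-A649-C159955E67E8}]
2008-06-19 23:24 13824 --a------ C:\WINDOWS\system32\dani.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

HEADER_RE = re.compile(r"^ComboFix .* (\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}", re.M)
# "created . modified size attrs path" lines from the Files Created section
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$", re.M)
# a registry key header and the first value line beneath it
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]\n(.+)$", re.M)
# "date time size attrs path" as printed under a BHO key
BHO_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S{9} (.+)$")
RECENT = timedelta(days=7)  # assumption: files this close to the scan deserve a look
TS = "%Y-%m-%d %H:%M"


def parse_scan_time(log):
    """Scan start time taken from the ComboFix banner line."""
    return datetime.strptime(HEADER_RE.search(log).group(1), TS)


def parse_created_files(log):
    """(created, size_or_None, attrs, path) for every Files Created line."""
    out = []
    for m in FILE_RE.finditer(log):
        size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
        out.append((datetime.strptime(m.group(1), TS), size, m.group(3), m.group(4)))
    return out


def parse_reg_values(log):
    """(key, first value line) for each registry section of the Reg Loading Points part."""
    return [(m.group(1), m.group(2).strip()) for m in KEY_RE.finditer(log)]


def folder(path):
    return path.lower().rsplit("\\", 1)[0]


def triage(log):
    """Return human-readable findings, in the order the triggering entries occur."""
    scan_time = parse_scan_time(log)
    files = parse_created_files(log)
    created_at = {p.lower(): c for c, _, _, p in files}
    findings = []
    for key, value in parse_reg_values(log):
        k = key.lower()
        if "browser helper objects" in k:
            m = BHO_RE.match(value)
            path = m.group(1) if m else value
            created = created_at.get(path.lower())
            # a BHO whose DLL appeared just before the scan is the classic adware/scareware foothold
            if created and scan_time - created <= RECENT:
                findings.append(f"recent BHO: {path} created {created:{TS}}")
                # anything written to the same folder in the same minute was likely dropped with it
                for c, _, _, p in files:
                    if c == created and folder(p) == folder(path) and p.lower() != path.lower():
                        findings.append(f"dropped alongside BHO: {p}")
        elif "security center\\monitoring" in k and re.search(r'"DisableMonitoring"=dword:0*1$', value):
            # Security Center told to stop reporting on this product: the AV/firewall can die silently
            product = key.rsplit("\\", 1)[1]
            findings.append(f"Security Center monitoring disabled: {product}")
        elif "firewallpolicy" in k and re.match(r'"EnableFirewall"=\s*0\b', value):
            profile = key.rsplit("\\", 1)[1]
            findings.append(f"Windows Firewall disabled ({profile})")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

On a real log you pass the whole file's text to `triage()`; the output is a prioritised reading list for whoever analyses the log, not a verdict, since a freshly installed legitimate toolbar also registers a recent BHO. The Security Center and firewall rules are the ones worth acting on regardless: both values being set to "disabled" with no corresponding uninstall of the Symantec products is what lets the scareware pop-up run unchallenged.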

#2 screwuhippie

  • Topic Starter

  • Members
  • 3 posts

Posted 20 June 2008 - 05:22 PM

I'm sorry about posting the ComboFix log ... I was following the instructions at

http://www.bleepingcomputer.com/combofix/h...e-combofix#skip

which says

You should now register an account at one of the forums listed below and copy and paste the above log file into a new topic. When posting this information please also provide a description of the problems that you are having. When posting your log files, please be patient as these forums are very active and it could take some time before you receive a response. If you are having problems connecting to the Internet after running Combofix, then please see this section.

It is possible that ComboFix, even on its first run, may have fixed the problems you are having. We strongly suggest that you still post your log at a forum as you most likely will have infections left over that a helper will need to analyze further.

sorry ... where else can I post this to get help?

#3 screwuhippie

  • Topic Starter

  • Members
  • 3 posts

Posted 20 June 2008 - 05:56 PM

I did a little reading (should have done it earlier, sorry) and found this

http://www.bleepingcomputer.com/forums/ind...+detected\

Worked great! Thanks Thunder

Sorry to waste board space
