

Infected By *attention User: Some Dangerous Trojans Detected...*


4 replies to this topic

#1 GrimReality

GrimReality

  • Members
  • 2 posts

Posted 10 July 2008 - 05:25 PM

I've already tried...
smitfraudfix.exe
Spybot S&D
A-Squared
AVG Free
and now I've got Windows Firewall turned on

But I still have the same symptoms of the infection, namely, whenever I go into Control Panel, My Computer/Windows Explorer, or Internet Explorer a warning box pops up saying
"System error!"
"Attention User! Some dangerous trojan horses detected in your system. Microsoft Windows files corrupted. This may lead to the destruction of important files in c:\windows. Download protection software now!"
"Click OK to download the antispyware. (Recommended)"
with two options:
OK and Cancel

Either of those two options, or closing the window with the top right X button, or Alt-F4 all result in the same thing. A new Internet Explorer window opens and goes directly to a page that downloads or updates or does whatever to make this infection worse.

I'd be ready to reformat if it weren't for the uncertainty of my backup files. I didn't have any recent backups prior to this infection (stupid me), so I decided to back everything up while infected, of course that means my backups potentially carry the infection.

Anyway, here's the ComboFix log:
ComboFix 08-07-09.5 - Drew 2008-07-10 16:45:10.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2424 [GMT -5:00]
Running from: C:\Documents and Settings\Drew\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2008-06-10 to 2008-07-10  )))))))))))))))))))))))))))))))
.

2008-07-10 16:38 . 2008-07-10 16:38	<DIR>	d--------	C:\Deckard
2008-07-09 20:08 . 2008-07-09 20:08	<DIR>	d--h-----	C:\$AVG8.VAULT$
2008-07-08 22:12 . 2008-07-08 22:16	2,264	--a------	C:\WINDOWS\system32\tmp.reg
2008-07-08 18:23 . 2008-07-08 20:54	<DIR>	d--------	C:\WINDOWS\BDOSCAN8
2008-07-08 18:09 . 2008-07-08 21:51	<DIR>	d--------	C:\Program Files\Burn4Free
2008-07-08 16:10 . 2008-07-08 22:30	<DIR>	d--------	C:\Program Files\DNA
2008-07-08 16:10 . 2008-07-08 16:10	<DIR>	d--------	C:\Program Files\BitTorrent
2008-07-08 16:10 . 2008-07-08 16:49	<DIR>	d--------	C:\Documents and Settings\Drew\Application Data\BitTorrent
2008-07-08 07:32 . 2008-07-08 07:32	180,224	--a------	C:\WINDOWS\system32\AswBHO.dll
2008-07-06 12:41 . 2008-07-06 12:41	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-07-06 12:41 . 2008-07-06 12:41	1,409	--a------	C:\WINDOWS\QTFont.for
2008-07-06 01:23 . 2008-07-06 01:23	<DIR>	d--------	C:\Documents and Settings\Drew\Application Data\SPORE Creature Creator
2008-07-01 17:35 . 2008-07-01 17:47	<DIR>	d--------	C:\Documents and Settings\Drew\Application Data\OpenOffice.org2
2008-07-01 17:34 . 2008-07-01 17:34	<DIR>	d--------	C:\Program Files\OpenOffice.org 2.4
2008-06-30 18:47 . 2008-06-30 18:47	152	--a------	C:\WINDOWS\CoolPlay.ini
2008-06-30 18:45 . 2008-07-09 23:57	64,988	--a------	C:\WINDOWS\system32\DVCState-{00000004-00000000-00000006-00001102-00000005-00211102}.rfx
2008-06-30 18:45 . 2008-07-09 23:57	54,672	--a------	C:\WINDOWS\system32\BMXStateBkp-{00000004-00000000-00000006-00001102-00000005-00211102}.rfx
2008-06-30 18:45 . 2008-07-09 23:57	54,672	--a------	C:\WINDOWS\system32\BMXState-{00000004-00000000-00000006-00001102-00000005-00211102}.rfx
2008-06-30 18:45 . 2008-07-09 23:57	1,080	--a------	C:\WINDOWS\system32\settingsbkup.sfm
2008-06-30 18:45 . 2008-07-09 23:57	1,080	--a------	C:\WINDOWS\system32\settings.sfm
2008-06-30 18:44 . 2000-05-22 03:58	647,872	---------	C:\WINDOWS\system32\Mscomct2.ocx
2008-06-30 18:44 . 1999-10-10 12:00	41,984	---------	C:\WINDOWS\Ctregrun.exe
2008-06-30 18:43 . 2000-05-11 01:00	90,112	---------	C:\WINDOWS\Updreg.EXE
2008-06-30 18:42 . 2005-08-07 16:42	68,135	-ra------	C:\WINDOWS\system32\instwdm.ini
2008-06-30 18:42 . 2005-08-07 17:10	10,240	--a------	C:\WINDOWS\CTDCRES.DLL
2008-06-30 18:42 . 2005-08-07 16:42	191	-ra------	C:\WINDOWS\system32\ctzapxx.ini
2008-06-26 15:10 . 2008-06-26 15:10	42,320	--a------	C:\WINDOWS\system32\xfcodec.dll
2008-06-25 18:13 . 2008-06-25 18:13	331	--a------	C:\WINDOWS\doom3.ini
2008-06-20 12:46 . 2008-06-20 12:46	245,248	-----c---	C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 12:46 . 2008-06-20 12:46	147,968	-----c---	C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 06:51 . 2008-06-20 06:51	361,600	-----c---	C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 06:40 . 2008-06-20 06:40	138,496	-----c---	C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 06:08 . 2008-06-20 06:08	225,856	-----c---	C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-14 17:31 . 2008-06-14 17:31	<DIR>	dr-h-----	C:\Documents and Settings\Drew\Application Data\SecuROM
2008-06-10 14:38 . 2008-07-08 18:11	1,355	--a------	C:\WINDOWS\imsins.BAK
2008-06-10 14:33 . 2008-06-13 06:05	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 14:33 . 2008-05-08 09:02	203,136	-----c---	C:\WINDOWS\system32\dllcache\rmcast.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 16:42	22,328	----a-w	C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-10 16:42	107,832	----a-w	C:\WINDOWS\system32\PnkBstrB.exe
2008-07-09 23:12	---------	d-----w	C:\Program Files\Java
2008-07-08 21:48	---------	d-----w	C:\Program Files\a-squared Free
2008-07-07 22:56	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-07 05:32	---------	d-----w	C:\Documents and Settings\Drew\Application Data\Xfire
2008-07-06 06:23	107,888	----a-w	C:\WINDOWS\system32\CmdLineExt.dll
2008-07-03 22:18	96,520	----a-w	C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-03 22:18	76,040	----a-w	C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-03 22:18	10,520	----a-w	C:\WINDOWS\system32\avgrsstx.dll
2008-06-30 23:47	196,608	----a-w	C:\WINDOWS\system32\drivers\nStandard.bin
2008-06-30 23:44	---------	d-----w	C:\Program Files\Creative
2008-06-30 23:43	81,920	----a-w	C:\WINDOWS\system32\OpenAL32.dll
2008-06-30 23:42	---------	d-----w	C:\Documents and Settings\Drew\Application Data\Creative
2008-06-20 17:46	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51	361,600	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40	138,496	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08	225,856	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 22:40	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-14 23:15	---------	d-----w	C:\Documents and Settings\Drew\Application Data\Bioshock
2008-06-13 11:05	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-04 00:59	---------	d-----w	C:\Program Files\Electronic Arts
2008-06-03 20:46	12,288	----a-w	C:\WINDOWS\system32\drivers\EIO64_xp.sys
2008-06-03 20:46	---------	d-----w	C:\Program Files\ASUS
2008-06-02 03:10	---------	d-----w	C:\Documents and Settings\Drew\Application Data\Command & Conquer 3 Tiberium Wars Demo
2008-05-28 03:10	---------	d-----w	C:\Program Files\Palm
2008-05-28 03:02	16,694	----a-w	C:\WINDOWS\system32\drivers\PalmUSBD.sys
2008-05-28 02:15	---------	d-----w	C:\Program Files\DivX
2008-05-25 21:02	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-05-25 20:53	---------	d-----w	C:\Program Files\CCleaner
2008-05-25 20:38	---------	d-----w	C:\Program Files\palmOne
2008-05-23 01:17	---------	d-----w	C:\Program Files\AVG
2008-05-23 01:17	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg8
2008-05-21 18:24	---------	d-----w	C:\Documents and Settings\Drew\Application Data\Arcsoft
2008-05-21 18:02	53,248	----a-w	C:\WINDOWS\PalmDevC.dll
2008-05-20 17:16	---------	d-----w	C:\Program Files\Microsoft Silverlight
2008-05-13 19:56	---------	d-----w	C:\Program Files\RADVideo
2008-05-13 04:42	6,656	----a-w	C:\WINDOWS\system32\haspvdd.dll
2008-05-13 04:42	47,616	----a-w	C:\WINDOWS\system32\drivers\Haspnt.sys
2008-05-13 04:42	---------	d-----w	C:\Program Files\GLOBEtrotter Software Inc
2008-05-13 04:41	---------	d-----w	C:\Program Files\Common Files\Alias Shared
2008-05-13 04:41	---------	d-----w	C:\Program Files\Autodesk
2008-05-13 04:40	---------	d-----w	C:\Program Files\Common Files\Autodesk Shared
2008-05-13 04:40	---------	d-----w	C:\Program Files\Alias
2008-05-12 22:25	43,520	----a-w	C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-09 10:53	90,112	----a-w	C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53	430,080	----a-w	C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53	180,224	----a-w	C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53	172,032	----a-w	C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24	155,648	----a-w	C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07	135,168	----a-w	C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12	1,288,192	----a-w	C:\WINDOWS\system32\quartz.dll
2008-05-04 23:01	349	----a-w	C:\Program Files\INSTALL.LOG
2008-04-30 22:27	442,368	----a-w	C:\WINDOWS\system32\NVUNINST.EXE
2008-04-23 04:16	826,368	----a-w	C:\WINDOWS\system32\wininet.dll
2008-04-23 02:44	565,823,849	----a-w	C:\creativesoundblasterxfidisk.zip
2008-04-20 20:03	66,872	----a-w	C:\WINDOWS\system32\PnkBstrA.exe
2008-04-19 19:54	22,328	----a-w	C:\Documents and Settings\Drew\Application Data\PnkBstrK.sys
2008-04-14 10:42	985,088	----a-w	C:\WINDOWS\system32\setupapi.dll
2008-04-14 10:42	11,264	----a-w	C:\WINDOWS\system32\spnpinst.exe
2008-04-14 10:41	423,936	----a-w	C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25	1,804	----a-w	C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16	329,728	----a-w	C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13	92,424	----a-w	C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13	87,176	----a-w	C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13	12,168	----a-w	C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11	997,376	----a-w	C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10	53,279	----a-w	C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10	4,126	----a-w	C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10	3,584	----a-w	C:\WINDOWS\system32\msafd.dll
2008-04-13 19:30	1,845,632	----a-w	C:\WINDOWS\system32\win32k.sys
2008-04-13 19:24	2,145,280	----a-w	C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44	17,664	----a-w	C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43	9,728	------w	C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43	12,800	----a-w	C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31	7,424	----a-w	C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31	2,023,936	----a-w	C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30	61,440	----a-w	C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14	76,800	------w	C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39	438,784	----a-w	C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39	2,897,920	----a-w	C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39	187,392	----a-w	C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37	208,384	----a-w	C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37	138,752	----a-w	C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27	79,872	----a-w	C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26	94,208	----a-w	C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26	12,288	----a-w	C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26	12,288	----a-w	C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24	20,480	----a-w	C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21	733,696	----a-w	C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09	4,096	----a-w	C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03	63,488	----a-w	C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03	549,376	----a-w	C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48	1,647,616	----a-w	C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45	216,064	----a-w	C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23	48,128	----a-w	C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22	48,128	----a-w	C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39	884,736	----a-w	C:\WINDOWS\system32\msimsg.dll
2003-12-18 16:33	20,102	----a-w	C:\Program Files\Readme.txt
2003-09-03 12:46	10,960	----a-w	C:\Program Files\EULA.txt
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{284AAAD9-FDF9-49A3-93ED-9CAE4AA26805}]
2008-07-08 07:32	180224	--a------	C:\WINDOWS\system32\AswBHO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-03 17:18 1232152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 11:34 122880]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2005-08-07 17:10 18944 C:\WINDOWS\system32\Ctxfihlp.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"SENTINEL"= snti386.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-12-12 10:46 19456 C:\WINDOWS\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"NBService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CTHelper"=CTHELPER.EXE
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
"AIMWDInstallFilename"=C:\PROGRA~1\AIM\AIMWDI~1.EXE
"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"D:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"D:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars Demo\\etqw.exe"=
"D:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars Demo\\etqwded.exe"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"D:\\Program Files\\Steam\\Steam.exe"=
"D:\\Program Files\\Firefly Studios\\Stronghold 2\\Stronghold2.exe"=
"D:\\Program Files\\Sierra Entertainment\\World in Conflict - DEMO\\wic.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1200:UDP"= 1200:UDP:*:Disabled:steam client friends
"27000:UDP"= 27000:UDP:*:Disabled:steam client inclusive 1
"27020:TCP"= 27020:TCP:*:Disabled:steam client inclusive 2

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-03 17:18]
R1 EIO_XP;EIO_XP;C:\WINDOWS\system32\drivers\EIO_XP.sys [2006-06-14 13:44]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-03 17:18]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-03 17:18]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 17:18]
R3 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS\system32\drivers\asusgsb.sys [2007-10-23 17:48]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-08-07 16:54]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS\system32\Drivers\Video3D32.sys [2007-10-23 17:48]
S3 Asushwio;Asushwio;C:\WINDOWS\system32\drivers\Asushwio.sys [2006-10-10 22:33]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-19 07:01:00 C:\WINDOWS\Tasks\defrag.job"
- C:\WINDOWS\system32\defrag.exe
"2008-04-19 10:04:00 C:\WINDOWS\Tasks\defrag2.job"
- C:\WINDOWS\system32\defrag.exe
"2008-07-10 16:13:17 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 16:45:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\xfire_lsp_10650.dll
.
Completion time: 2008-07-10 16:46:03
ComboFix-quarantined-files.txt  2008-07-10 21:45:54
ComboFix2.txt  2008-07-10 21:14:16

Pre-Run: 21,194,199,040 bytes free
Post-Run: 21,180,010,496 bytes free

255	--- E O F ---	2008-07-08 23:11:17



and here's the hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:18:56, on 7/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\program files\a-squared free\a2service.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Drew\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VideoCodec Class - {284AAAD9-FDF9-49A3-93ED-9CAE4AA26805} - C:\WINDOWS\system32\AswBHO.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10650.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176458449000
O16 - DPF: {D27CDB6E-AE6D-11CF-96BB-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - c:\program files\a-squared free\a2service.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8123 bytes

btw, what is this infection called?

Edited by GrimReality, 10 July 2008 - 05:29 PM.




#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 July 2008 - 12:20 AM

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following:

O2 - BHO: VideoCodec Class - {284AAAD9-FDF9-49A3-93ED-9CAE4AA26805} - C:\WINDOWS\system32\AswBHO.dll

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Let me know if that solved your issue.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
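The helper spotted the rogue entry by correlating the two logs: the BHO registered under `{284AAAD9-FDF9-49A3-93ED-9CAE4AA26805}` points at a DLL that ComboFix lists as created only two days before the scan, sitting in `system32` rather than a vendor folder. The script below automates that triage as an added example (it is not code from the thread, from HijackThis or from ComboFix); the log excerpts are constructed from the lines quoted in the post, and the "recent creation" and "Windows directory" rules are heuristics that surface candidates for a human to check, not verdicts.

```python
"""Correlate HijackThis O2 (BHO) entries with ComboFix 'Files Created' entries.

Added triage example, not code from the thread or from either tool. The log
excerpts below are constructed from the lines quoted in the post.
"""
import re
from datetime import datetime

# Constructed excerpt of the HijackThis log quoted in the thread (O2 lines plus
# one unrelated O4 line to show that other sections are ignored).
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: VideoCodec Class - {284AAAD9-FDF9-49A3-93ED-9CAE4AA26805} - C:\WINDOWS\system32\AswBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
"""

# Constructed excerpt of the ComboFix 'Files Created' section from the same post
# (format: created . modified  size  attributes  path).
COMBOFIX_LOG = r"""
2008-07-10 16:38 . 2008-07-10 16:38   <DIR>   d--------   C:\Deckard
2008-07-08 07:32 . 2008-07-08 07:32   180,224   --a------   C:\WINDOWS\system32\AswBHO.dll
2008-06-26 15:10 . 2008-06-26 15:10   42,320   --a------   C:\WINDOWS\system32\xfcodec.dll
"""

# Scan time taken from the HijackThis header quoted in the post (17:18 on 7/10/2008).
SCAN_TIME = datetime(2008, 7, 10, 17, 18)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)\s*$")
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)


def parse_bhos(hjt_log):
    """Return [(name, clsid, path)] for every O2 line in a HijackThis log."""
    bhos = []
    for line in hjt_log.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos.append((m["name"], m["clsid"], m["path"]))
    return bhos


def parse_created(combofix_log):
    """Map lower-cased path -> creation time from a ComboFix 'Files Created' block."""
    created = {}
    for line in combofix_log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[m["path"].lower()] = datetime.strptime(m["created"], "%Y-%m-%d %H:%M")
    return created


def triage_bhos(hjt_log, combofix_log, scan_time, max_age_days=14):
    """Flag BHOs whose DLL was created shortly before the scan, or that load from
    the Windows directory instead of a vendor folder. Heuristics only: each hit
    still needs a human check of signature, vendor and purpose."""
    created = parse_created(combofix_log)
    findings = []
    for name, clsid, path in parse_bhos(hjt_log):
        reasons = []
        when = created.get(path.lower())
        if when is not None and (scan_time - when).days <= max_age_days:
            reasons.append("created %d day(s) before the scan" % (scan_time - when).days)
        if path.lower().startswith(("c:\\windows\\", "c:\\winnt\\")):
            reasons.append("loads from the Windows directory, not a vendor folder")
        if reasons:
            findings.append({"name": name, "clsid": clsid, "path": path, "reasons": reasons})
    return findings


def triage_thread_logs():
    """Run the triage over the constructed excerpts from this thread."""
    return triage_bhos(HJT_LOG, COMBOFIX_LOG, SCAN_TIME)


if __name__ == "__main__":
    for f in triage_thread_logs():
        print(f["clsid"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

Run as a script it prints only the `{284AAAD9-...}` entry with both reasons; the Acrobat and Java BHOs pass both rules.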

#3 GrimReality

GrimReality
  • Topic Starter

  • Members
  • 2 posts

Posted 11 July 2008 - 12:57 AM

I do believe that worked! Thanks a ton!

Now, should I consider the backups I made as possibly infected or do you think they should be safe?

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 11 July 2008 - 01:18 AM

Hi,

Yes, what's in the HijackThis backup folder is an infected file. So you may delete the HijackThis backups folder. :thumbsup:

Good to hear your issue is resolved. Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 July 2008 - 12:41 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



