
Combo Fix - My Report



#1 bobh2o


Posted 15 July 2008 - 02:26 PM

ComboFix 08-07-14.2 - ROBERTOH2O 2008-07-15 20.38.35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1040.18.133 [GMT 2:00]
Eseguito da: C:\Documents and Settings\ROBERTOH2O\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ROBERTOH2O\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
* Creato nuovo punto di ripristino
.

((((((((((((((((((((((((((((((((((((( Altre eliminazioni )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\ROBERTOH2O\Dati applicazioni\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk
C:\WINDOWS\eepo.exe
C:\WINDOWS\recover.reg
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\clbdll.dll
C:\WINDOWS\system32\kruofnwd.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nbdqaicb.ini
C:\WINDOWS\system32\uvyHknnn.ini
C:\WINDOWS\system32\uvyHknnn.ini2

.
((((((((((((((((((((((((( Files Creati Da 2008-06-15 al 2008-07-15 )))))))))))))))))))))))))))))))))))
.

2008-07-15 00:30 . 2008-07-15 00:30 <DIR> d-------- C:\Documents and Settings\ROBERTOH2O\Dati applicazioni\PC Tools
2008-07-15 00:30 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-15 00:30 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-15 00:30 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-15 00:30 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-14 23:31 . 2008-07-14 23:36 2,626 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-14 22:29 . 2008-07-15 20:46 <DIR> d-a------ C:\Documents and Settings\All Users\Dati applicazioni\TEMP
2008-07-14 22:28 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-07-14 21:45 . 2005-06-17 20:31 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di stampa
2008-07-14 21:45 . 2005-06-17 20:31 <DIR> d--h----- C:\Documents and Settings\Administrator\Risorse di rete
2008-07-14 21:45 . 2005-06-17 20:31 <DIR> d-------- C:\Documents and Settings\Administrator\Preferiti
2008-07-14 21:45 . 2005-06-17 19:37 <DIR> d--h----- C:\Documents and Settings\Administrator\Modelli
2008-07-14 21:45 . 2005-06-17 20:31 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Avvio
2008-07-14 21:45 . 2005-06-17 20:31 <DIR> d--h----- C:\Documents and Settings\Administrator\Impostazioni locali
2008-07-14 21:45 . 2005-06-17 20:31 <DIR> d-------- C:\Documents and Settings\Administrator\Documenti
2008-07-14 21:45 . 2005-06-17 20:31 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dati applicazioni
2008-07-14 21:45 . 2008-07-14 21:45 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-14 21:23 . 2008-07-14 21:23 33,152 --a------ C:\WINDOWS\system32\urqQiFWN.dll
2008-07-14 21:23 . 2001-08-31 12:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-07-14 21:21 . 2008-07-14 18:40 262,144 --a------ C:\WINDOWS\evgratsm.dll
2008-07-14 21:21 . 2008-07-14 18:40 98,304 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-02 22:34 . 2008-07-02 22:34 24,400 --a------ C:\Documents and Settings\ROBERTOH2O\wdrxdsrg.exe
2008-06-29 21:51 . 2008-06-29 21:51 58,594 --a------ C:\WINDOWS\system32\mpx.exe
2008-06-29 07:33 . 2008-06-29 07:33 18,944 --a------ C:\WINDOWS\system32\mpxu.exe
2008-06-20 19:39 . 2008-06-20 19:39 247,296 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 12:44 . 2008-06-20 12:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 21:16 --------- d-----w C:\Programmi\EPSON Print CD
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-14 17:59 272,768 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 21:30 --------- d-----w C:\Programmi\Easy CD-DA Extractor 9
2008-05-16 14:06 17,696 ----a-w C:\Documents and Settings\ROBERTOH2O\Dati applicazioni\GDIPFONTCACHEV1.DAT
2007-01-15 20:40 0 ----a-w C:\Documents and Settings\All Users\Dati applicazioni\PKP_DLbz.DAT
2006-12-31 10:01 81,920 ----a-w C:\Documents and Settings\ROBERTOH2O\Dati applicazioni\ezpinst.exe
2006-12-31 10:01 47,360 ----a-w C:\Documents and Settings\ROBERTOH2O\Dati applicazioni\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
"SybaseCentral43"="E:\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2005-03-31 19:48 102400]
"DBISQL9"="E:\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2005-04-21 18:20 135168]
"MsnMsgr"="C:\Programmi\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"AnyDVD"="C:\Programmi\SlySoft\AnyDVD\AnyDVD.exe" [2007-05-06 22:34 1336008]
"mpx"="c:\WINDOWS\system32\mpx.exe" [2008-06-29 21:51 58594]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CloneCDTray"="C:\Programmi\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 15:47 57344]
"SunJavaUpdateSched"="C:\Programmi\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"iTunesHelper"="C:\Programmi\iTunes\iTunesHelper.exe" [2005-10-18 12:58 278528]
"QuickTime Task"="C:\Programmi\QuickTime\qttask.exe" [2005-11-18 00:25 155648]
"EPSON Stylus Photo R800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9YE.EXE" [2005-01-13 06:00 98304]
"avgnt"="C:\Programmi\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 16:57 262401]
"PWRISOVM.EXE"="C:\Programmi\PowerISO\PWRISOVM.EXE" [2007-04-09 14:23 200704]
"ISTray"="E:\SpywareDoctor\pctsTray.exe" [2008-02-01 12:55 1103240]
"AdslTaskBar"="stmctrl.dll" [2003-01-22 12:01 151552 C:\WINDOWS\system32\stmctrl.dll]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
ColorVisionStartup.lnk - C:\Programmi\ColorVision\Utility\ColorVisionStartup.exe [2006-08-28 17:15:18 385024]
Gestione servizi.lnk - C:\Programmi\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 18:23:32 74308]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-06-17 22:10:41 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"evgratsm"= {0D880D24-857F-4D86-B39A-EE9EF59BC929} - C:\WINDOWS\evgratsm.dll [2008-07-14 18:40 262144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programmi\\iTunes\\iTunes.exe"=
"C:\\Programmi\\Messenger\\msmsgs.exe"=
"C:\\Programmi\\BitTornado\\btdownloadgui.exe"=
"E:\\Sybase\\SQL Anywhere 9\\win32\\dbisqlg.exe"=
"E:\\Sybase\\Shared\\Sybase Central 4.3\\win32\\scjview.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Programmi\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programmi\\MSN Messenger\\livecall.exe"=
"E:\\Sybase\\SQL Anywhere 9\\win32\\dbeng9.exe"=
"C:\\WINDOWS\\system32\\mpxu.exe"=

R0 avgntmgr;avgntmgr;C:\WINDOWS\system32\drivers\avgntmgr.sys [2008-04-20 16:57]
R1 avgntdd;avgntdd;C:\WINDOWS\system32\DRIVERS\avgntdd.sys [2008-04-20 16:57]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2002-09-25 07:37]
R3 TaurusUsb;ADSL Modem USB Service 1.09a;C:\WINDOWS\system32\DRIVERS\torususb.sys [2003-01-09 15:21]
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Programmi\CyberLink\PowerDVD\000.fcl []
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys []
S3 Spyder;ColorVision Spyder2;C:\WINDOWS\system32\DRIVERS\SpyderUSB.sys [2006-08-07 20:28]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;D:\MicrosoftVisualStudio8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 08:01]

.
- - - - ORPHANS REMOVED - - - -

BHO-{CC7A93B7-2698-4A5F-A745-3074CB042395} - C:\WINDOWS\kgxmotapexd.dll
Notify-opnlMgdc - opnlMgdc.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-15 20:47:18
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Programmi\CyberLink\PowerDVD\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Programmi\AntiVir PersonalEdition Classic\sched.exe
C:\Programmi\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Programmi\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Programmi\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Programmi\CyberLink\Shared files\RichVideo.exe
E:\SpywareDoctor\pctsAuxs.exe
E:\SpywareDoctor\pctsSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Programmi\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\mpxu.exe
C:\Programmi\iPod\bin\iPodService.exe
.
**************************************************************************
.
Ora fine scansione: 2008-07-15 20:59:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-15 18:58:33

12 Directory 7,194,796,032 byte disponibili
16 Directory 7,608,893,440 byte disponibili

WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

161 --- E O F --- 2008-07-08 19:02:53


#2 rigel


Posted 15 July 2008 - 02:27 PM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff

