I Have Been Infected With Trojan! Please Help!


5 replies to this topic

#1 zeshan007

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:37 PM

Posted 29 July 2008 - 08:16 AM

Trojan.Win32.Vaklik.bcd J:\1aq1obb.bat

Worm.Win32.AutoRun.eks G:\ffojc.com

Trojan-Dropper.Win32.Small.axz J:\boot.exe

Trojan-PSW.Win32.OnLineGames.bdb J:\ntde1ect.com

Edited by zeshan007, 29 July 2008 - 08:17 AM.



#2 Guest_superbird_*

  • Guests
  • OFFLINE

Posted 30 July 2008 - 04:21 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#3 zeshan007

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE

Posted 30 July 2008 - 05:04 AM

Thanks, dear.

But my computer is still infected.

Malwarebytes report:

Malwarebytes' Anti-Malware 1.20
Database version: 951
Windows 5.1.2600 Service Pack 2

12:48:36 PM 7/15/2008
mbam-log-7-15-2008 (12-48-36).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 111717
Time elapsed: 1 hour(s), 17 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\XPPRESP3\Local Settings\Temp\Rar$EX03.921\keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
H:\SOFTWARES\MISC SOFTWARE\PLAYER\2.Inter video Win DVD 6.0\USE it for activation.exe (Rogue.Installer) -> Quarantined and deleted successfully.
H:\SOFTWARES\MISC SOFTWARE\Video converter\ALIVEmp4 CONVERTER\crack\snd.nfo.viewer.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

#4 Guest_superbird_*

  • Guests
  • OFFLINE

Posted 30 July 2008 - 05:09 AM

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[image: Kaspersky Online Scanner "Scan is completed" window, with the Save Report As button marked by a red arrow]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#5 zeshan007

  • Topic Starter
  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:37 PM

Posted 10 August 2008 - 02:34 AM

ComboFix 08-08-08.07 - XPPRESP3 08/10/2008 10:02:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1256.1.1033.18.186 [GMT 3:00]
Running from: C:\Documents and Settings\XPPRESP3\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\XPPRESP3\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\WLFNVY10.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 07:11 45,600 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-10 07:08 4,906,528 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-10 07:08 --------- d-----w C:\Program Files\BitComet
2008-08-10 07:07 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\Orbit
2008-08-10 07:05 9,356 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-10 07:05 86,480 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-10 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-10 05:53 --------- d-----w C:\Program Files\Online TV Player 4
2008-08-10 05:43 --------- d-----w C:\Program Files\Rapid Hacker
2008-08-09 13:19 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-08-09 10:14 --------- d-----w C:\Program Files\WinPcap
2008-08-09 10:14 --------- d-----w C:\Program Files\Media Pirate
2008-08-09 09:26 368,480 ----a-w C:\WINDOWS\system32\drivers\tdrpman.sys
2008-08-09 09:26 132,224 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-08-09 09:14 --------- d-----w C:\Program Files\DivX
2008-08-09 08:58 --------- d-----w C:\Program Files\Nokia
2008-08-09 08:55 --------- d-----w C:\Program Files\Total Video Converter
2008-08-09 08:55 --------- d-----w C:\Program Files\StreamingStar
2008-08-09 08:54 --------- d-----w C:\Program Files\Tube Explorer
2008-08-09 08:08 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-08-09 08:07 96,976 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-08-09 08:07 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-08-09 06:23 --------- d-----w C:\Program Files\Kaspersky Lab
2008-08-07 10:16 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\Thinstall
2008-08-07 10:04 --------- d-----w C:\Program Files\Deskshare
2008-08-07 10:04 --------- d-----w C:\Program Files\Common Files\DeskShare Shared
2008-08-07 08:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\VOWSoft
2008-08-06 09:57 --------- d-----w C:\Program Files\DIFX
2008-08-06 04:52 58,629 ----a-w C:\WINDOWS\system32\mpt.exe
2008-08-05 13:49 395,744 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2008-08-05 13:49 39,264 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-08-05 13:47 --------- d-----w C:\Program Files\Acronis
2008-08-05 05:52 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-08-04 12:12 --------- d-----w C:\Program Files\AutoCAD 2009
2008-08-04 11:46 --------- d-----w C:\Program Files\Mobiola Headset for S60v3
2008-08-04 08:36 --------- d-----w C:\Program Files\cebas
2008-08-04 08:31 --------- d-----w C:\Program Files\DCPFLICS
2008-08-04 08:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-04 08:07 --------- d-----w C:\Program Files\Chaos Group
2008-08-04 07:41 2,147,840 ----a-w C:\WINDOWS\system32\kernel1.exe
2008-08-03 08:00 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 12:24 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\ImTOO Software Studio
2008-08-02 11:18 --------- d-----w C:\Program Files\Yahoo!
2008-08-01 05:59 41,764 ----a-w C:\WINDOWS\system32\kek.exe
2008-08-01 04:28 41,984 ----a-w C:\WINDOWS\system32\mpxa.exe
2008-07-30 17:07 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-30 17:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-29 11:31 30,601 ----a-w C:\Documents and Settings\XPPRESP3\x.exe
2008-07-29 10:23 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\SUPERAntiSpyware.com
2008-07-29 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-29 10:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-28 12:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-07-28 07:03 --------- d-----w C:\Program Files\Golden Al-Wafi Translator
2008-07-28 07:02 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-07-28 07:02 172,032 ------w C:\WINDOWS\Setup1.exe
2008-07-28 06:57 --------- d-----w C:\Program Files\Ahead
2008-07-28 06:54 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-27 13:04 --------- d-----w C:\Program Files\new
2008-07-26 11:16 --------- d-----w C:\Program Files\Autodesk
2008-07-26 10:41 --------- d-----w C:\Program Files\Orbitdownloader
2008-07-26 10:40 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\DMCache
2008-07-24 08:57 --------- d-----w C:\Program Files\directx
2008-07-23 16:48 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-07-23 16:48 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-07-23 12:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-23 09:35 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\PC Suite
2008-07-23 07:21 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-07-23 07:20 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\TuneUp Software
2008-07-23 07:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-07-23 06:01 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-07-23 06:01 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-07-23 06:01 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\Nokia
2008-07-23 05:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-07-23 05:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-07-22 12:12 --------- d-----w C:\Program Files\Real
2008-07-22 10:16 --------- d-----w C:\Program Files\TGTSoft
2008-07-22 07:23 --------- d-----w C:\Program Files\WinMatrix XP
2008-07-21 13:50 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-21 11:07 --------- d-----w C:\Program Files\Common Files\xing shared
2008-07-21 11:07 --------- d-----w C:\Program Files\Common Files\Real
2008-07-21 11:06 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-07-21 11:06 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-07-21 11:06 --------- d-----w C:\Program Files\Google
2008-07-20 12:09 --------- d-----w C:\Program Files\Vimicro
2008-07-20 12:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-19 12:38 --------- d-----w C:\Documents and Settings\LocalService\Application Data\TeamViewer
2008-07-19 07:34 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\TeamViewer
2008-07-19 07:23 --------- d-----w C:\Program Files\TeamViewer3
2008-07-19 06:04 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\Autodesk
2008-07-19 06:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-07-17 07:58 --------- d-----w C:\Program Files\PowerISO
2008-07-16 12:04 --------- d-----w C:\Program Files\Hewlett-Packard
2008-07-16 11:21 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-07-16 09:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-07-16 08:41 --------- d-----w C:\Program Files\Common Files\ChaosGroup
2008-07-16 07:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-16 07:26 --------- d-----w C:\Documents and Settings\XPPRESP3\Application Data\Yahoo!
2008-07-15 14:03 6,120 ----a-w C:\WINDOWS\BricoPackFoldersDelete.cmd
2008-07-15 14:03 51,523 ----a-w C:\WINDOWS\BricoPackUninst.cmd
2008-07-15 13:54 --------- d-----w C:\Program Files\Windows Live
.

------- Sigcheck -------

03/14/2005 04:17 AM 359936 6129e70f3d2f1e60860c930ebeaf92c2 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
11/27/2005 02:30 AM 359808 0e66b538096a6529d1ac66e78eb0d5c8 C:\WINDOWS\system32\drivers\tcpip.sys

08/04/2004 12:56 PM 974336 a5c1f2cf7c31874e66478910b43d6513 C:\WINDOWS\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 PM 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07/22/2008 03:35 PM 68856]
"RocketDock"="C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe" [03/19/2007 01:05 AM 630784]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/25/2007 10:52 PM 476702]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [11/30/2006 09:49 PM 4662776]
"UberIcon"="C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe" [05/21/2006 10:43 AM 180224]
"BitComet"="C:\Program Files\BitComet\BitComet.exe" [07/17/2008 04:50 PM 2599224]
"mpt"="c:\WINDOWS\system32\mpt.exe" [08/06/2008 07:52 AM 58629]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM 144784]
"BigDog303"="C:\WINDOWS\VM303_STI.EXE" [10/25/2005 12:56 PM 61440]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM 155648]
"RTHDCPL"="RTHDCPL.EXE" [01/11/2006 08:23 PM 15961088 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 12:56 PM 15360]

C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\
Mobiola Web Camera for S60 3Ed.lnk - C:\Program Files\Mobiola Headset for S60v3\Headset.exe [2008-08-04 14:45:46 555175]
RocketDock.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-19 01:05:02 630784]
TransBar.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 22:41:18 65536]
UberIcon.lnk - C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe [2006-05-21 10:43:08 180224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [2008-07-26 13:41:24 1674440]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli

[HKLM\~\startupfolder\C:^Documents and Settings^XPPRESP3^Start Menu^Programs^Startup^UberIcon.lnk]
path=C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\UberIcon.lnk
backup=C:\WINDOWS\pss\UberIcon.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 10/10/2007 07:51 PM 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
--a------ 08/12/2005 02:43 PM 45056 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWS myPrintMileage Agent]
--a------ 12/01/2004 02:08 PM 102400 C:\Program Files\Hewlett-Packard\HP Deskjet 1280\Toolbox\mpm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 12.0]
--a------ 03/28/2007 08:41 PM 2037352 C:\Program Files\Norton Ghost\Agent\VProTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 01/20/2008 10:05 AM 217088 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 11/30/2006 09:49 PM 4662776 C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7776:TCP"= 7776:TCP:BitComet 7776 TCP
"7776:UDP"= 7776:UDP:BitComet 7776 UDP

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [08/09/2008 12:26 PM]
R2 IPClampService;IPCLAMP by cebas Computer GmbH;C:\PROGRA~1\cebas\ip-clamp\ipclamp.exe [11/20/2007 07:52 PM]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [12/13/2007 01:28 PM]
S2 CallerIP;Visualware CallerIP;C:\Program Files\CallerIP\cip-nt.exe []
S2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [08/04/2004 12:56 PM]
S3 MBLAUDRV;Mobiola Audio Service;C:\WINDOWS\system32\drivers\BTCamAudioDrv.sys [10/25/2007 08:13 PM]
S3 MBLAUDRVOUT;Mobiola Audio Out Service;C:\WINDOWS\system32\drivers\BTCamAudioDrvOut.sys [12/05/2007 03:56 PM]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [06/29/2007 03:01 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8cf8db3-5d30-11dd-806f-001ee59bab94}]
\Shell\AutoRun\command - J:\rqb0v2ot.bat
\Shell\explore\Command - J:\rqb0v2ot.bat
\Shell\open\Command - J:\rqb0v2ot.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e625fa48-562c-11dd-aaa3-001ee59bab94}]
\Shell\AutoRun\command - 6xig.com
\Shell\explore\Command - 6xig.com
\Shell\open\Command - 6xig.com

*Newly Created Service* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder

2008-07-23 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe [12/19/2006 04:53 PM]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Acronis Scheduler2 Service - C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
Notify-dimsntfy - (no file)
MSConfigStartUp-IDMan - C:\Program Files\Internet Download Manager\IDMan.exe
MSConfigStartUp-PC Suite Tray - C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
MSConfigStartUp-STYLEXP - C:\Program Files\TGTSoft\StyleXP\StyleXP.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\XPPRESP3\Application Data\Mozilla\Firefox\Profiles\cadqgc17.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://google.atcomet.com/b/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 10:08:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\mpxa.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 08/10/2008 10:30:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 07:29:50

Pre-Run: 1,245,069,312 bytes free
Post-Run: 1,546,424,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (bootscreen)" /fastdetect /NoExecute=OptIn /KERNEL=kernel1.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

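The ComboFix log above carries the signals a responder would pull out first: the MountPoints2 entries map two removable volumes to AutoRun/open/explore handlers (J:\rqb0v2ot.bat and 6xig.com), the same removable-drive autorun pattern as the J:\ and G:\ detections in the first post; the Security Center keys have AV and update notifications and Kaspersky monitoring switched off and the standard-profile firewall disabled; and boot.ini starts Windows with /KERNEL=kernel1.exe, a kernel image other than the default that also appears under Find3M in system32. The Python below is an added example, not part of this thread and not ComboFix's own code: it parses a constructed, abbreviated excerpt of those log sections and reports each indicator. The section headers and value formats are copied from the log; the function names and the choice of which values count as "protection off" are the example's own assumptions.

```python
"""Triage helper for ComboFix-style log text (added example, not ComboFix's own code).

Extracts three indicators that the log in this thread shows: MountPoints2 Shell
handlers (what Explorer launches when a removable volume is autorun, opened or
explored, the autorun-worm footprint), Security Center and firewall policy values
set to their 'protection off' state, and a /KERNEL= switch in boot.ini that boots
a non-stock kernel image. SAMPLE_LOG is a constructed, abbreviated copy of the
thread's log sections; the formats are those of that log.
"""
import re

SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8cf8db3-5d30-11dd-806f-001ee59bab94}]
\Shell\AutoRun\command - J:\rqb0v2ot.bat
\Shell\explore\Command - J:\rqb0v2ot.bat
\Shell\open\Command - J:\rqb0v2ot.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e625fa48-562c-11dd-aaa3-001ee59bab94}]
\Shell\AutoRun\command - 6xig.com
\Shell\explore\Command - 6xig.com
\Shell\open\Command - 6xig.com

[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (bootscreen)" /fastdetect /NoExecute=OptIn /KERNEL=kernel1.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
SHELL_RE = re.compile(r"^\\Shell\\(AutoRun|open|explore)\\command\s+-\s+(.+?)\s*$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9a-f]+)|(\d+))', re.I)
KERNEL_RE = re.compile(r"/KERNEL=(\S+)", re.I)

def parse_sections(log):
    """Group non-blank lines under the most recent [section] header."""
    sections, current = {}, None
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def mountpoint_handlers(sections):
    """Return {volume_guid: {verb: command}} for every MountPoints2 Shell handler."""
    handlers = {}
    for name, lines in sections.items():
        if "\\mountpoints2\\" not in name.lower():
            continue
        guid = name.rsplit("\\", 1)[1]   # the {...} volume id at the end of the key path
        for m in filter(None, map(SHELL_RE.match, lines)):
            handlers.setdefault(guid, {})[m.group(1).lower()] = m.group(2)
    return handlers

def disabled_protections(sections):
    """Return (value_name, value) pairs whose setting silences or disables a protection."""
    found = []
    for name, lines in sections.items():
        if "security center" not in name.lower() and "firewallpolicy" not in name.lower():
            continue
        for m in filter(None, map(VALUE_RE.match, lines)):
            key = m.group(1)
            value = int(m.group(2), 16) if m.group(2) else int(m.group(3))  # dword: is hex
            if value == 1 and (key.endswith("DisableNotify") or key == "DisableMonitoring"):
                found.append((key, value))
            elif value == 0 and key == "EnableFirewall":
                found.append((key, value))
    return found

def kernel_overrides(sections):
    """Return kernel image names given by /KERNEL= on [operating systems] lines."""
    hits = (KERNEL_RE.search(line) for line in sections.get("operating systems", []))
    return [m.group(1) for m in hits if m]

def triage(log):
    """Run all three checks; return one human-readable finding per hit."""
    s = parse_sections(log)
    out = [f"MountPoints2 {g}: {v} -> {c}" for g, verbs in mountpoint_handlers(s).items()
           for v, c in sorted(verbs.items())]
    out += [f"protection switched off: {k}={v}" for k, v in disabled_protections(s)]
    out += [f"boot.ini /KERNEL override: {i}" for i in kernel_overrides(s)]
    return out

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against a full ComboFix log the same parser works unchanged, because every block it cares about sits under a `[...]` header; lines that precede the first header (the Find3M and Sigcheck tables) are simply ignored. The MountPoints2 handlers are worth reading even after the drive is clean: they persist in the user hive and will be replayed the next time a volume with the same GUID is plugged in, so a cleanup that only deletes J:\rqb0v2ot.bat leaves the launch path in place.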

#6 Guest_superbird_*

  • Guests
  • OFFLINE

Posted 10 August 2008 - 04:13 AM

Why do you post a ComboFix logfile? I asked for a Kaspersky report...
Please remove that ComboFix log, I may not treat that. Post the Kaspersky log instead. :thumbsup:



