
Trojan Problems


1 reply to this topic

#1 monkgj

  • Members
  • 1 posts

Posted 04 September 2008 - 10:39 PM

I ran Ad-Aware, Spybot, and AVG Free 8.0. I've got major trojan problems; here's my ComboFix log. Please help!

ComboFix 08-09-04.08 - aerii 2008-09-04 23:13:36.1 - NTFSx86
Running from: C:\Documents and Settings\aerii\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\aerii\Favorites\Games.url
C:\WINDOWS\Install.txt
C:\WINDOWS\system\sgcxcxxaspf080828.exe
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\atsxyzd.sys
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\inf\sppdcrs080828.scr
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\system32\inf\svchosd.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\mywfhit.ini
C:\WINDOWS\system32\mywfhit.ini.tmp
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\sotpeca.exe
C:\WINDOWS\system32\soxpeca.exe
C:\WINDOWS\system32\syspilog.pil
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\tawisys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFINDING
-------\Legacy_AFISICX
-------\Legacy_INTERNET_SERVICE
-------\Legacy_MABIDWE
-------\Legacy_MACIDWE
-------\Legacy_MESSANGER
-------\Legacy_MSSERVICE
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PANDRV
-------\Legacy_PERFS
-------\Legacy_ROUTING
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SEUICTOL
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDXDOWKC
-------\Legacy_TDYDOWKC
-------\Legacy_WSERVING
-------\Legacy_WSLDOEKD
-------\Service_afinding
-------\Service_afisicx
-------\Service_Internet Service
-------\Service_mabidwe
-------\Service_macidwe
-------\Service_Messanger
-------\Service_MsService
-------\Service_noxtcyr
-------\Service_noytcyr
-------\Service_perfs
-------\Service_routing
-------\Service_roxtctm
-------\Service_roytctm
-------\Service_seuictol
-------\Service_sobicyt
-------\Service_sotpeca
-------\Service_soxpeca
-------\Service_tdxdowkc
-------\Service_tdydowkc
-------\Service_wserving
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-01 21:02 . 2008-09-04 22:32 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-01 20:42 . 2008-09-01 21:00 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-09-01 20:42 . 2008-09-01 20:42 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-09-01 20:42 . 2008-09-01 20:42 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-09-01 20:42 . 2008-09-01 20:42 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-09-01 20:41 . 2008-09-01 20:41 <DIR> d-------- C:\Program Files\AVG
2008-09-01 20:41 . 2008-09-01 20:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-26 17:15 . 2004-08-04 03:56 388,608 --a------ C:\WINDOWS\system32\tmpacj1.exe
2008-08-21 17:35 . 2008-08-21 17:37 <DIR> d-------- C:\Program Files\Ad-Aware
2008-08-21 17:35 . 2008-08-21 17:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-21 17:34 . 2008-08-21 17:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-20 22:52 . 2008-08-21 21:09 <DIR> d-------- C:\Program Files\EasyCleaner
2008-08-20 22:49 . 2008-08-21 17:28 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-20 22:49 . 2008-08-22 22:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-16 17:42 . 2008-08-16 17:42 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Skype
2008-08-16 17:14 . 2008-09-04 23:15 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-10 20:54 . 2008-08-10 20:54 <DIR> d-------- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 00:22 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-08-30 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-21 02:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-17 03:41 --------- d-----w C:\Documents and Settings\aerii\Application Data\U3
2008-08-09 14:27 --------- d-----w C:\Program Files\Apple Software Update
2008-07-15 21:44 --------- d-----w C:\Program Files\Thomson
2008-07-10 16:55 --------- d-----w C:\Documents and Settings\aerii\Application Data\Skype
2008-07-10 13:46 --------- d-----w C:\Documents and Settings\aerii\Application Data\skypePM
2008-01-31 21:17 32 -c--a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 50528]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-20 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-08 294912]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2003-04-08 11750]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2003-04-01 81920]
"VAIO Recovery"="C:\Windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 40960]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-01 1232152]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 C:\WINDOWS\system32\Ati2mdxx.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PowerPanel.lnk - C:\Program Files\PowerPanel\Program\PcfMgr.exe [2003-04-30 872448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
"msacm.divxa32"= msaud32_divx.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-01 96520]
R1 DMICall;Sony DMI Call service;C:\WINDOWS\system32\DRIVERS\DMICall.sys [2000-12-05 3952]
R2 Apple Mobile Device;Apple Mobile Device;C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-09-06 110592]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-01 873752]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-01 231192]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-09-01 76040]
R3 ApfiltrService;Alps Pointing-device Filter Driver;C:\WINDOWS\system32\DRIVERS\Apfiltr.sys [2003-02-28 90852]
R3 E100B;Intel® PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys [2002-09-25 140800]
R3 HSFHWICH;HSFHWICH;C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys [2003-03-13 164736]
R3 SNC;Sony Notebook Control Device;C:\WINDOWS\system32\Drivers\SonyNC.sys [2000-11-09 48896]
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\system32\DRIVERS\SonyPI.sys [2002-08-20 71961]
R3 WDM_YAMAHAAC97;YAMAHA AC-XG Audio Device;C:\WINDOWS\system32\drivers\yacxgc.sys [2002-09-19 205056]
S2 nobicyt;nobicyt Service;C:\WINDOWS\system32\Nobicyt.exe [ ]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service;C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2007-08-24 68464]
S3 NdisIP;Microsoft TV/Video Connection;C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 odserv;Microsoft Office Diagnostics Service;C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ovt519;VGA USB Camera;C:\WINDOWS\system32\Drivers\ov519vid.sys [2003-09-25 174530]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-06-10 371766]
S3 PRISM;IEEE 802.11 Wireless NIC Driver;C:\WINDOWS\system32\DRIVERS\EXPRESS.sys [2002-12-27 615424]
S3 SLIP;BDA Slip De-Framer;C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 SPTISRV;Sony SPTI Service;C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe [2002-12-24 65536]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-01-24 52384]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-01-24 6064]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-01-24 84512]
S3 usb_rndisx;USB RNDIS Adapter;C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2005-10-20 12800]
S3 VAIOMediaPlatform-MusicServer-AppServer;VAIO Media Music Server;C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe [2003-03-18 536648]
S3 VAIOMediaPlatform-MusicServer-HTTP;VAIO Media Music Server (HTTP);C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe [2003-02-10 57344]
S3 VAIOMediaPlatform-MusicServer-UPnP;VAIO Media Music Server (UPnP);C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe [2003-03-20 675840]
S3 VAIOMediaPlatform-PhotoServer-AppServer;VAIO Media Photo Server;C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe [2003-03-25 262144]
S3 VAIOMediaPlatform-PhotoServer-HTTP;VAIO Media Photo Server (HTTP);C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe [2003-02-10 57344]
S3 VAIOMediaPlatform-PhotoServer-UPnP;VAIO Media Photo Server (UPnP);C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe [2003-03-20 675840]
S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2006-11-06 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{764d38e0-69ac-11dd-8a2f-080046ad5890}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com/
R0 -: HKLM-Main,Start Page = hxxp://www.comcast.net/
R0 -: HKLM-Main,Window Title = Windows Internet Explorer provided by Comcast
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-04 23:24:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscript.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\PROGRA~1\support.com\client\bin\tgcmd.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-09-04 23:35:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-05 03:34:44

Pre-Run: 3,154,231,296 bytes free
Post-Run: 3,156,922,368 bytes free

260 --- E O F --- 2008-08-30 03:41:32
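The script below is an added example, not code from the poster or from BleepingComputer, showing how a helper would cross-check two parts of a ComboFix log like the one above before replying. It pairs the "Drivers/Services" entries ComboFix removed (each malicious service leaves a Service_NAME registration plus a Legacy_NAME key under Enum\Root) with the executables listed under "Other Deletions", so you can see which removed services were backed by which deleted binaries and which ones were not. It also scans the service list for entries whose bracketed file details are empty ("[ ]"), as with "S2 nobicyt" in this log; the reading that an empty bracket means ComboFix could not find the referenced file is an assumption about the log format, and the stem-matching between service names and filenames is a heuristic. The sample lines are copied from the log above and trimmed so the example runs offline.

```python
import re

# Constructed sample: a handful of lines copied from the ComboFix log posted
# above, trimmed so the example runs offline. Paths and names are the log's own.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\atsxyzd.sys
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\noxtcyr.exe
C:\WINDOWS\tawisys.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_NOXTCYR
-------\Legacy_PANDRV
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_noxtcyr
-------\Service_Internet Service

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-01 96520]
S2 nobicyt;nobicyt Service;C:\WINDOWS\system32\Nobicyt.exe [ ]
S3 odserv;Microsoft Office Diagnostics Service;C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
"""

# Section banner: a run of '(' , the title, a run of ')'.
HEADER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")
# Removed registration: -------\Legacy_NAME or -------\Service_NAME.
ENTRY_RE = re.compile(r"^-+\\(?:Legacy_|Service_)(.+)$", re.IGNORECASE)
# Service line: <start type> <name>;<display name>;<path> [<date size>]
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.+?)\s+\[(.*?)\]\s*$")


def split_sections(text):
    """Group non-blank log lines under the banner that precedes them."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line.strip() and line.strip() != ".":
            sections[current].append(line.rstrip())
    return sections


def removed_service_names(sections):
    """Lower-cased names from the Drivers/Services section (Legacy_ and Service_ collapse to one name)."""
    names = set()
    for line in sections.get("Drivers/Services", []):
        m = ENTRY_RE.match(line)
        if m:
            names.add(m.group(1).strip().lower())
    return names


def deleted_files(sections):
    """Absolute paths listed under Other Deletions."""
    return [l for l in sections.get("Other Deletions", []) if re.match(r"^[A-Za-z]:\\", l)]


def correlate(text):
    """Heuristic: a deleted file whose stem equals a removed service name backed that service."""
    sections = split_sections(text)
    services = removed_service_names(sections)
    matched, unmatched_files = {}, []
    for path in deleted_files(sections):
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if stem in services:
            matched[stem] = path
        else:
            unmatched_files.append(path)
    return {
        "matched": matched,
        "unmatched_services": sorted(services - set(matched)),
        "unmatched_files": unmatched_files,
    }


def orphaned_services(text):
    """Service entries still registered but with empty file details ('[ ]').
    Assumption: ComboFix prints [date size] for a file it can stat, so an
    empty bracket means the binary was not found on disk."""
    found = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m and not m.group(3).strip():
            found.append((m.group(1).strip(), m.group(2).strip()))
    return found


if __name__ == "__main__":
    report = correlate(SAMPLE_LOG)
    for name, path in report["matched"].items():
        print(f"removed service {name!r} was backed by deleted file {path}")
    print("removed services with no deleted binary in the log:", report["unmatched_services"])
    print("deleted files not tied to a removed service:", report["unmatched_files"])
    for name, path in orphaned_services(SAMPLE_LOG):
        print(f"still-registered service {name!r} points at a file ComboFix did not find: {path}")
```

Run against the full log, the same logic pairs afisicx, mabidwe, noxtcyr, noytcyr, roytctm, sotpeca, soxpeca, tdydowkc and wsldoekd with their deleted system32 executables, lists the removed services that have no matching deleted file (afinding, Internet Service, macidwe, Messanger, MsService, pandrv, perfs, routing, roxtctm, seuictol, sobicyt, tdxdowkc, wserving), and flags the auto-start "nobicyt" entry, which is still registered even though its binary is gone. Those unmatched names and the leftover entry are exactly what a helper would follow up on in the next reply.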


#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,542 posts
  • Location:USA

Posted 21 September 2008 - 08:49 PM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.



