Viruses, Getting Annoyed

This topic is locked
1 reply to this topic

#1 tharox

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 05 September 2008 - 10:45 AM

Hello guys,
I need your help with viruses on my PC. My WoW account got scammed a few days ago, so I wanted to check the PC for viruses. I saw NOD32 showing me some screens: cleaned by deleting - quarantined....
There was a virus, Win32/PSW.OnLineGames.NMY trojan. I used ComboFix and got this report:

ComboFix 08-08-31.01 - Korisnik 2008-09-05 17:32:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.798 [GMT 2:00]
Running from: C:\Documents and Settings\Korisnik\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Korisnik\Application Data\macromedia\Flash Player\#SharedObjects\UFNRHN53\bin.clearspring.com
C:\Documents and Settings\Korisnik\Application Data\macromedia\Flash Player\#SharedObjects\UFNRHN53\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Korisnik\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Korisnik\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol

.
((((((((((((((((((((((((( Files Created from 2008-08-05 to 2008-09-05 )))))))))))))))))))))))))))))))
.

2008-09-03 22:05 . 2008-09-03 22:05 <DIR> d-------- C:\Program Files\Roxio
2008-09-03 22:05 . 2008-09-03 22:05 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2008-09-01 20:15 . 2008-09-01 20:22 <DIR> d-------- C:\Program Files\Windows Live
2008-09-01 20:15 . 2008-09-01 20:20 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-09-01 19:56 . 2008-09-01 19:56 <DIR> d--h----- C:\WINDOWS\PIF
2008-09-01 18:02 . 2008-09-01 20:25 2,362 --a------ C:\WINDOWS\system32\ddr.exe
2008-09-01 17:47 . 2008-09-01 20:12 91,992 -r-hs---- C:\22xo.exe
2008-08-27 23:03 . 2008-08-27 23:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-08-24 18:16 . 2008-08-24 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-08-19 14:18 . 2008-08-19 14:18 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\dvdcss
2008-08-15 16:52 . 2008-08-15 16:52 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2008-08-15 16:51 . 2008-03-12 22:47 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2008-08-15 16:51 . 2008-03-12 22:47 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2008-08-15 16:51 . 2008-03-12 22:47 887,724 -ra------ C:\WINDOWS\system32\ativva6x.dat
2008-08-15 16:51 . 2008-03-12 16:14 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-08-15 16:51 . 2008-03-12 23:17 372,736 -ra------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-08-15 16:51 . 2008-03-12 23:18 307,200 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2008-08-15 16:51 . 2008-03-06 16:40 168,883 -ra------ C:\WINDOWS\system32\atiicdxx.dat
2008-08-15 16:51 . 2008-01-21 15:48 12,477 -ra------ C:\WINDOWS\atiogl.xml
2008-08-15 16:51 . 2007-08-31 15:20 7,167 -ra------ C:\WINDOWS\system32\atifglpf.xml
2008-08-14 08:56 . 2008-08-14 08:56 <DIR> d-------- C:\spoolerlogs
2008-08-13 17:38 . 2008-08-27 10:03 282 --a------ C:\WINDOWS\hpqcopy.INI
2008-08-13 17:26 . 2008-08-13 17:26 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\HP
2008-08-11 16:16 . 2008-08-18 18:01 <DIR> d-------- C:\Documents and Settings\Korisnik\Application Data\HPAppData
2008-08-11 12:50 . 2008-08-11 12:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HP
2008-08-11 12:43 . 2008-08-11 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WEBREG
2008-08-11 12:41 . 2008-08-11 12:41 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\HPAppData
2008-08-11 12:41 . 2008-08-11 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HPSSUPPLY
2008-08-11 12:40 . 2008-08-11 12:40 <DIR> d-------- C:\Program Files\Common Files\HP
2008-08-11 12:40 . 2008-08-11 12:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
2008-08-11 12:40 . 2008-08-11 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2008-08-11 12:39 . 2008-08-11 12:41 <DIR> d-------- C:\Program Files\HP
2008-08-11 12:30 . 2008-08-11 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2008-08-11 12:30 . 2007-04-04 09:47 267,864 -ra------ C:\WINDOWS\system32\hpzids01.dll
2008-08-11 12:30 . 2008-09-03 22:22 144,045 --a------ C:\WINDOWS\hpoins16.dat
2008-08-11 12:30 . 2007-03-28 14:01 118,272 --a------ C:\WINDOWS\system32\hpz3l5ha.dll
2008-08-11 12:30 . 2007-03-08 06:20 49,920 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-08-11 12:30 . 2007-03-08 06:20 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-08-11 12:30 . 2007-08-13 05:48 5,279 --------- C:\WINDOWS\hpomdl16.dat
2008-08-11 12:29 . 2007-03-08 06:20 364,544 -ra------ C:\WINDOWS\system32\hppldcoi.dll
2008-08-11 12:29 . 2007-03-08 06:20 309,760 -ra------ C:\WINDOWS\system32\difxapi.dll
2008-08-11 12:29 . 2007-03-08 06:20 21,568 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-08-11 12:27 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-08-11 12:27 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-08-10 22:28 . 2008-08-10 22:28 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-08-10 22:23 . 2008-08-10 22:23 <DIR> d-------- C:\ATI2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-05 15:25 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\MegauploadToolbar
2008-09-04 17:45 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\Xfire
2008-09-04 14:28 --------- d-----w C:\Program Files\Lavasoft
2008-09-04 14:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-04 14:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-03 06:41 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\BitTorrent
2008-09-02 16:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-02 09:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-02 07:18 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2008-09-01 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-08-30 22:36 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\DNA
2008-08-30 08:17 --------- d-----w C:\Program Files\DNA
2008-08-22 08:24 136,888 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-08-22 08:24 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-08-21 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-08-15 14:55 --------- d-----w C:\Program Files\ATI Technologies
2008-08-11 10:41 --------- d-----w C:\Program Files\Hewlett-Packard
2008-08-08 09:46 --------- d-----w C:\Program Files\YouTube Downloader
2008-08-02 08:58 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-01 10:09 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-08-01 10:09 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-08-01 10:09 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-07-31 07:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-30 08:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-07-29 19:53 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\atitray
2008-07-28 14:59 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\GrabIt
2008-07-28 12:32 --------- d-----w C:\Program Files\GrabIt
2008-07-20 13:57 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\vlc
2008-07-19 12:45 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\fltk.org
2008-07-15 15:35 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-07-15 13:46 22,328 ----a-w C:\Documents and Settings\Korisnik\Application Data\PnkBstrK.sys
2008-07-15 13:24 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-15 13:23 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\DAEMON Tools
2008-07-12 12:42 --------- d-----w C:\Documents and Settings\Korisnik\Application Data\Hamachi
2008-07-08 13:43 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"Sony Ericsson PC Suite"="D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42 69632]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 09:21 1443072]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 19:39 90112 C:\WINDOWS\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\Korisnik\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 21:24:54 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
"vidc.xvid"= xvid.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"D:\\Program Files\\Xfire\\xfire.exe"=
"D:\\Program Files\\World of Warcraft 2.1.0\\Repair.exe"=
"C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnf.exe"=
"D:\\Program Files\\Valve\\hl.exe"=
"D:\\Program Files\\Valve\\hlds.exe"=
"D:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Java\\jre1.5.0_03\\bin\\javaw.exe"=
"D:\\Program Files\\World of Warcraft 2.1.0\\BackgroundDownloader.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"D:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"D:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqcopy.exe"=
"C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service;C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 11:31]
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 autorun;autorun;c:\huadio.tmp []
S3 USB_RNDIS;DSL Router USB;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-03 23:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43d264a7-92c7-11dc-aa81-101111111111}]
\Shell\AutoOpen\command - G:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbedd12c-77f7-11dd-acbb-101111111111}]
\Shell\AutoRun\command - I:\22xo.exe
\Shell\explore\Command - I:\22xo.exe
\Shell\open\Command - I:\22xo.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\oft0x452.default\
FF -: plugin - C:\Documents and Settings\Korisnik\Application Data\Mozilla\Firefox\Profiles\oft0x452.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\Dyyno\Dyyno Player\npvlc.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_03\bin\NPJava11.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_03\bin\NPJava12.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_03\bin\NPJava13.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_03\bin\NPJava14.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_03\bin\NPJava32.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF -: plugin - C:\Program Files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-05 17:33:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
.
Completion time: 2008-09-05 17:34:35
ComboFix-quarantined-files.txt 2008-09-05 15:34:30

Pre-Run: 7,526,850,560 bytes free
Post-Run: 7,579,308,032 bytes free

214



Can you please tell me what to do next? Because I am not sure whether I deleted the damn virus.
Thanks for the help
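The persistence pattern worth noticing in the log above is the pair of mountpoints2 entries: a hidden, system, read-only 22xo.exe at the root of C:, and a removable-drive key whose AutoRun, open and explore verbs all point at I:\22xo.exe, next to an "autorun" service whose ImagePath is c:\huadio.tmp and a Security Center key with antivirus and update notifications switched off. The script below is an added triage example, not ComboFix's own code and not part of the original post; it runs my own heuristics over a constructed excerpt of the log lines shown above. Rule names, the 4 KB "tiny executable" threshold and the list of non-executable extensions are my assumptions; the MSOCache entry (an Office install disc launched through RunDLL32 with a relative path) deliberately does not trip the drive-root rule. The output is a list of indicators for a human to review, not a verdict.

```python
"""Added triage example (not ComboFix's own code): flag autorun-worm style
persistence in a ComboFix log excerpt. Rule names and thresholds are heuristics."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


# Line shapes as they appear in ComboFix output (see the log in the post above).
_FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+(\S{9})\s+(.+)$")
_SERVICE_LINE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.+?)\s*\[[^\]]*\]$")
_IMAGEPATH = re.compile(r'^"ImagePath"="\\\?\?\\(.+)"$')
_MP2_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
_MP2_CMD = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
_SC_DISABLE = re.compile(
    r'^"(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify)"=dword:0*1$')
# A bare executable at the root of a drive, e.g. I:\22xo.exe: the autorun.inf worm pattern.
_ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(?:exe|com|scr|pif|bat|cmd)$", re.I)
_NON_EXEC_EXT = (".tmp", ".dat", ".bin")   # assumption: a service should not load these
_TINY_EXE_BYTES = 4096                     # assumption: dropper stubs are tiny, system32 binaries rarely are

# Constructed sample: lines copied from the log in the post above, shortened to what the rules read.
SAMPLE_LOG = r"""
2008-09-01 18:02 . 2008-09-01 20:25 2,362 --a------ C:\WINDOWS\system32\ddr.exe
2008-09-01 17:47 . 2008-09-01 20:12 91,992 -r-hs---- C:\22xo.exe
2008-08-27 23:03 . 2008-08-27 23:03 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 autorun;autorun;c:\huadio.tmp []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43d264a7-92c7-11dc-aa81-101111111111}]
\Shell\AutoOpen\command - G:\.\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\MSOCache\90000804-6000-11D3-8CFE-0150048383C9\KB915865.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dbedd12c-77f7-11dd-acbb-101111111111}]
\Shell\AutoRun\command - I:\22xo.exe
\Shell\explore\Command - I:\22xo.exe
\Shell\open\Command - I:\22xo.exe
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\autorun]
"ImagePath"="\??\c:\huadio.tmp"
"""


def triage(log_text: str) -> list[Finding]:
    """Return de-duplicated indicators found in a ComboFix log, in order of appearance."""
    findings: list[Finding] = []
    seen = set()

    def add(rule: str, evidence: str) -> None:
        f = Finding(rule, evidence)
        if f not in seen:          # the same service appears as an S3 line and an ImagePath line
            seen.add(f)
            findings.append(f)

    in_security_center = False
    current_mp2 = None             # GUID of the mountpoints2 key whose verbs we are reading
    mp2_cmds = {}                  # guid -> {verb: command}

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):   # registry key header: remember which section follows
            in_security_center = line.lower() == r"[hkey_local_machine\software\microsoft\security center]"
            m = _MP2_KEY.match(line)
            current_mp2 = m.group(1).lower() if m else None
            continue
        if m := _FILE_LINE.match(line):
            size, attrs, path = int(m.group(1).replace(",", "")), m.group(2), m.group(3)
            if "h" in attrs and "s" in attrs and _ROOT_EXE.match(path):
                add("hidden_system_exe_at_drive_root", path)
            if path.lower().endswith(".exe") and "\\system32\\" in path.lower() and size < _TINY_EXE_BYTES:
                add("tiny_exe_in_system32", path)
            continue
        if m := _SERVICE_LINE.match(line):
            if m.group(3).lower().endswith(_NON_EXEC_EXT):
                add("service_image_not_executable", m.group(3))
            continue
        if m := _IMAGEPATH.match(line):
            if m.group(1).lower().endswith(_NON_EXEC_EXT):
                add("service_image_not_executable", m.group(1))
            continue
        if in_security_center and _SC_DISABLE.match(line):
            add("security_center_notifications_disabled", line)
            continue
        if current_mp2 and (m := _MP2_CMD.match(line)):
            mp2_cmds.setdefault(current_mp2, {})[m.group(1).lower()] = m.group(2).strip()

    # Drive-key verdict: AutoRun to a bare root-level executable, plus open/explore
    # redirected to the same file so that double-clicking the drive runs it too.
    for guid, verbs in mp2_cmds.items():
        autorun = verbs.get("autorun")
        if autorun and _ROOT_EXE.match(autorun):
            add("autorun_to_drive_root_exe", f"{guid} AutoRun -> {autorun}")
            for verb in ("open", "explore"):
                if verbs.get(verb) == autorun:
                    add("drive_verb_hijacked", f"{guid} {verb} -> {autorun}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:42} {f.evidence}")
```

On the excerpt this reports eight indicators: the hidden/system 22xo.exe at the root of C:, the 2,362-byte ddr.exe in system32, both Security Center notification values, the autorun service loading a .tmp, the removable-drive AutoRun to I:\22xo.exe, and its hijacked open and explore verbs. The Office MSOCache key is not reported. Treat each hit as something to confirm (hash the file, check the signer, look at the quarantine log), not as proof on its own.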


#2 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:11:05 AM

Posted 05 September 2008 - 12:53 PM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff
Mark