
Hoping that my trojan is gone


  • This topic is locked
2 replies to this topic

#1 hopefullytrojanfree

hopefullytrojanfree

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:10 PM

Posted 18 March 2009 - 08:40 PM

Hopefully the experts here can look through the log and let me know if "bleepingcomputer" did its job, which I think it did.

ComboFix 09-03-15.01 - Stan 2009-03-18 21:22:34.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1159 [GMT -4:00]
Running from: c:\documents and settings\Stan\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drivers\gaopdxaklnqqoroeeiwqmmnaijgvjngukftvxo.sys
c:\windows\system32\drivers\gaopdxrmyvymqskltenbgixudpskjwbpjovutm.sys
c:\windows\system32\drivers\gaopdxyapuxrdlvnrwkpbivaqxdoltfmrqvmph.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxxmumdbjduxdltoirkhfrhpabrnoretfm.dll
Z:\Autorun.inf
z:\recycler\S-1-4-31-100013720-100003350-100027788-1077.com
z:\recycler\S-5-3-59-100026097-100009182-100004493-3868.com
z:\recycler\S-5-5-81-100002894-100007065-100025522-8070.com
z:\recycler\S-9-9-13-100003843-100027127-100021430-4327.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
.

2009-03-18 18:49 . 2009-03-18 18:49 <DIR> d-------- c:\documents and settings\Stan\Application Data\TrojanHunter
2009-03-18 18:14 . 2009-03-18 18:14 <DIR> d-------- c:\program files\TrojanHunter 5.0
2009-03-17 23:01 . 2009-03-17 23:01 <DIR> d-------- C:\Mdtcm
2009-03-16 22:10 . 2009-03-16 22:10 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-16 22:01 . 2009-03-16 22:01 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-16 22:01 . 2009-03-16 22:01 <DIR> d-------- c:\program files\AVG
2009-03-16 22:01 . 2009-03-16 22:01 <DIR> d-------- c:\documents and settings\Stan\Application Data\AVGTOOLBAR
2009-03-16 22:01 . 2009-03-16 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-16 22:01 . 2009-03-16 22:01 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-16 22:01 . 2009-03-16 22:01 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-16 22:01 . 2009-03-16 22:01 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-16 20:43 . 2009-01-26 15:31 414,552 --a------ c:\windows\system32\123.scr
2009-03-16 20:36 . 2009-03-16 21:21 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-16 20:36 . 2009-03-16 21:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-16 20:11 . 2009-03-16 20:11 <DIR> d-------- c:\documents and settings\Administrator
2009-03-16 20:00 . 2009-03-16 20:01 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-16 20:00 . 2009-03-16 20:00 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-16 20:00 . 2009-03-16 20:00 <DIR> d-------- c:\documents and settings\Stan\Application Data\PC Tools
2009-03-16 20:00 . 2009-03-18 19:25 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-16 20:00 . 2009-03-16 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-16 20:00 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-16 20:00 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-16 20:00 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-16 20:00 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-16 17:44 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 01:20 --------- d-----w c:\documents and settings\Stan\Application Data\DNA
2009-03-18 23:25 --------- d-----w c:\program files\DNA
2009-03-18 23:02 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-18 22:49 --------- d-----w c:\documents and settings\Stan\Application Data\U3
2009-03-16 11:37 --------- d-----w c:\program files\Norton Internet Security
2009-03-16 01:29 --------- d-----w c:\documents and settings\Stan\Application Data\BitTorrent
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-01-24 20:36 --------- d-----w c:\program files\BitTorrent
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"j2 4.4"="c:\program files\j2 Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-24 342848]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-16 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-23 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-23 77824]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-11 290816]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 122880]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-12-22 71280]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-10-22 70840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-11-03 4800512]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 163840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-16 1932568]
"THGuard"="c:\program files\TrojanHunter 5.0\THGuard.exe" [2008-10-24 1056928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2003-08-13 54472]

c:\documents and settings\Stan\Start Menu\Programs\Startup\
jConnect 4.4.lnk - c:\program files\j2 Messenger 4.4\J2GTray.exe [2008-10-07 656896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-06 113664]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-16 22:01 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-16 130424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-16 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-16 107912]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-16 298264]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2008-08-22 6016]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2006-03-24 23296]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-16 348752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-9-9-13-100003843-100027127-100021430-4327.com c:\
\Shell\Open\command - c:\recycler\S-9-9-13-100003843-100027127-100021430-4327.com c:\

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-9-9-13-100003843-100027127-100021430-4327.com z:\
\Shell\Open\command - z:\recycler\S-9-9-13-100003843-100027127-100021430-4327.com z:\
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2003-12-04 18:22]

2009-03-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2003-08-13 19:38]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-AVG7_RegCleaner - c:\progra~1\Grisoft\AVG7\avgregcl.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ebay.com/
uInternet Connection Wizard,ShellNext = hxxp://estore.sonic.com/upgrades/purchase.asp?srnm=C5HL2KVAEPDSS4JGR&lang=ENU&id=40
uInternet Settings,ProxyServer = 192.168.1.1
uInternet Settings,ProxyOverride = <local>
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Stan\Application Data\Mozilla\Firefox\Profiles\x5uhg4ro.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-18 21:26:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-18 21:28:38
ComboFix-quarantined-files.txt 2009-03-19 01:28:32

Pre-Run: 101,167,312,896 bytes free
Post-Run: 101,278,400,512 bytes free

173 --- E O F --- 2009-03-16 21:46:33

#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:10 PM

Posted 28 March 2009 - 07:45 AM

Hello hopefullytrojanfree,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:10 PM

Posted 08 April 2009 - 08:27 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic