
trojan.kobcka



#1 gomemasai

gomemasai

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:48 AM

Posted 17 April 2009 - 04:27 AM

Hi, I got the trojan Kobcka... I knew it from my antivirus.

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF logs will be ignored.


Yes, I know about this, but I have followed so many instructions under BleepingComputer supervision, and nothing has worked. So, I will post my ComboFix log.

I have used Malwarebytes, ATF Cleaner, ComboFix, SUPERAntiSpyware, BitDefender and AVG 8.5, but none of them can do anything about the trojan Kobcka.

Here is my ComboFix log:

ComboFix 09-04-14.09 - sendy 04/17/2009 15:44.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1279.1030 [GMT 7:00]
Running from: c:\users\sendy\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\bin
c:\windows\system32\bin\brutalchess.exe
c:\windows\system32\bin\freetype6.dll
c:\windows\system32\bin\jpeg.dll
c:\windows\system32\bin\libpng12.dll
c:\windows\system32\bin\libtiff.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcm80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcp80.dll
c:\windows\system32\bin\Microsoft.VC80.CRT\msvcr80.dll
c:\windows\system32\bin\SDL.dll
c:\windows\system32\bin\SDL_image.dll
c:\windows\system32\bin\zlib1.dll
c:\windows\system32\nbspfru.dll
c:\windows\system32\pthreadGC2.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOTDRV
-------\Legacy_CNZEGGZH
-------\Legacy_PROTECT
-------\Legacy_SOPIDKC
-------\Legacy_TDCTXTE
-------\Service_botdrv
-------\Service_cnzeggzh
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2009-03-17 to 2009-04-17 )))))))))))))))))))))))))))))))
.

2019-09-25 22:40 . 2019-09-25 22:40 20480 ----a-w c:\windows\system32\APITypes.dll
2009-04-14 16:31 . 2009-04-15 17:42 121 ----a-w c:\windows\bdagent.INI
2009-04-14 15:19 . 2009-04-16 04:10 340 ----a-w c:\windows\system32\BDUpdateV1.xml
2009-04-14 15:12 . 2009-04-17 08:38 81984 ----a-w c:\windows\system32\bdod.bin
2009-04-14 15:07 . 2009-04-14 15:07 850 ----a-w c:\windows\system32\ProductTweaks.xml
2009-04-14 15:06 . 2009-04-14 15:06 385 ----a-w c:\windows\system32\user_gensett.xml
2009-04-14 14:58 . 2009-04-14 14:58 -------- d-----w c:\users\sendy\Application Data\BitDefender
2009-04-14 14:57 . 2009-04-14 15:05 -------- d-----w c:\users\All Users\Application Data\BitDefender
2009-04-14 14:55 . 2008-04-14 12:00 11776 -c--a-w c:\windows\system32\dllcache\regsvr32.exe
2009-04-14 14:55 . 2008-04-14 12:00 11776 ----a-w c:\windows\system32\regsvr32.exe
2009-04-14 12:40 . 2009-04-14 12:40 -------- d-----w c:\users\sendy\Application Data\Yahoo!
2009-04-13 04:19 . 2009-04-13 04:19 -------- d-----w C:\SDFix
2009-04-12 04:56 . 2009-04-12 04:57 1529241 ----a-w C:\SDFix.exe
2009-04-11 11:20 . 2009-04-13 05:04 4212 ---h--w c:\windows\system32\zllictbl.dat
2009-04-11 11:13 . 2009-04-14 11:38 -------- d-----w c:\windows\Internet Logs
2009-04-10 13:01 . 2007-02-20 09:04 190696 ----a-w c:\windows\system32\NPSWF32_FlashUtil.exe
2009-04-10 13:01 . 2007-02-20 09:04 2463976 ----a-w c:\windows\system32\NPSWF32.dll
2009-04-06 07:36 . 2009-04-06 07:36 -------- d-----w c:\users\All Users\Application Data\FLEXnet
2009-04-05 04:02 . 2009-04-05 04:02 -------- d-----w c:\users\All Users\Application Data\SUPERAntiSpyware.com
2009-04-05 04:02 . 2009-04-05 04:02 -------- d-----w c:\users\sendy\Application Data\SUPERAntiSpyware.com
2009-04-05 03:46 . 2009-04-05 03:46 -------- d-----w c:\users\sendy\Application Data\Malwarebytes
2009-04-05 03:46 . 2009-04-05 03:46 -------- d-----w c:\users\All Users\Application Data\Malwarebytes
2009-04-05 03:26 . 2009-04-05 03:26 -------- d-----w c:\users\sendy\Local Settings\Application Data\Downloaded Installations
2009-04-04 05:01 . 2009-04-04 05:11 -------- d-----w c:\users\sendy\Local Settings\Application Data\Microsoft Games
2009-04-02 00:10 . 2001-08-17 15:36 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-04-02 00:10 . 2008-04-13 22:42 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-04-02 00:10 . 2008-04-13 17:15 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-04-02 00:10 . 2008-04-13 17:15 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-04-01 02:18 . 2009-04-06 07:41 -------- d--h--w C:\$AVG8.VAULT$
2009-03-31 12:01 . 2009-03-31 12:01 -------- d-----w c:\users\sendy\Application Data\yihcgcbc
2009-03-31 12:01 . 2009-03-31 12:01 -------- d-----w c:\users\sendy\Local Settings\Application Data\yihcgcbc
2009-03-31 08:02 . 2009-04-10 13:15 -------- d-----w c:\users\sendy\Local Settings\Application Data\Adobe
2009-03-30 07:11 . 2009-03-30 07:11 -------- d-----w c:\windows\Sun
2009-03-29 06:23 . 2009-03-29 06:23 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\yihcgcbc
2009-03-29 06:23 . 2009-03-29 06:23 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\yihcgcbc
2009-03-27 16:35 . 2009-03-27 16:39 -------- d-----w c:\users\sendy\Application Data\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-17 08:52 . 2009-04-17 08:51 49152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2009-04-17 08:52 . 2009-03-27 07:17 32768 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2009-04-17 08:52 . 2009-03-27 07:17 147456 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2009-04-17 08:51 . 2009-04-17 06:25 49152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041720090418\index.dat
2009-04-17 08:51 . 2009-03-27 11:44 16384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2009-04-17 08:51 . 2009-03-27 07:58 -------- d-----w c:\users\sendy\Application Data\DMCache
2009-04-17 08:51 . 2009-03-27 09:49 131072 --sha-w c:\windows\system32\config\systemprofile\PrivacIE\index.dat
2009-04-17 07:32 . 2009-03-27 07:48 -------- d---a-w c:\users\All Users\Application Data\TEMP
2009-04-17 07:10 . 2009-03-27 08:03 -------- d-----w c:\program files\Garena
2009-04-16 16:58 . 2009-04-16 01:15 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041620090417\index.dat
2009-04-16 04:16 . 2009-04-01 06:10 11132 ----a-w C:\hpfr3500.log
2009-04-14 16:42 . 2009-04-14 12:16 49152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041420090415\index.dat
2009-04-14 15:39 . 2009-03-27 07:47 146 ----a-w C:\YServer.txt
2009-04-14 15:39 . 2009-03-27 07:46 -------- d-----w c:\program files\Yahoo!
2009-04-14 15:26 . 2009-04-05 04:02 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-14 14:57 . 2009-04-14 14:53 -------- d-----w c:\program files\Common Files\BitDefender
2009-04-14 14:57 . 2009-04-14 14:57 -------- d-----w c:\program files\BitDefender
2009-04-14 13:49 . 2009-03-27 08:38 -------- d-----w c:\users\All Users\Application Data\Avg8
2009-04-14 13:08 . 2009-03-27 07:47 -------- d-----w c:\users\All Users\Application Data\Yahoo!
2009-04-13 14:50 . 2009-04-13 02:25 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009041320090414\index.dat
2009-04-13 02:24 . 2009-04-13 02:25 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009040620090413\index.dat
2009-04-11 08:26 . 2009-03-27 08:07 -------- d-----w c:\users\sendy\Application Data\LimeWire
2009-04-10 13:01 . 2009-04-10 13:01 -------- d-----w c:\program files\QuickTime
2009-04-10 12:59 . 2009-03-27 07:03 -------- d-----w c:\program files\Common Files\Adobe
2009-04-06 12:50 . 2009-04-06 12:50 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009033020090406\index.dat
2009-04-06 06:59 . 2009-04-06 06:59 -------- d-----w c:\program files\Bonjour
2009-04-06 06:26 . 2009-04-06 06:26 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-05 03:34 . 2009-03-27 07:01 -------- d-----w c:\program files\Java
2009-04-05 03:22 . 2009-04-05 03:22 -------- d-----w c:\program files\WinPcap
2009-03-31 11:08 . 2009-03-27 06:41 86811 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-27 17:16 . 2009-03-27 07:58 -------- d-----w c:\program files\Internet Download Manager
2009-03-27 15:26 . 2009-03-27 07:58 -------- d-----w c:\users\sendy\Application Data\IDM
2009-03-27 09:48 . 2008-04-14 12:00 213120 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-27 08:44 . 2009-03-27 07:42 45808 ----a-w c:\users\sendy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-27 08:39 . 2009-03-27 08:39 -------- d-----w c:\users\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-27 08:28 . 2009-03-27 08:27 -------- d-----w c:\program files\xampp
2009-03-27 08:22 . 2009-03-27 08:22 -------- d-----w c:\program files\Microsoft ActiveSync
2009-03-27 08:17 . 2009-03-27 08:17 -------- d-----w c:\program files\Microsoft.NET
2009-03-27 08:09 . 2009-03-27 08:09 -------- d-----w c:\program files\FLV Player
2009-03-27 08:09 . 2009-03-27 08:04 -------- d-----w c:\users\sendy\Application Data\Winamp
2009-03-27 08:07 . 2009-03-27 08:07 -------- d-----w c:\program files\LimeWire
2009-03-27 08:05 . 2009-03-27 08:05 -------- d-----w c:\program files\K-Lite Codec Pack
2009-03-27 08:04 . 2009-03-27 08:04 -------- d-----w c:\program files\Winamp
2009-03-27 08:02 . 2009-03-27 08:01 -------- d-----w c:\program files\Creative
2009-03-27 08:02 . 2009-03-27 08:02 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-27 08:01 . 2009-03-27 08:01 -------- d-----w c:\program files\Common Files\InstallShield
2009-03-27 07:57 . 2009-03-27 07:47 -------- d-----w c:\program files\Your Uninstaller 2008
2009-03-27 07:55 . 2009-03-27 07:55 -------- d-----w c:\program files\HP
2009-03-27 07:55 . 2009-03-27 07:50 -------- d-----w c:\program files\Hewlett-Packard
2009-03-27 07:48 . 2009-03-27 07:48 -------- d-----w c:\users\sendy\Application Data\URSoft
2009-03-27 07:36 . 2009-03-27 07:36 -------- d-----w c:\program files\AVG
2009-03-27 07:24 . 2009-03-27 07:24 -------- d-----w c:\users\All Users\Application Data\Nero
2009-03-27 07:23 . 2009-03-27 07:08 -------- d---a-w c:\program files\Windows Sidebar
2009-03-27 07:14 . 2009-03-27 07:14 -------- d-----w c:\program files\microsoft frontpage
2009-03-27 07:13 . 2008-12-10 01:21 2190336 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-27 07:13 . 2009-03-27 07:22 -------- d---a-w c:\users\sendy\Application Data\TrueTransparency
2009-03-27 07:13 . 2009-03-27 07:17 -------- d---a-w c:\windows\system32\config\systemprofile\Application Data\TrueTransparency
2009-03-27 07:13 . 2009-03-27 07:22 -------- d---a-w c:\users\sendy\Application Data\RKLauncher
2009-03-27 07:13 . 2009-03-27 07:17 -------- d---a-w c:\windows\system32\config\systemprofile\Application Data\RKLauncher
2009-03-27 07:13 . 2009-03-27 07:22 -------- d---a-w c:\users\sendy\Application Data\OtakuSoftware
2009-03-27 07:13 . 2009-03-27 07:17 -------- d---a-w c:\windows\system32\config\systemprofile\Application Data\OtakuSoftware
2009-03-27 07:12 . 2009-03-27 07:22 -------- d---a-w c:\users\sendy\Application Data\Nero
2009-03-27 07:12 . 2009-03-27 07:17 -------- d---a-w c:\windows\system32\config\systemprofile\Application Data\Nero
2009-03-27 07:12 . 2009-03-27 07:22 -------- d---a-w c:\users\sendy\Application Data\LClock
2009-03-27 07:12 . 2009-03-27 07:17 -------- d---a-w c:\windows\system32\config\systemprofile\Application Data\LClock
2009-03-27 07:04 . 2009-03-27 07:04 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-27 07:02 . 2009-03-27 07:02 -------- d-----w c:\program files\TUGZip
2009-03-27 07:02 . 2009-03-27 07:01 -------- d-----w c:\program files\Windows Live
2009-03-27 07:01 . 2009-03-27 07:01 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-27 06:59 . 2009-03-27 06:59 -------- d-----w c:\program files\MSBuild
2009-03-27 06:59 . 2009-03-27 06:59 -------- d-----w c:\program files\Reference Assemblies
2009-03-27 06:54 . 2009-03-27 06:54 -------- d-----w c:\program files\ffdshow
2009-03-27 06:44 . 2009-03-27 06:44 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-27 06:43 . 2009-03-27 06:43 -------- d-----w c:\program files\MSXML 4.0
2009-03-27 06:38 . 2009-03-27 06:38 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-27 06:38 . 2009-03-27 06:38 -------- d-----w c:\program files\Windows Media Connect 2
2008-01-22 03:51 . 2009-03-27 07:04 121 ---ha-w c:\program files\desktop.ini
2009-03-05 11:2009-04-14 15:07 08:04 . c:\program files\mozilla firefox\components\FFComm.dll
.

------- Sigcheck -------

[-] 2008-12-10 01:22 578048 6616894470538493B9AAE74271F099EF c:\windows\system32\user32.dll

[-] 2008-10-20 08:53 361600 402B5152110F91E4C096200501737EA6 c:\windows\system32\drivers\tcpip.sys
[-] 2008-10-20 08:53 361600 402B5152110F91E4C096200501737EA6 c:\windows\system32\syscache\tcpip.sys

[-] 2009-03-27 09:48 213120 539F03CFF197E8313792A49266407407 c:\windows\system32\dllcache\ndis.sys
[-] 2009-03-27 09:48 213120 D41B059096E41D3DBC7C7A862C0836FC c:\windows\system32\drivers\ndis.sys

[-] 2009-03-27 07:13 2190336 46E55E15D38088D2711FD6D986DF4F7C c:\windows\system32\ntoskrnl.exe

[-] 2008-12-10 01:21 1424464 3FC9FA3953286B48F1FCEE2FBC1F85F7 c:\windows\explorer.exe

[-] 2008-04-14 12:00 15363 06D757BC777E7F32F08374B659E6FB2F c:\windows\system32\ctfmon.exe
[7] 2008-04-14 12:00 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\ctfmon.exe

[-] 2008-04-14 12:00 57958 2B85AF3A17697ACB227051EFA493F4AD c:\windows\system32\spoolsv.exe
[7] 2008-04-14 12:00 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\dllcache\spoolsv.exe

[-] 2008-04-14 12:00 26118 3D10680AEA143E84C6E877912A123C69 c:\windows\system32\userinit.exe
[7] 2008-04-14 12:00 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-06-10 05:29 97064 ----a-w c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UltimateServices"="c:\windows\System32\ultsvcs.exe" [2008-12-17 264293]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15363]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2009-03-27 2606512]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-07-31 4617720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"BDAgent"="c:\program files\BitDefender\BitDefender 2009\bdagent.exe" [2009-04-16 778240]
"BitDefender Antiphishing Helper"="c:\program files\BitDefender\BitDefender 2009\IEShow.exe" [2009-02-23 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"UltimateServices"="c:\windows\System32\ultsvcs.exe" [2008-12-17 264293]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-02 3882312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 12:51 233491 ----a-w c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 04:24 65321 ----a-w c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2009-03-27 08:00 2606512 ----a-w c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2008-06-10 05:29 1083176 ----a-w c:\program files\Nero\Nero8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock]
2004-09-19 18:27 65539 ----a-w c:\users\sendy\Application Data\LClock\lclock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36354 ----a-w c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mysql"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apache2"=2 (0x2)
"wuauserv"=2 (0x2)
"MBAMService"=2 (0x2)
"idsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FileZilla Server"=3 (0x3)
"InCDsrv"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"ose"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=

R3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [2009-01-20 172032]
R3 GarenaPEngine;GarenaPEngine; [x]
R4 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2008-06-10 53032]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]
S3 bdfm;bdfm;c:\windows\system32\drivers\bdfm.sys [2008-09-18 111112]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-04-17 c:\windows\Tasks\el.job
- c:\windows\system32\regsvr32.exe [2009-04-14 12:00]

2009-04-17 c:\windows\Tasks\elu.job
- c:\windows\system32\cmd.exe [2008-04-14 12:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VisualTaskTips - c:\windows\System32\visualtasktips.exe
HKCU-Run-TopDesk - c:\windows\System32\topdesk.exe
HKLM-Run-HPDJ Taskbar Utility - c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
HKLM-Run-Jet Detection - c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe
HKLM-Run-WINDVDPatch - CTHELPER.EXE
HKU-Default-Run-VisualTaskTips - c:\windows\System32\visualtasktips.exe
HKU-Default-Run-TopDesk - c:\windows\System32\topdesk.exe
HKU-Default-Run-reader_s - c:\users\sendy\reader_s.exe
HKU-Default-Run-services - c:\windows\services.exe
HKU-Default-Explorer_Run-services - c:\windows\services.exe
MSConfigStartUp-PromoReg - c:\windows\TEMP\BN67.tmp


.
------- Supplementary Scan -------
.
uStart Page = www.google.com
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\sendy\Application Data\Mozilla\Firefox\Profiles\53ayityx.default\
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - component: c:\users\sendy\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-17 15:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\users\sendy\LOCALS~1\Temp\BZO2A.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"659BD8E725A05FDCC64118EA787EAA2B534A94FABE"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,33,ec,2d,9e,01,22,47,9a,14,10,\
"3A77B377802A4B6183DDE08FDE4AD9AF647A702826"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6f,33,ec,2d,9e,01,22,47,9a,14,10,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{33c667fd-81cc-4444-a23c-4c2aeb0d67a1}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005a
"Therad"=dword:00000006
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,1b,6c,99,17,ec,d2,be,bb,49,f5,68,62,d0,c2,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):77,d8,a7,ca,2e,dd,16,bf,32,13,63,6f,96,c4,8a,b7,b8,32,18,58,e9,
1d,fe,fd,68,f6,04,a2,42,77,09,2d,c1,c4,78,af,d3,76,75,94,00,00,00,00,00,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(604)
c:\windows\system32\SETUPAPI.dll

- - - - - - - > 'explorer.exe'(6028)
c:\windows\system32\COMRes.dll
c:\program files\Nero\Nero8\InCD\NBHShx.dll
c:\program files\Nero\Nero8\InCD\NBHStr.dll
c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\System32\cscui.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\BitDefender\BitDefender 2009\vsserv.exe
c:\windows\system32\ultdrvmon.exe
c:\windows\system32\wscntfy.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\users\sendy\LOCALS~1\temp\msgup900_2152_us.exe
c:\users\sendy\LOCALS~1\temp\nsb22.tmp\msgup_us.exe
c:\users\sendy\LOCALS~1\temp\GLB23.tmp
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: ~,10time:~,-3machine was rebootedCombobatch-by
ComboFix-quarantined-files.txt 2009-04-17 08:58

Pre-Run: 13,457,715,200 bytes free
Post-Run: 12,111,851,520 bytes free

355

====================================================================

Edited by gomemasai, 17 April 2009 - 04:47 AM.


#2 gomemasai

gomemasai
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:48 AM

Posted 17 April 2009 - 04:35 AM

Sorry if my grammar is bad.

When I enter Windows, there are several IEXPLORE.EXE processes running (maybe about 4 processes of IEXPLORE.EXE) and bn1.tmp through bn6.tmp.
As I know from Google, Kobcka will make my internet slower.


I went to regedit and found 1 hidden Run entry (from HKLM -> Software -> bla bla bla -> Run), and the filename was bn4.tmp.
I've deleted that one, but the bn.tmp still occurs when I run Windows.

And then I used Malwarebytes. It caught the trojan Kobcka, but then the virus occurred again...
I used SUPERAntiSpyware... caught, and it occurred again...
I used BitDefender, still the same result.
I used ComboFix --> nothing happened... LOL


c:\users\sendy\LOCALS~1\temp\GLB23.tmp --> this is also Kobcka. I don't know why the name of the virus always changes, from bn1.tmp --> bn6.tmp, sometimes bn66.tmp, sometimes bn67.tmp, sometimes glb23.tmp.



My OS is Windows XP SP3.

Any idea?
I want to post my screenshots. How do I do that?

Edited by gomemasai, 17 April 2009 - 04:43 AM.