
scan from ComboFix


#1 matka


Posted 10 July 2009 - 11:47 AM

hello,
I have scanned my computer with ComboFix. Can somebody tell me if there's any virus and how I can delete it/them?





C:\autorun.inf
c:\windows\AhnRpta.exe
c:\windows\system32\e8main0.dll
c:\windows\system32\msssc.dll
c:\windows\system32\nmdfgds0.dll
D:\3j2h0tf.bat
D:\Autorun.inf
D:\be2trf.bat
D:\cahpcg.cmd
D:\uo10sn.cmd
D:\xhah66s.cmd
D:\y6yol.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVPSYS


((((((((((((((((((((((((( Files created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-06 22:58 . 2009-07-06 22:58 -------- d-----w- c:\documents and settings\Damian\Ustawienia lokalne\Dane aplikacji\Adobe
2009-07-06 22:57 . 2009-07-06 22:57 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-06 22:23 . 2009-07-06 22:28 51855 ----a-w- c:\windows\War3Unin.dat
2009-07-06 22:23 . 2009-07-06 22:25 2829 ----a-w- c:\windows\War3Unin.pif
2009-07-06 22:23 . 2009-07-06 22:25 139264 ----a-w- c:\windows\War3Unin.exe
2009-07-06 16:12 . 2009-07-07 08:36 -------- d-----w- c:\program files\Attractel
2009-07-06 14:30 . 2009-07-06 15:20 -------- d-----w- c:\program files\Common Files\MO-Call
2009-07-06 14:30 . 2009-07-06 14:30 -------- d-----w- c:\program files\Morodo
2009-07-06 11:06 . 2009-07-06 11:06 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-06 11:06 . 2009-07-06 14:32 -------- d-----w- c:\documents and settings\Damian\Dane aplikacji\skypePM
2009-07-06 09:01 . 2009-07-06 16:41 -------- d-----r- c:\program files\Skype
2009-07-06 09:01 . 2009-07-06 12:59 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Skype
2009-07-05 19:22 . 2009-07-05 19:22 96 ---ha-w- c:\windows\system32\HsInfo.dat
2009-07-05 18:28 . 2009-07-05 18:28 -------- d-----w- c:\documents and settings\Damian\Ustawienia lokalne\Dane aplikacji\Identities
2009-07-05 07:01 . 2009-07-05 07:00 109472 --sh--r- C:\9kretct.exe
2009-07-04 14:21 . 2009-07-04 14:21 -------- d-----w- c:\program files\PowerISO
2009-07-03 14:02 . 2009-07-03 14:02 -------- d-----w- c:\program files\Trend Micro
2009-07-02 12:13 . 2009-07-02 12:13 -------- d-----w- c:\documents and settings\Damian\Ustawienia lokalne\Dane aplikacji\Blizzard Entertainment
2009-06-30 12:36 . 2009-06-30 12:36 -------- d-----w- c:\windows\system32\bits
2009-06-29 22:41 . 2009-06-29 22:42 -------- d-----w- c:\program files\CCleaner
2009-06-29 20:53 . 2004-07-01 22:10 7680 -c----w- c:\windows\system32\dllcache\bitsprx2.dll
2009-06-29 20:53 . 2004-07-01 22:10 7680 ------w- c:\windows\system32\bitsprx2.dll
2009-06-29 20:53 . 2004-07-01 22:10 7168 -c----w- c:\windows\system32\dllcache\bitsprx3.dll
2009-06-29 20:53 . 2004-07-01 22:10 7168 ------w- c:\windows\system32\bitsprx3.dll
2009-06-29 20:53 . 2004-07-01 22:10 360448 -c--a-w- c:\windows\system32\dllcache\qmgr.dll
2009-06-29 20:53 . 2004-07-01 22:10 17408 -c--a-w- c:\windows\system32\dllcache\qmgrprxy.dll
2009-06-29 20:44 . 2008-10-16 12:13 202776 ----a-w- c:\windows\system32\wuweb.dll
2009-06-29 20:44 . 2008-10-16 12:12 323608 ----a-w- c:\windows\system32\wucltui.dll
2009-06-29 20:44 . 2008-10-16 12:12 561688 ----a-w- c:\windows\system32\wuapi.dll
2009-06-29 20:44 . 2008-10-16 12:08 34328 ----a-w- c:\windows\system32\wups.dll
2009-06-29 20:44 . 2004-08-03 12:04 187160 ----a-w- c:\windows\system32\wuaueng1.dll
2009-06-29 20:44 . 2004-08-03 12:03 170264 ----a-w- c:\windows\system32\wuauclt1.exe
2009-06-29 20:36 . 2002-05-23 07:34 310272 ------w- c:\windows\system32\winhttp.dll
2009-06-29 14:58 . 2009-06-29 14:58 -------- d-----w- C:\WUTemp
2009-06-28 23:05 . 2009-07-07 08:37 -------- d-----w- c:\program files\ESET
2009-06-28 22:32 . 2009-06-28 22:33 -------- d-----w- c:\documents and settings\Damian\Dane aplikacji\Tlen.pl
2009-06-28 22:32 . 2009-06-28 22:32 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Tlen.pl
2009-06-28 22:32 . 2009-06-28 22:32 -------- d-----w- c:\program files\Tlen.pl
2009-06-28 21:49 . 2009-06-29 15:18 50 ----a-w- c:\windows\system32\bridf07a.dat
2009-06-28 21:49 . 2009-06-29 15:19 -------- dc----w- c:\windows\system32\DRVSTORE
2009-06-28 21:48 . 2007-02-02 12:22 55808 ----a-w- c:\windows\system32\brinsstr.dll
2009-06-28 21:48 . 2009-06-29 15:19 -------- d-----w- c:\program files\Brother
2009-06-28 21:48 . 2007-02-15 11:54 131072 ------w- c:\windows\brunin03.dll
2009-06-28 21:12 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-06-28 21:12 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-06-28 21:12 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-06-28 21:12 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-06-28 21:12 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-06-28 21:12 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-06-28 21:12 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-06-28 21:12 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-06-28 21:12 . 2003-03-18 18:14 499712 ----a-w- c:\windows\system32\MSVCP71.dll
2009-06-28 21:12 . 2009-06-28 21:12 -------- d-----w- c:\program files\Alwil Software
2009-06-28 20:02 . 2009-06-28 20:02 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-06-28 18:29 . 2009-06-28 18:29 -------- d-----w- c:\documents and settings\Damian\Ustawienia lokalne\Dane aplikacji\Winamp Toolbar
2009-06-28 17:42 . 2009-07-03 22:40 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2009-06-28 17:42 . 2009-06-28 17:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-28 17:38 . 2009-06-28 17:38 -------- d-----w- c:\program files\Winamp Toolbar
2009-06-28 17:38 . 2009-06-28 17:38 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar
2009-06-28 17:34 . 2009-06-28 17:34 0 ----a-w- c:\windows\nsreg.dat
2009-06-28 17:34 . 2009-06-28 17:34 -------- d-----w- c:\documents and settings\Damian\Ustawienia lokalne\Dane aplikacji\Mozilla
2009-06-28 17:32 . 2009-06-28 17:32 -------- d-----w- c:\documents and settings\Damian\Dane aplikacji\BitSpirit
2009-06-28 17:32 . 2009-06-28 17:32 -------- d-----w- c:\program files\Common Files\BitSpirit
2009-06-28 17:32 . 2009-06-28 17:32 -------- d-----w- c:\program files\BitSpirit

.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 21:18 . 2009-06-28 17:37 -------- d-----w- c:\documents and settings\Damian\Dane aplikacji\Winamp
2009-07-07 10:14 . 2009-06-28 17:37 -------- d-----w- c:\documents and settings\Damian\Dane aplikacji\Ahead
2009-06-29 15:19 . 2009-06-28 14:45 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-28 17:39 . 2009-06-28 17:37 -------- d-----w- c:\program files\Winamp
2009-06-28 16:46 . 2009-06-28 16:46 -------- d-----w- c:\documents and settings\Damian\Dane aplikacji\Media Player Classic
2009-06-28 16:46 . 2009-06-28 16:46 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-06-28 16:38 . 2009-06-28 16:36 -------- d-----w- c:\program files\SubEdit-Player
2009-06-28 16:24 . 2009-06-28 16:24 -------- d-----w- c:\documents and settings\Damian\Dane aplikacji\Gadu-Gadu
2009-06-28 16:24 . 2009-06-28 16:24 -------- d-----w- c:\program files\Gadu-Gadu
2009-06-28 16:10 . 2009-06-28 16:10 -------- d-----w- c:\program files\Analog Devices
2009-06-28 16:10 . 2009-06-28 16:10 -------- d-----w- c:\program files\Common Files\LightScribe
2009-06-28 16:06 . 2009-06-28 16:06 -------- d-----w- c:\program files\Intel
2009-06-28 16:05 . 2001-10-26 16:15 67298 ----a-w- c:\windows\system32\perfc015.dat
2009-06-28 16:05 . 2001-10-26 16:15 436322 ----a-w- c:\windows\system32\perfh015.dat
2009-06-28 15:52 . 2009-06-28 15:52 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Ahead
2009-06-28 15:51 . 2009-06-28 15:49 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-28 15:49 . 2009-06-28 15:49 -------- d-----w- c:\program files\Nero
2009-06-28 15:49 . 2009-06-28 15:49 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Nero
2009-06-28 15:47 . 2009-06-28 15:47 17144 ----a-w- c:\documents and settings\Damian\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-06-28 15:37 . 2009-06-28 15:37 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Brother
2009-06-28 15:34 . 2009-06-28 15:34 -------- d-----w- c:\program files\Lavalys
2009-06-28 15:34 . 2009-06-28 15:34 -------- d-----w- c:\program files\Intel Desktop Board
2009-06-28 15:04 . 2009-06-28 15:04 -------- d-----w- c:\documents and settings\Damian\Dane aplikacji\MSN6
2009-06-28 15:04 . 2009-06-28 15:04 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\MSN6
2009-06-28 14:49 . 2009-06-28 14:49 -------- d-----w- c:\documents and settings\Damian\Dane aplikacji\ATI
2009-06-28 14:49 . 2009-06-28 14:49 131 ----a-w- c:\documents and settings\Damian\Ustawienia lokalne\Dane aplikacji\fusioncache.dat
2009-06-28 14:48 . 2009-06-28 14:45 -------- d-----w- c:\program files\ATI Technologies
2009-06-28 14:48 . 2009-06-28 14:44 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-28 14:30 . 2009-06-28 14:30 -------- d-----w- c:\program files\microsoft frontpage
2009-06-28 14:29 . 2009-06-28 14:29 80007 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-06-28 14:27 . 2009-06-28 14:27 21856 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-28 14:26 . 2009-06-28 14:26 -------- d-----w- c:\program files\Usługi online
.

((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and default, legitimate entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\ctfmon.exe" [2001-10-26 13312]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2001-08-02 1077277]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2001-10-26 13312]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2004-08-25 28672]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
ATI CATALYST System Tray.lnk - c:\program files\ATI Technologies\ATI.ACE\CLI.exe [2004-8-25 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-06-28 114768]
S3 WRSWanDD;WinPoET PPPoE Adapter;c:\windows\system32\drivers\WrKPoETNic2000.sys [2009-06-28 65604]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
- - - - REMOVED EMPTY ENTRIES - - - -

HKCU-Run-z-WrDialer - c:\program files\DialNet\WrDialer.exe


.
------- Supplementary scan -------
.
uStart Page = hxxp://google.pl/
IE: &Winamp Search - c:\documents and settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Pobierz z &BitSpirit - c:\program files\BitSpirit\bsurl.htm
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: {09A7F30F-6502-442C-B910-A9F319A2BCD0} = 217.30.129.149 217.30.137.200
FF - ProfilePath - c:\documents and settings\Damian\Dane aplikacji\Mozilla\Firefox\Profiles\zdkwdxlb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Winamp Search
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampab&query=
FF - component: c:\documents and settings\Damian\Dane aplikacji\Mozilla\Firefox\Profiles\zdkwdxlb.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 18:38
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\ODBC32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(676)
c:\windows\system32\mswsock.dll
c:\windows\System32\wshtcpip.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(2212)
c:\windows\System32\msi.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
c:\windows\System32\ODBC32.dll
c:\program files\Microsoft Office\Office10\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.POL
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
.
**************************************************************************
.
Completion time: 2009-07-10 18:40 - the computer was restarted
ComboFix-quarantined-files.txt 2009-07-10 16:40

Before: 32 577 601 536 bytes free
After: 32 562 876 416 bytes free

WinXP_PL_PRO_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

229 --- E O F --- 2009-06-30 12:37
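The deletion list at the top of the log and the "files created" section are the parts of a ComboFix log a helper reads first. As an added example, not part of the original post or of ComboFix, the following Python script parses lines in that format and flags two indicators commonly associated with removable-media (autorun) worms: a hidden+system or random-looking executable sitting at a drive root, and an autorun.inf next to root-level executables. The column meanings of the attribute string and the heuristics are this example's own assumptions; the sample lines are copied from the log above, and a hit is an indicator to investigate, not a verdict on the poster's machine.

```python
"""Parse ComboFix-style log lines and flag autorun-worm indicators.

Added example, not part of the original post or of ComboFix. The sample
input is copied from the log in the post; heuristics are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Layout of a "files created" line, inferred from the log:
#   <created> . <modified> <size|--------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Attribute-string columns, inferred from sample values such as
# "d-----w-", "--sh--r-", "-c--a-w-", "---ha-w-" (assumption of this example).
DIR, COMPRESSED, SYSTEM, HIDDEN, ARCHIVE, READONLY = 0, 1, 2, 3, 4, 6

EXEC_EXT = (".exe", ".bat", ".cmd", ".com", ".scr", ".pif")
# "random-looking": 4-9 lowercase letters/digits with at least one digit
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{4,9}$")
# a path directly under a drive root, e.g. C:\foo.exe
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories ("--------")
    attrs: str
    path: str

    def flag(self, col: int, ch: str) -> bool:
        return self.attrs[col] == ch


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a well-formed line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], m["modified"], size, m["attrs"], m["path"])


def is_suspicious(e: Entry) -> list[str]:
    """Names of the indicators that match; empty list means nothing flagged."""
    reasons: list[str] = []
    if e.flag(DIR, "d"):
        return reasons
    name = e.path.rsplit("\\", 1)[-1].lower()
    stem, dot, ext = name.rpartition(".")
    at_root = bool(DRIVE_ROOT_RE.match(e.path))
    executable = bool(dot) and ("." + ext) in EXEC_EXT
    if executable and at_root and e.flag(SYSTEM, "s") and e.flag(HIDDEN, "h"):
        reasons.append("hidden+system executable at drive root")
    if executable and at_root and RANDOM_NAME_RE.match(stem):
        reasons.append("random-looking executable name at drive root")
    return reasons


def drives_with_autorun_pair(paths: list[str]) -> list[str]:
    """Drives whose root holds autorun.inf next to at least one root-level executable."""
    roots: dict[str, set[str]] = {}
    for p in paths:
        if DRIVE_ROOT_RE.match(p):
            roots.setdefault(p[0].upper(), set()).add(p.rsplit("\\", 1)[-1].lower())
    return sorted(
        d for d, names in roots.items()
        if "autorun.inf" in names and any(n.endswith(EXEC_EXT) for n in names)
    )


def scan(text: str) -> dict[str, list[str]]:
    """Map each flagged path in a block of log lines to its indicators."""
    out: dict[str, list[str]] = {}
    for line in text.splitlines():
        e = parse_line(line)
        if e and (why := is_suspicious(e)):
            out[e.path] = why
    return out


# Sample input copied from the post above (constructed subset of the log).
SAMPLE_CREATED = r"""
2009-07-06 11:06 . 2009-07-06 11:06 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-05 07:01 . 2009-07-05 07:00 109472 --sh--r- C:\9kretct.exe
2009-07-04 14:21 . 2009-07-04 14:21 -------- d-----w- c:\program files\PowerISO
2009-06-29 20:53 . 2004-07-01 22:10 7680 -c----w- c:\windows\system32\dllcache\bitsprx2.dll
"""
SAMPLE_DELETED = [
    r"C:\autorun.inf", r"c:\windows\AhnRpta.exe", r"D:\3j2h0tf.bat",
    r"D:\Autorun.inf", r"D:\be2trf.bat", r"D:\y6yol.exe",
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_CREATED).items():
        print(path, "->", "; ".join(why))
    print("autorun.inf beside root executables on:", drives_with_autorun_pair(SAMPLE_DELETED))
```

On the sample above the script flags only `C:\9kretct.exe` (both indicators) and drive D: (autorun.inf plus root-level .bat/.exe files); C: has an autorun.inf in the deletion list but no root-level executable in that list, so it is not paired. Tightening or loosening the name heuristic is the main tuning knob; legitimate installers rarely drop hidden+system executables at a drive root, so that indicator is the more reliable of the two.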

#2 extremeboy

  • Malware Response Team

Posted 10 July 2009 - 12:17 PM

Hello.

ComboFix logs are not supposed to be posted or analyzed in this forum, nor are HijackThis logs.

In addition, please read the noted message in blue above:

When posting your problem, do not run and post ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.


Moreover, ComboFix is a very strong tool and should not be run unsupervised by a malware removal helper. Please read below for more detail:

ComboFix Warning

ComboFix is an extremely powerful tool and you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.


This topic will be closed soon by a Moderator.

If you believe you may have a malware related issue, you can start a new topic over here in this forum describing your current problem.

If needed, someone will re-direct you over to the HJT-Malware Removal forum later on.

Thanks for understanding.

With Regards,
Extremeboy

Edited by extremeboy, 10 July 2009 - 12:18 PM.