
vIrUs?



#1 billbryson

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:44 AM

Posted 13 April 2011 - 01:03 PM

Thanks.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


ComboFix 11-04-12.02 - ADRIANO 13/04/2011 17.08.39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.39.1040.18.503.86 [GMT 2:00]
Running from: c:\documents and settings\ADRIANO\Desktop\ComboFix.exe
AV: Sistema Antivirus NOD32 2.70 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: PC Tools Firewall Plus *Enabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ADRIANO\Dati applicazioni\Cizoi
c:\documents and settings\ADRIANO\Dati applicazioni\Cizoi\opogp.loa
c:\documents and settings\ADRIANO\Dati applicazioni\OfferBox
c:\documents and settings\ADRIANO\Dati applicazioni\OfferBox\config.dat
c:\documents and settings\ADRIANO\Dati applicazioni\OfferBox\config.xml
c:\documents and settings\ADRIANO\Dati applicazioni\Pozoif
c:\documents and settings\ADRIANO\Dati applicazioni\Pozoif\sozex.qon
c:\documents and settings\ADRIANO\Dati applicazioni\Raerp
c:\documents and settings\ADRIANO\Dati applicazioni\Raerp\apceu.uqe
c:\documents and settings\ADRIANO\Dati applicazioni\Sycoop
c:\documents and settings\ADRIANO\Dati applicazioni\Sycoop\yrexn.ysg
c:\documents and settings\ADRIANO\Dati applicazioni\Uknyys
c:\documents and settings\ADRIANO\Dati applicazioni\Uknyys\dyvis.ero
c:\documents and settings\ADRIANO\Dati applicazioni\Ymen
c:\documents and settings\ADRIANO\Dati applicazioni\Ymen\haun.liw
c:\documents and settings\ADRIANO\WINDOWS
c:\documents and settings\All Users\Dati applicazioni\ceNQJDAVBWkpog.exe
c:\documents and settings\All Users\Dati applicazioni\VOSwDthSgMPbD.exe
.
The infected copy of c:\windows\regedit.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{AF8D6C2D-DB84-49EF-99D8-3AC6DF68498E}\RP263\A0267982.exe
.
.
((((((((((((((((((((((((( Files Created From 2011-03-13 to 2011-04-13 )))))))))))))))))))))))))))))))))))
.
.
2011-04-13 15:24 . 2011-04-13 15:25 -------- d-----w- c:\windows\LastGood
2011-04-09 16:40 . 2011-04-09 16:51 -------- d-----w- c:\documents and settings\ADRIANO\Dati applicazioni\PrimoPDF
2011-04-09 16:38 . 2011-02-28 22:37 180624 ----a-w- c:\windows\system32\Primomonnt.dll
2011-04-09 16:37 . 2011-04-09 16:51 -------- d-----w- c:\programmi\Nitro PDF
2011-04-04 15:18 . 2011-04-04 15:18 -------- d-----w- c:\programmi\File comuni\Java
2011-04-04 15:16 . 2011-02-02 19:40 472808 ----a-w- c:\programmi\Mozilla Firefox\plugins\npdeployJava1.dll
2011-04-04 15:16 . 2011-02-02 19:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-02 18:37 . 2011-04-02 18:37 -------- d--h--w- c:\documents and settings\LocalService\Risorse di rete
2011-04-01 23:41 . 2011-04-01 23:41 -------- d--h--w- c:\documents and settings\NetworkService\Risorse di rete
2011-03-21 22:47 . 2011-03-21 22:47 -------- d-----w- c:\documents and settings\ADRIANO\Dati applicazioni\QuickScan
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 17:19 . 2010-03-18 20:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\ADRIANO\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2010-03-03 135664]
"Advanced SystemCare 3"="c:\programmi\IObit\Advanced SystemCare 3\AWC.exe" [2009-02-22 2272592]
"DAEMON Tools Lite"="c:\programmi\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2010-07-06 322352]
"PC Suite Tray"="c:\programmi\Nokia\Nokia PC Suite 7\PCSuite.exe" [2010-05-14 1479680]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-18 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-18 137752]
"QlbCtrl.exe"="c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-06-03 177456]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2010-03-03 949376]
"DivXUpdate"="c:\programmi\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"Adobe Reader Speed Launcher"="c:\programmi\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\programmi\File comuni\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"UpdateReminder"="c:\programmi\Eset\UpdateReminder.exe" [2010-11-03 413696]
"TrojanScanner"="c:\programmi\Trojan Remover\Trjscan.exe" [2010-11-24 1233856]
"00PCTFW"="c:\programmi\PC Tools Firewall Plus\FirewallGUI.exe" [2010-11-29 2676696]
"SunJavaUpdateSched"="c:\programmi\File comuni\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\uTorrent\\uTorrent.exe"=
"c:\\Programmi\\EA GAMES\\La Battaglia per la Terra di Mezzo™\\game.dat"=
"c:\\Documents and Settings\\ADRIANO\\Desktop\\Battlefield Vietnam\\bfvietnam.exe"=
"c:\\Programmi\\UrbanTerror\\ioUrbanTerror.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Programmi\\eMule\\emule.exe"=
"c:\\Programmi\\Mozilla Firefox\\firefox.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=
"c:\\Programmi\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
"c:\\Programmi\\File comuni\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [09/03/2010 22.00.46 64288]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [08/03/2011 0.10.26 28552]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/10/2010 0.59.35 691696]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [03/03/2010 16.09.15 15424]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [13/03/2011 13.19.44 249616]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [13/03/2011 13.19.47 160448]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [03/03/2010 15.24.06 14976]
R3 Com4QLBEx;Com4QLBEx;c:\programmi\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [03/03/2010 15.37.01 193840]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [13/03/2011 13.18.05 89192]
R3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [13/03/2011 13.18.05 57536]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\programmi\Lavasoft\Ad-Aware\AAWService.exe [05/02/2010 11.03.30 1352832]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys --> c:\windows\system32\DRIVERS\ewusbnet.sys [?]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\DRIVERS\ewusbfake.sys --> c:\windows\system32\DRIVERS\ewusbfake.sys [?]
S3 Installer Service;Installer Service;c:\documents and settings\All Users\Dati applicazioni\NokiaInstallerCache\ProductCache\{D5878294-C113-43c5-A24F-FC333C52015A}\{3FC42713-B6E7-49AA-A553-A224FE9828A8}\Installer\InstallerService.exe [15/02/2011 23.26.39 119296]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [12/01/2011 2.23.01 137600]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [12/01/2011 2.23.04 8576]
S3 pctNdis;PC Tools Firewall Intermediate Filter Service;c:\windows\system32\drivers\pctNdis.sys [13/03/2011 13.18.05 57536]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [13/03/2011 13.17.59 124992]
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\programmi\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 19:02]
.
2011-04-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1715567821-1417001333-1003Core.job
- c:\documents and settings\ADRIANO\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-03-03 14:48]
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1715567821-1417001333-1003UA.job
- c:\documents and settings\ADRIANO\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe [2010-03-03 14:48]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\ADRIANO\Dati applicazioni\Mozilla\Firefox\Profiles\voly93g6.default\
FF - prefs.js: browser.startup.homepage - www.google.it
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\programmi\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\programmi\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\programmi\Java\jre6\lib\deploy\jqs\ff
FF - Ext: PC Sync 2 Synchronisation Extension: bkmrksync@nokia.com - c:\programmi\Nokia\Nokia PC Suite 7\bkmrksync
FF - Ext: Firefox Synchronisation Extension: {A27F3FEF-1113-4cfb-A032-8E12D7D8EE70} - c:\programmi\Nokia\Nokia Ovi Suite\Connectors\Bookmarks Connector\FirefoxExtension
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANED KEYS REMOVED - - - -
.
URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-hpWirelessAssistant - %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-13 17:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\system32\wuapi.dll.mui_it 15584 bytes executable
c:\windows\system32\wuapi.dll.wusetup.322031.bak 432128 bytes executable
c:\windows\system32\wuauclt.exe.wusetup.326593.bak 111616 bytes executable
c:\windows\system32\wuaucpl.cpl.mui_it 15584 bytes executable
c:\windows\system32\wuaucpl.cpl.wusetup.327937.bak 162816 bytes executable
c:\windows\system32\SoftwareDistribution
c:\windows\system32\cdm.dll.wusetup.315562.bak 66560 bytes executable
c:\windows\system32\wups2.dll 44768 bytes executable
.
scan completed successfully
hidden files: 8
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Dlls loaded by running processes ---------------------
.
- - - - - - - > 'lsass.exe'(1324)
c:\windows\system32\imon.dll
c:\programmi\Eset\pr_imon.dll
.
- - - - - - - > 'explorer.exe'(3784)
c:\windows\system32\WPDShServiceObj.dll
c:\programmi\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\programmi\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\programmi\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_ita.nlr
c:\programmi\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other running processes ------------------------
.
c:\programmi\Java\jre6\bin\jqs.exe
c:\programmi\Eset\nod32krn.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\programmi\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
c:\programmi\Hewlett-Packard\Shared\hpqwmiex.exe
c:\programmi\OpenOffice.org 3\program\soffice.exe
c:\programmi\OpenOffice.org 3\program\soffice.bin
c:\programmi\PC Connectivity Solution\ServiceLayer.exe
c:\programmi\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\programmi\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-13 17:33:41 - the machine was rebooted
ComboFix-quarantined-files.txt 2011-04-13 15:33
.
Pre-Run: 4.696.973.312 bytes free
Post-Run: 4.723.613.696 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ITA.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7C1CC0F9B05C3051963DEF493DD61D6D


Edited by SweetTech, 22 April 2011 - 03:34 PM.
expanded CF log.--ST
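The log above is the kind of artefact a responder reads by hand, but the first-pass checks are mechanical: which autoruns launch from a user-writable profile directory, which removed files carry machine-generated names, whether the Windows Firewall policy has been switched off, and whether the browser's security prompts have been silenced in user.js. As an added example that is not part of the original post and not ComboFix's own logic, the Python script below parses a ComboFix-style log and reports those indicators. The embedded sample is a constructed excerpt assembled from lines of the log above with the section headers translated to English; the `looks_random` thresholds, the user-writable path rule and the `WEAK_FF_PREFS` list are assumptions tuned to this log.

```python
import re

# Constructed excerpt assembled from lines of the ComboFix log posted above,
# with section headers translated to English; it is NOT the complete log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\ADRIANO\Dati applicazioni\Cizoi\opogp.loa
c:\documents and settings\All Users\Dati applicazioni\ceNQJDAVBWkpog.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\ADRIANO\Impostazioni locali\Dati applicazioni\Google\Update\GoogleUpdate.exe" [2010-03-03 135664]
"uTorrent"="c:\programmi\uTorrent\uTorrent.exe" [2010-07-06 322352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\programmi\Eset\nod32kui.exe" [2010-03-03 949376]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
FF_PREF_RE = re.compile(r"^FF - user\.js: (?P<pref>\S+) - (?P<value>.+)$")
WIN_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

# user.js settings that turn off a Firefox safety prompt (assumed list)
WEAK_FF_PREFS = {
    "security.warn_submit_insecure": "false",
    "security.warn_viewing_mixed": "false",
}


def parse_combofix(text):
    """Walk the log line by line, tracking the current section header and
    registry key, and collect the facts a first-pass triage needs."""
    out = {"deleted": [], "autoruns": [], "firewall_enabled": None, "firefox_prefs": {}}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group("title").lower(), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        if section == "other deletions" and WIN_PATH_RE.match(line):
            out["deleted"].append(line)
            continue
        m = FIREWALL_RE.match(line)
        if m and key and "firewallpolicy" in key:
            out["firewall_enabled"] = m.group("val") != "0"
            continue
        m = RUN_VALUE_RE.match(line)
        if m and key and key.endswith("\\run"):
            out["autoruns"].append((key, m.group("name"), m.group("path")))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            out["firefox_prefs"][m.group("pref")] = m.group("value")
    return out


def file_stem(path):
    """Last path component without extension (Windows separators, so no os.path)."""
    return path.rsplit("\\", 1)[-1].split(".")[0]


def in_user_writable_path(path):
    """XP rule of thumb (assumed): everything under the profile root is writable
    without admin rights. Legitimate per-user installers (Google Update in this
    log) live there too, so a hit is a prompt to verify the file, not a verdict."""
    return "\\documents and settings\\" in path.lower()


def looks_random(stem):
    """Crude generated-name check: an alphabetic stem whose letter case flips
    often (VOSwDthSgMPbD) or that is vowel-poor (ceNQJDAVBWkpog). Thresholds are
    assumptions; pronounceable names like Cizoi pass and ntoskrnl would trip it."""
    if not stem.isalpha():
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for c in stem.lower() if c in "aeiou")
    return flips >= 4 or (len(stem) >= 5 and vowels / len(stem) < 0.25)


def triage(text):
    """Return the sorted list of findings for one ComboFix log."""
    p = parse_combofix(text)
    findings = []
    if p["firewall_enabled"] is False:
        findings.append("firewall: standard profile has EnableFirewall=0 (Windows Firewall off)")
    for _key, name, path in p["autoruns"]:
        if in_user_writable_path(path):
            findings.append(f"autorun: '{name}' launches from a user-writable path: {path}")
        if looks_random(file_stem(path)):
            findings.append(f"autorun: '{name}' has a random-looking file name: {path}")
    for path in p["deleted"]:
        if looks_random(file_stem(path)):
            findings.append(f"deleted: random-looking name removed by ComboFix: {path}")
    for pref, bad in WEAK_FF_PREFS.items():
        if p["firefox_prefs"].get(pref) == bad:
            findings.append(f"firefox: user.js sets {pref}={bad}, silencing a browser warning")
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample it reports four findings: the Google Update autorun under the user profile (a legitimate per-user installer, which is why the location rule only prompts a hash check), the ceNQJDAVBWkpog.exe dropper removed from All Users\Dati applicazioni, the disabled firewall policy, and the user.js line that silences the insecure-form-submission warning. The pronounceable generated directory names in the real log (Cizoi, Pozoif, Sycoop) are deliberately not caught by the vowel heuristic; a fuller check would also flag a directory under Dati applicazioni that holds a single file with an unknown extension.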




#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:44 AM

Posted 22 April 2011 - 07:04 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:44 AM

Posted 27 April 2011 - 07:28 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE



