Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Spyware bloggish 22 some type

Started by loni , Apr 11 2008 11:42 AM

  • This topic is locked This topic is locked

#1
loni
Posted 11 April 2008 - 11:42 AM

loni

    Member

  • Member
  • PipPip
  • 19 posts
Help i think im infected by some type of Trojan or VIRUS i get poppups randomly without doing anything and it has a bad nature




ComboFix 08-04-10.9 - SaM WaI 2008-04-11 18:09:38.1 - NTFSx86
Running from: C:\Program Files\Firefox Download\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\SaM WaI\Application Data\macromedia\Flash Player\#SharedObjects\BWWHGQRR\www.broadcaster.com
C:\Documents and Settings\SaM WaI\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\SaM WaI\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\{3465C~1
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\NPF


((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-09 16:32 . 2008-04-10 13:54 <DIR> d-------- C:\Program Files\COMODO
2008-04-09 16:32 . 2008-04-10 13:54 <DIR> d-------- C:\Documents and Settings\SaM WaI\Application Data\Comodo
2008-04-09 16:32 . 2008-04-10 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-04-05 15:18 . 2008-04-05 16:10 <DIR> d-------- C:\Program Files\Wolfenstein - Enemy Territory
2008-04-03 17:45 . 2008-04-03 17:45 0 -ra------ C:\logwmemory.bin
2008-04-03 17:43 . 2008-04-04 12:59 <DIR> d-------- C:\Program Files\Soldat
2008-04-03 17:43 . 2008-04-03 17:43 <DIR> d-------- C:\Documents and Settings\SaM WaI\Application Data\Soldat
2008-04-03 00:26 . 2008-04-03 00:26 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-04-02 07:21 . 2008-04-08 16:01 <DIR> d-------- C:\Documents and Settings\SaM WaI\Application Data\AVG7
2008-04-02 07:21 . 2008-04-02 07:21 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-02 07:20 . 2008-04-02 07:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 07:20 . 2008-04-03 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-29 13:17 . 2008-04-01 16:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-29 13:16 . 2008-04-01 16:39 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-03-22 09:54 . 2008-04-01 16:28 <DIR> d-------- C:\Program Files\Call of Duty Dawnville Demo
2008-03-18 16:44 . 2007-10-30 18:20 360,064 --a------ C:\WINDOWS\system32\drivers\tcpip.sys.ORIGINAL
2008-03-18 16:44 . 2007-10-30 18:20 360,064 --a------ C:\WINDOWS\system32\dllcache\tcpip.sys.ORIGINAL
2008-03-18 16:42 . 2008-03-18 16:42 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-03-18 16:17 . 2008-03-18 16:17 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 17:05 --------- d-----w C:\Program Files\Firefox Download
2008-04-11 07:49 --------- d-----w C:\Program Files\Xfire
2008-04-10 20:08 --------- d-----w C:\Documents and Settings\SaM WaI\Application Data\Xfire
2008-04-01 15:41 --------- d-----w C:\Program Files\ESET
2008-03-18 15:44 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-03-18 15:42 --------- d-----w C:\Program Files\BitComet
2008-03-18 15:36 --------- d-----w C:\Program Files\Gpotato
2008-03-10 19:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-09 17:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-08 17:03 --------- d-----w C:\Documents and Settings\SaM WaI\Application Data\teamspeak2
2008-02-28 18:29 --------- d-----w C:\Program Files\Windows Live
2008-02-26 12:33 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-02-26 12:20 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-02-26 12:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-02-23 17:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-23 17:47 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-21 17:39 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-02-20 21:46 --------- d-----w C:\Program Files\Sony
2008-02-06 20:32 43,040 ----a-w C:\Documents and Settings\SaM WaI\Application Data\GDIPFONTCACHEV1.DAT
2007-11-27 10:05 22,328 ----a-w C:\Documents and Settings\SaM WaI\Application Data\PnkBstrK.sys
2007-11-05 20:53 23,582,974 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_11_03_10_33_10_full.dmp.zip
2007-05-04 16:24 105,860 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_04_23_16_43_14_small.dmp.zip
2005-10-25 12:20 56 --sh--r C:\WINDOWS\system32\093E353CB6.sys
2007-10-06 16:21 11,480 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-04 00:02 3,868,960 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-04 00:02 222,240 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

------- Sigcheck -------

2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 09:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-03-18 16:44 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\dllcache\tcpip.sys
2008-03-18 16:44 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-02 07:20 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-02 07:20 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%FP%Friendly fts.exe]
--a------ 2003-05-06 10:28 72192 C:\Program Files\VoyagerTest\fts.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-10-18 16:42 79448 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-11-10 00:22 497240 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
--a------ 2007-04-12 00:50 947200 C:\Documents and Settings\SaM WaI\Desktop\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 09:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boots Insert Detect]
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
--------- 2003-08-19 13:47 16384 C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
--------- 2003-06-28 16:10 1658965 C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-11-01 16:46 2553264 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2004-04-21 11:28 286720 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MAAgent]
C:\Program Files\MarkAny\ContentSafer\MAAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"helpsvc"=2 (0x2)
"BthServ"=2 (0x2)
"AresChatServer"=3 (0x3)
"AOLService"=2 (0x2)
"AOL ACS"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Documents and Settings\\SaM WaI\\Desktop\\Ares.exe"=
"C:\\Program Files\\Sierra\\Empire Earth II\\EE2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26846:TCP"= 26846:TCP:BitComet 26846 TCP
"26846:UDP"= 26846:UDP:BitComet 26846 UDP

R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 17:52]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 13:10]
S3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 13:56]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\A4.tmp []
S3 PsSdk30;PsSdk30;C:\WINDOWS\system32\Drivers\PsSdk30.drv []
S3 XDva028;XDva028;C:\WINDOWS\system32\XDva028.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-10-23 18:17:51 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 18:21:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\C:\WINDOWS\system32\A4.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\system32\Drivers\PsSdk30.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
.
**************************************************************************
.
Completion time: 2008-04-11 18:26:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-11 17:26:17
Pre-Run: 3,739,693,056 bytes free
Post-Run: 3,735,310,336 bytes free
.
2008-02-13 07:27:54 --- E O F ---






HIJACKTHIS:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:02, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\Belkinwcui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.1.2.dll/206 (file missing)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15034/CTPID.cab
O20 - AppInit_DLLs:
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 3364 bytes
  • 0

Advertisements

#2
Rorschach112
Posted 12 April 2008 - 06:42 AM

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Don't make multiple topics

And DO NOT run tools like ComboFix yourself
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP