
Trojan Monderb issue [CLOSED]


This topic is locked.

#1 Thorgar (New Member, 5 posts)
Hey, I encountered some trojan attacks recently, mostly because of my mistakes while looking for some specific software on the internet.
However, after I got rid of about 300 viruses with my AntiVir and Ad-Aware, one was still present and AntiVir was reminding me of it every time I started the PC, so I searched on the internet and found that I have to use ComboFix, and in the how-to-use guide it is written that I should post the log on forums such as this one, and so I do. I also re-scanned the Windows folder with AntiVir and there's nothing found, so I suppose ComboFix did its work right.
Here's the log:

ComboFix 08-06-20.4 - Tata 2008-06-30 20:33:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.2723 [GMT 2:00]
Running from: C:\Documents and Settings\Tata\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tata\Pulpit\WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tata\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\Antispyware
C:\Program Files\Antispyware\Antispyware.exe
C:\Program Files\Antispyware\Antispyware.url
C:\Program Files\Antispyware\DataBase.ref
C:\Program Files\Antispyware\Difxapi.dll
C:\Program Files\Antispyware\FilterDrv\Antispyware.amd64.sys
C:\Program Files\Antispyware\FilterDrv\Antispyware.cat
C:\Program Files\Antispyware\FilterDrv\Antispyware.inf
C:\Program Files\Antispyware\FilterDrv\Antispyware.x86.sys
C:\Program Files\Antispyware\SpyCleaner.dll
C:\Program Files\Antispyware\TCL.dll
C:\Program Files\Antispyware\vistaCPtasks.xml
C:\Program Files\Antispyware\zlib.dll
C:\WINDOWS2\system32\mcrh.tmp
C:\WINDOWS2\system32\msssc.dll
C:\WINDOWS2\system32\pgyskujo.ini
C:\WINDOWS2\system32\pmnnkLDw.dll
C:\WINDOWS2\system32\vpcljchk.ini
C:\WINDOWS2\system32\wDLknnmp.ini
C:\WINDOWS2\system32\wDLknnmp.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 20:39 . 2008-06-30 20:39 294 ---hs---- C:\WINDOWS2\system32\pgyskujo.ini
2008-06-30 18:01 . 2008-06-30 18:01 <DIR> d-------- C:\VundoFix Backups
2008-06-30 17:53 . 2008-06-30 17:53 <DIR> d-------- C:\Documents and Settings\Tata\Dane aplikacji\Antispyware
2008-06-30 17:35 . 2008-06-30 17:35 <DIR> d-------- C:\Documents and Settings\Tata\Dane aplikacji\DivX
2008-06-30 16:34 . 2008-06-30 16:34 <DIR> d---s---- C:\Documents and Settings\Tata\UserData
2008-06-30 11:46 . 2008-06-30 11:45 102,664 --a------ C:\WINDOWS2\system32\drivers\tmcomm.sys
2008-06-30 09:41 . 2008-06-30 09:41 <DIR> d-------- C:\Documents and Settings\Ypaev\Dane aplikacji\TmpRecentIcons
2008-06-29 22:08 . 2008-06-29 22:08 92,032 --a------ C:\WINDOWS2\system32\ojuksygp.dll
2008-06-29 21:22 . 2008-06-29 21:22 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-29 17:05 . 2008-06-29 17:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-29 17:05 . 2008-06-29 17:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Dane aplikacji\Lavasoft
2008-06-29 16:45 . 2008-06-29 16:47 <DIR> d-------- C:\Documents and Settings\Ypaev\Dane aplikacji\Lavasoft
2008-06-29 16:00 . 2008-06-29 16:00 28,800 --a------ C:\WINDOWS2\system32\ssqQheeE.dll.vir
2008-06-29 16:00 . 2008-06-29 16:00 28,800 --a------ C:\WINDOWS2\system32\awttrQhI.dll
2008-06-29 15:59 . 2008-06-29 10:49 303,104 --a------ C:\WINDOWS2\gfetqaxsrob.dll
2008-06-29 15:59 . 2008-06-29 10:49 233,472 --a------ C:\WINDOWS2\pntqkflv.dll
2008-06-29 15:59 . 2008-06-29 10:49 155,648 --a------ C:\WINDOWS2\gxvpsafm.dll
2008-06-17 15:09 . 2008-06-17 15:09 <DIR> d-------- C:\WINDOWS2\nvidia icons
2008-06-17 15:09 . 2008-05-03 05:46 182,347 --a------ C:\WINDOWS2\system32\nvapps.nvb
2008-06-14 17:19 . 2008-06-14 17:18 686,426 --a------ C:\WINDOWS2\unins000.exe
2008-06-14 17:19 . 2008-06-14 17:23 62,311 --a------ C:\WINDOWS2\unins000.dat
2008-06-12 18:25 . 2008-06-12 18:25 962,560 --a------ C:\WINDOWS2\system32\VSFilter.dll
2008-06-11 16:09 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS2\system32\dllcache\bthport.sys
2008-06-03 16:53 . 2008-06-14 11:29 <DIR> d-------- C:\z
2008-05-20 14:56 . 2008-05-20 14:56 5,040,377 --a------ C:\P5030108.JPG
2008-05-20 14:55 . 2008-05-20 14:55 4,483,065 --a------ C:\P5030107.JPG
2008-05-20 14:55 . 2008-05-20 14:55 4,257,747 --a------ C:\P5030106.JPG
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS2\system32\lsdelete.exe
2008-05-10 15:06 . 2008-05-10 15:06 1,288,366 --a------ C:\Zdjęcia.rar
2008-05-09 19:50 . 2008-05-09 19:50 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-05-09 19:23 . 2008-05-09 19:23 <DIR> d-------- C:\Program Files\Common Files\Native Instruments
2008-05-09 19:22 . 2008-05-09 19:22 <DIR> d-------- C:\Program Files\Native Instruments
2008-05-05 11:42 . 2008-05-05 11:43 <DIR> d-------- C:\Program Files\HLTooLz
2008-05-05 11:42 . 2008-05-05 11:42 249,856 --------- C:\WINDOWS2\Setup1.exe
2008-05-05 11:42 . 2008-05-05 11:42 73,216 --a------ C:\WINDOWS2\ST6UNST.EXE
2008-05-04 19:48 . 2008-05-04 19:48 <DIR> d-------- C:\Program Files\Lavalys
2008-05-04 19:37 . 2008-05-04 19:37 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-05-04 19:37 . 2008-05-04 19:37 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Dane aplikacji\PC Drivers HeadQuarters
2008-05-01 09:16 . 2008-04-25 20:10 4,857,512 --a------ C:\kac104.jpg

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 18:37 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-06-30 18:37 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-06-30 18:37 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-06-30 18:37 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-06-29 15:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 12:55 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-06-14 18:01 273,024 ------w C:\WINDOWS2\system32\drivers\bthport.sys
2008-06-12 18:04 --------- d-----w C:\Program Files\Ventrilo
2008-06-05 12:32 --------- d-----w C:\Program Files\Last.fm
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS2\system32\drivers\rmcast.sys
2008-05-04 16:57 --------- d-----w C:\Program Files\Miles Sound Tools
2008-05-03 03:46 6,554,496 ----a-w C:\WINDOWS2\system32\drivers\nv4_mini.sys
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS2\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS2\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS2\system32\drivers\Awrtpd.sys
2008-01-18 13:01 1 ----a-w C:\Documents and Settings\Ypaev\SI.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36B3C8E2-EE75-4A98-9093-AB1639FB8145}]
2008-03-13 18:11 14848 --a------ C:\WINDOWS2\system32\wkssvc32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{843DAEB1-A153-4F65-8475-0B53A505931C}]
2008-06-29 10:49 303104 --a------ C:\WINDOWS2\gfetqaxsrob.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B1E0C6DC-BBEA-4DE1-BFCA-70362CD86579}"= "C:\WINDOWS2\gxvpsafm.dll" [2008-06-29 10:49 155648]

[HKEY_CLASSES_ROOT\clsid\{b1e0c6dc-bbea-4de1-bfca-70362cd86579}]
[HKEY_CLASSES_ROOT\gxvpsafm.1]
[HKEY_CLASSES_ROOT\TypeLib\{14B8149C-A16B-429E-A48E-D00166B0B74B}]
[HKEY_CLASSES_ROOT\gxvpsafm]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS2\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]
"Antispyware"="C:\Program Files\Antispyware\Antispyware.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-02-14 09:42 380928]
"GameFace Messenger"="C:\Program Files\GameFace Messenger\GameFace.exe" [2006-11-01 14:50 2154496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 02:50 33792]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 18:12 262401]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-07 16:06 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 15:34 868352]
"NvCplDaemon"="C:\WINDOWS2\system32\NvCpl.dll" [2008-05-03 05:46 13529088]
"nwiz"="nwiz.exe" [2008-05-03 05:46 1630208 C:\WINDOWS2\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"NvMediaCenter"="C:\WINDOWS2\system32\NvMcTray.dll" [2008-05-03 05:46 86016]
"809e9f8e"="C:\WINDOWS2\system32\ojuksygp.dll" [2008-06-29 22:08 92032]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS2\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qegbdmwf"= {2FC4919E-4E69-4B0A-9E69-41BDA025B46B} - C:\WINDOWS2\qegbdmwf.dll [ ]
"pntqkflv"= {12B7A4B2-895E-42DE-99B6-CF8966A16ED2} - C:\WINDOWS2\pntqkflv.dll [2008-06-29 10:49 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)
"ATKKeyboardService"=2 (0x2)
"AppMgmt"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"D:\\Program Files\\LucasArts\\SWKotOR2\\swupdate.exe"=
"D:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\Counter-Strike Source\\hl2.exe"=
"D:\\Program Files\\Half-Life 2\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16838:TCP"= 16838:TCP:*:Disabled:BitComet 16838 TCP
"16838:UDP"= 16838:UDP:*:Disabled:BitComet 16838 UDP

R0 avgntmgr;avgntmgr;C:\WINDOWS2\system32\DRIVERS\avgntmgr.sys [2008-04-19 18:12]
R1 avgntdd;avgntdd;C:\WINDOWS2\system32\DRIVERS\avgntdd.sys [2008-04-19 18:12]
R2 ithsgt;ithsgt;C:\WINDOWS2\system32\DRIVERS\ithsgt.sys [2007-12-01 22:40]
R2 lilsgt;lilsgt;C:\WINDOWS2\system32\DRIVERS\lilsgt.sys [2007-12-01 22:40]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS2\system32\Drivers\Video3D32.sys [2006-09-29 10:06]
S1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS2\system32\drivers\asusgsb32.sys [2005-10-20 16:25]
S1 oreans32;oreans32;C:\WINDOWS2\system32\drivers\oreans32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7950bd-57ba-11dc-ac3c-00300a56eee8}]
\Shell\AutoRun\command - K:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7950bf-57ba-11dc-ac3c-00300a56eee8}]
\Shell\AutoRun\command - I:\USBNB.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 16:06:09 C:\WINDOWS2\Tasks\Antispyware Scheduled Scan.job"
- C:\Program Files\Antispyware\Antispyware.exe
- C:\Program Files\Antispyware
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 20:39:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS2\system32\pgyskujo.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS2\system32\nvsvc32.exe
C:\WINDOWS2\system32\wdfmgr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS2\system32\rundll32.exe
C:\WINDOWS2\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS2\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-30 20:45:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 18:44:48

Pre-Run: 22,862,598,144 bytes free
Post-Run: 23,463,952,384 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS2
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS2="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

219 --- E O F --- 2008-06-20 22:16:07

Edited by Thorgar, 30 June 2008 - 01:00 PM.



#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Do you know what these images are? If not, delete them:

C:\P5030108.JPG
C:\P5030107.JPG
C:\P5030106.JPG
C:\kac104.jpg


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

DirLook::
C:\z
File::
C:\WINDOWS2\system32\pgyskujo.ini
C:\WINDOWS2\system32\ojuksygp.dll
C:\WINDOWS2\system32\ssqQheeE.dll.vir
C:\WINDOWS2\system32\awttrQhI.dll
C:\WINDOWS2\gfetqaxsrob.dll
C:\WINDOWS2\pntqkflv.dll
C:\WINDOWS2\gxvpsafm.dll
C:\WINDOWS2\system32\wkssvc32.dll
C:\WINDOWS2\gfetqaxsrob.dll
Folder::
C:\Documents and Settings\Tata\Dane aplikacji\Antispyware
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36B3C8E2-EE75-4A98-9093-AB1639FB8145}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{843DAEB1-A153-4F65-8475-0B53A505931C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B1E0C6DC-BBEA-4DE1-BFCA-70362CD86579}"=-
[-HKEY_CLASSES_ROOT\clsid\{b1e0c6dc-bbea-4de1-bfca-70362cd86579}]
[-HKEY_CLASSES_ROOT\gxvpsafm.1]
[-HKEY_CLASSES_ROOT\TypeLib\{14B8149C-A16B-429E-A48E-D00166B0B74B}]
[-HKEY_CLASSES_ROOT\gxvpsafm]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antispyware"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"809e9f8e"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qegbdmwf"=-
"pntqkflv"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.
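The triage that greyknight17 did by eye on the log in post #1, and the CFScript syntax he uses in post #2, as a worked example. This script is added here; it is not part of the original thread, of ComboFix, or of any helper's toolkit. It reads the "Other Deletions", "Reg Loading Points" and catchme sections of a ComboFix log, flags autostart entries on a few heuristics, lists the removable-drive AutoRun commands from mountpoints2 for review, and emits a File::/Registry:: script in the form used above. The sample text is an abridged, constructed excerpt of the first log in this thread. The three-day recency window and the eight-hex-digit value-name rule are this example's own assumptions, and the reading of empty brackets `[ ]` as "file not found" is an inference from the log, where they appear on entries such as "Antispyware" whose file ComboFix had just deleted.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: an abridged excerpt of the first ComboFix log posted in this thread.
SAMPLE_LOG = r"""
ComboFix 08-06-20.4 - Tata 2008-06-30 20:33:17.1 - NTFSx86
((((((((((( Other Deletions )))))))))))
C:\Program Files\Antispyware\Antispyware.exe
C:\WINDOWS2\system32\pgyskujo.ini
((((((((((( Reg Loading Points )))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36B3C8E2-EE75-4A98-9093-AB1639FB8145}]
2008-03-13 18:11 14848 --a------ C:\WINDOWS2\system32\wkssvc32.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{843DAEB1-A153-4F65-8475-0B53A505931C}]
2008-06-29 10:49 303104 --a------ C:\WINDOWS2\gfetqaxsrob.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B1E0C6DC-BBEA-4DE1-BFCA-70362CD86579}"= "C:\WINDOWS2\gxvpsafm.dll" [2008-06-29 10:49 155648]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Antispyware"="C:\Program Files\Antispyware\Antispyware.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"809e9f8e"="C:\WINDOWS2\system32\ojuksygp.dll" [2008-06-29 22:08 92032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"qegbdmwf"= {2FC4919E-4E69-4B0A-9E69-41BDA025B46B} - C:\WINDOWS2\qegbdmwf.dll [ ]
"pntqkflv"= {12B7A4B2-895E-42DE-99B6-CF8966A16ED2} - C:\WINDOWS2\pntqkflv.dll [2008-06-29 10:49 233472]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7950bd-57ba-11dc-ac3c-00300a56eee8}]
\Shell\AutoRun\command - K:\USBNB.exe
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
C:\WINDOWS2\system32\pgyskujo.ini 294 bytes
"""

RUN_RE = re.compile(r"^ComboFix \S+ - .+? (\d{4}-\d\d-\d\d \d\d:\d\d):\d\d", re.M)
HEADER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # ((( Section name )))
KEY_RE = re.compile(r"^\[(.+)\]$")                        # [HKEY_...]
SSODL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*\{[^}]+\}\s*-\s*(?P<path>.+?)\s*\[(?P<meta>[^\]]*)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"?(?P<path>[^"\[]+?)"?\s*\[(?P<meta>[^\]]*)\]$')
BHO_RE = re.compile(r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d)\s+\d+\s+\S+\s+(?P<path>[A-Za-z]:\\.+)$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$")
HIDDEN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+\d+ bytes$")
BHO_KEY = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{"

def parse_meta(meta):  # "2008-06-29 10:49 155648" -> (timestamp, path if a 4th token carries one); "[ ]" -> (None, None)
    tok = meta.split()
    if not tok:
        return None, None
    return datetime.strptime(tok[0] + " " + tok[1], "%Y-%m-%d %H:%M"), (" ".join(tok[3:]) or None)

def triage(log_text, recent=timedelta(days=3)):  # the 3-day window is this example's assumption
    run_time = datetime.strptime(RUN_RE.search(log_text).group(1), "%Y-%m-%d %H:%M")
    section, key, deleted, hidden, autorun, points = None, None, set(), [], [], []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if m := HEADER_RE.match(line):
            section, key = m.group(1), None
        elif line.startswith("catchme "):
            section = "catchme"
        elif section == "Other Deletions" and re.match(r"[A-Za-z]:\\", line):
            deleted.add(line.lower())
        elif section == "catchme" and (m := HIDDEN_RE.match(line)):
            hidden.append(m.group("path"))
        elif section != "Reg Loading Points":
            continue
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := AUTORUN_RE.match(line)) and "mountpoints2" in key.lower():
            autorun.append(m.group("cmd"))
        elif key and (m := SSODL_RE.match(line) or VALUE_RE.match(line)):  # SSODL form first: VALUE_RE would swallow the CLSID
            stamp, full = parse_meta(m.group("meta"))
            points.append(dict(key=key, name=m.group("name"), path=full or m.group("path"), time=stamp, reasons=[]))
        elif key and key.startswith(BHO_KEY) and (m := BHO_RE.match(line)):  # per-CLSID BHO keys list the file on its own line
            stamp = datetime.strptime(m.group("stamp"), "%Y-%m-%d %H:%M")
            points.append(dict(key=key, name=key.rsplit("\\", 1)[1], path=m.group("path"), time=stamp, reasons=[]))
    for lp in points:  # heuristics; each is this example's own assumption, not a ComboFix rule
        p = lp["path"].lower()
        if p in deleted:
            lp["reasons"].append("file was deleted by ComboFix in this run")
        if p in {h.lower() for h in hidden}:
            lp["reasons"].append("file is hidden from the Windows API (catchme)")
        if lp["time"] is None:
            lp["reasons"].append("entry points at a file that no longer exists")
        elif timedelta(0) <= run_time - lp["time"] <= recent:
            lp["reasons"].append("file written within %d days of the scan" % recent.days)
        if re.fullmatch(r"[0-9a-f]{8}", lp["name"]):
            lp["reasons"].append("value name is eight hex digits")
    review_keys = (BHO_KEY, "Internet Explorer\\Toolbar", "ShellServiceObjectDelayLoad")
    return {"flagged": [lp for lp in points if lp["reasons"]],
            "review": [lp for lp in points if not lp["reasons"] and any(k in lp["key"] for k in review_keys)],
            "hidden": hidden, "autorun": autorun}

def build_cfscript(flagged, hidden):  # File:: and Registry:: sections in the CFScript syntax used in this thread
    files, by_key, reg = [], {}, []
    for lp in flagged:
        if lp["time"] is not None and lp["path"] not in files:  # nothing to delete for an already-missing file
            files.append(lp["path"])
        if lp["key"].startswith(BHO_KEY):
            reg.append("[-%s]" % lp["key"])  # [-KEY] removes the whole key
        else:
            by_key.setdefault(lp["key"], []).append(lp["name"])
    files += [h for h in hidden if h not in files]
    for key, names in by_key.items():
        reg += ["[%s]" % key] + ['"%s"=-' % n for n in names]  # "name"=- removes one value under KEY
    return "\n".join(["File::"] + files + ["Registry::"] + reg) + "\n"
```

Call `triage(SAMPLE_LOG)` and print `build_cfscript(r["flagged"], r["hidden"])` to see the script. Against this excerpt it reproduces the File:: entries and the Run, Toolbar, ShellServiceObjectDelayLoad and second-BHO removals from greyknight17's script, but it does not flag wkssvc32.dll (its timestamp is months old and its value name is a CLSID), and it knows nothing about the HKEY_CLASSES_ROOT CLSID and TypeLib keys the toolbar registered; both still come from reading the log by hand, which is why the BHO/Toolbar/SSODL entries it cannot score are returned under "review". The mountpoints2 AutoRun commands (K:\USBNB.exe and I:\USBNB.exe in the full log above) are listed for review only; the script makes no claim about them.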

#3 Thorgar (Topic Starter, New Member, 5 posts)
These files above are just pics made with a camera; they are clean. Also, the z folder is clean, as it contains more such pics.

Here's the log:


ComboFix 08-06-20.4 - Tata 2008-07-01 12:36:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.2832 [GMT 2:00]
Running from: C:\Documents and Settings\Tata\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tata\Pulpit\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS2\gfetqaxsrob.dll
C:\WINDOWS2\gxvpsafm.dll
C:\WINDOWS2\pntqkflv.dll
C:\WINDOWS2\system32\awttrQhI.dll
C:\WINDOWS2\system32\ojuksygp.dll
C:\WINDOWS2\system32\pgyskujo.ini
C:\WINDOWS2\system32\ssqQheeE.dll.vir
C:\WINDOWS2\system32\wkssvc32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tata\Dane aplikacji\Antispyware
C:\Documents and Settings\Tata\Dane aplikacji\Antispyware\Log\2008 Jun 30 - 05_53_05 PM_171.log
C:\Documents and Settings\Tata\Dane aplikacji\Antispyware\Log\2008 Jun 30 - 06_06_08 PM_093.log
C:\Documents and Settings\Tata\Dane aplikacji\Antispyware\rs.dat
C:\Documents and Settings\Tata\Dane aplikacji\Antispyware\Settings\ScanResults.pie
C:\WINDOWS2\gfetqaxsrob.dll
C:\WINDOWS2\gxvpsafm.dll
C:\WINDOWS2\pntqkflv.dll
C:\WINDOWS2\system32\awttrQhI.dll
C:\WINDOWS2\system32\mcrh.tmp
C:\WINDOWS2\system32\ojuksygp.dll
C:\WINDOWS2\system32\pgyskujo.ini
C:\WINDOWS2\system32\ssqQheeE.dll.vir
C:\WINDOWS2\system32\wkssvc32.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-30 18:01 . 2008-06-30 18:01 <DIR> d-------- C:\VundoFix Backups
2008-06-30 17:35 . 2008-06-30 17:35 <DIR> d-------- C:\Documents and Settings\Tata\Dane aplikacji\DivX
2008-06-30 16:34 . 2008-06-30 16:34 <DIR> d---s---- C:\Documents and Settings\Tata\UserData
2008-06-30 11:46 . 2008-06-30 11:45 102,664 --a------ C:\WINDOWS2\system32\drivers\tmcomm.sys
2008-06-30 09:41 . 2008-06-30 09:41 <DIR> d-------- C:\Documents and Settings\Ypaev\Dane aplikacji\TmpRecentIcons
2008-06-29 21:22 . 2008-06-29 21:22 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-29 17:05 . 2008-06-29 17:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-29 17:05 . 2008-06-29 17:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Dane aplikacji\Lavasoft
2008-06-29 16:45 . 2008-06-29 16:47 <DIR> d-------- C:\Documents and Settings\Ypaev\Dane aplikacji\Lavasoft
2008-06-17 15:09 . 2008-06-17 15:09 <DIR> d-------- C:\WINDOWS2\nvidia icons
2008-06-17 15:09 . 2008-05-03 05:46 182,347 --a------ C:\WINDOWS2\system32\nvapps.nvb
2008-06-14 17:19 . 2008-06-14 17:18 686,426 --a------ C:\WINDOWS2\unins000.exe
2008-06-14 17:19 . 2008-06-14 17:23 62,311 --a------ C:\WINDOWS2\unins000.dat
2008-06-12 18:25 . 2008-06-12 18:25 962,560 --a------ C:\WINDOWS2\system32\VSFilter.dll
2008-06-11 16:09 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS2\system32\dllcache\bthport.sys
2008-06-03 16:53 . 2008-06-14 11:29 <DIR> d-------- C:\z

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 10:39 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-01 10:39 262,144 ---ha-w C:\Documents and Settings\NetworkService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-01 10:39 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-07-01 10:39 262,144 ---ha-w C:\Documents and Settings\LocalService.ZARZąDZANIE NT\NTUSER.DAT
2008-06-29 15:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 12:55 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-06-14 18:01 273,024 ------w C:\WINDOWS2\system32\drivers\bthport.sys
2008-06-12 18:04 --------- d-----w C:\Program Files\Ventrilo
2008-06-05 12:32 --------- d-----w C:\Program Files\Last.fm
2008-05-09 17:50 --------- d-----w C:\Program Files\ASIO4ALL v2
2008-05-09 17:23 --------- d-----w C:\Program Files\Common Files\Native Instruments
2008-05-09 17:22 --------- d-----w C:\Program Files\Native Instruments
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS2\system32\drivers\rmcast.sys
2008-05-05 09:43 --------- d-----w C:\Program Files\HLTooLz
2008-05-05 09:42 73,216 ----a-w C:\WINDOWS2\ST6UNST.EXE
2008-05-05 09:42 249,856 ------w C:\WINDOWS2\Setup1.exe
2008-05-04 17:48 --------- d-----w C:\Program Files\Lavalys
2008-05-04 17:37 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2008-05-04 17:37 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Dane aplikacji\PC Drivers HeadQuarters
2008-05-04 16:57 --------- d-----w C:\Program Files\Miles Sound Tools
2008-05-03 03:46 6,554,496 ----a-w C:\WINDOWS2\system32\drivers\nv4_mini.sys
2008-01-18 13:01 1 ----a-w C:\Documents and Settings\Ypaev\SI.bin
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\z ----

2008-06-14 11:31 31744 --ahs---- C:\z\psi\Thumbs.db
2008-06-14 11:29 8704 --ahs---- C:\z\Thumbs.db
2008-06-12 20:59 86934 --a------ C:\z\psi\edc931b3acaf951e.jpg
2008-06-12 20:59 84716 --a------ C:\z\psi\23ea4216af0e4a25.jpg
2008-06-12 20:59 83826 --a------ C:\z\psi\b305e06e45e084c8.jpg
2008-06-12 20:59 83467 --a------ C:\z\psi\e258ee666272df47.jpg
2008-06-12 20:59 82632 --a------ C:\z\psi\5368965a03491c9a.jpg
2008-06-12 20:59 81889 --a------ C:\z\psi\07e4ff6bbda19ee7.jpg
2008-06-12 20:59 79065 --a------ C:\z\psi\03de942cf59c0c60.jpg
2008-06-03 17:03 433899 --------- C:\z\101_0076.JPG
2008-06-03 17:03 411945 --------- C:\z\101_0077.JPG
2008-06-03 17:02 415355 --------- C:\z\101_0062.JPG
2008-06-03 17:01 514141 --------- C:\z\101_0042.JPG
2008-06-03 17:01 467273 --------- C:\z\101_0039.JPG
2008-06-03 17:01 431653 --------- C:\z\101_0037.JPG
2008-06-03 16:59 189088 --------- C:\z\101_0008.JPG
2008-06-03 16:59 163100 --------- C:\z\101_0003.JPG
2008-06-03 16:59 155619 --------- C:\z\101_0016.JPG
2008-06-03 16:58 175541 --------- C:\z\100_9990.JPG
2008-06-03 16:58 167536 --------- C:\z\100_9995.JPG
2008-06-03 16:58 157448 --------- C:\z\100_9997.JPG
2008-06-03 16:58 145348 --------- C:\z\100_9991.JPG
2008-06-03 16:58 144623 --------- C:\z\100_9986.JPG
2008-06-03 16:57 261164 --------- C:\z\100_9974.JPG
2008-06-03 16:57 246007 --------- C:\z\100_9976.JPG
2008-06-03 16:57 175298 --------- C:\z\100_9982.JPG
2008-06-03 16:56 219864 --------- C:\z\100_9971.JPG
2008-06-03 16:56 186173 --------- C:\z\100_9964.JPG
2008-05-25 13:17 854925 --------- C:\z\DSC00382.JPG
2008-05-22 09:00 803620 --------- C:\z\DSC00379.JPG
2008-04-28 17:47 837706 --------- C:\z\DSC00364.JPG
2008-04-28 17:41 866941 --------- C:\z\DSC00362.JPG
2008-04-27 17:08 840173 --------- C:\z\DSC00357.JPG
2008-04-27 17:07 880014 --------- C:\z\DSC00355.JPG
2008-04-27 17:06 854239 --------- C:\z\DSC00352.JPG
2008-03-27 07:17 809381 --------- C:\z\DSC00322.JPG


((((((((((((((((((((((((((((( snapshot@2008-06-30_20.44.36.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 18:38:40 2,048 --s-a-w C:\WINDOWS2\bootstat.dat
+ 2008-07-01 10:39:56 2,048 --s-a-w C:\WINDOWS2\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS2\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-02-14 09:42 380928]
"GameFace Messenger"="C:\Program Files\GameFace Messenger\GameFace.exe" [2006-11-01 14:50 2154496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 02:50 33792]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 18:12 262401]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-07 16:06 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 15:34 868352]
"NvCplDaemon"="C:\WINDOWS2\system32\NvCpl.dll" [2008-05-03 05:46 13529088]
"nwiz"="nwiz.exe" [2008-05-03 05:46 1630208 C:\WINDOWS2\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"NvMediaCenter"="C:\WINDOWS2\system32\NvMcTray.dll" [2008-05-03 05:46 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS2\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)
"ATKKeyboardService"=2 (0x2)
"AppMgmt"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"D:\\Program Files\\LucasArts\\SWKotOR2\\swupdate.exe"=
"D:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\Counter-Strike Source\\hl2.exe"=
"D:\\Program Files\\Half-Life 2\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16838:TCP"= 16838:TCP:*:Disabled:BitComet 16838 TCP
"16838:UDP"= 16838:UDP:*:Disabled:BitComet 16838 UDP

R0 avgntmgr;avgntmgr;C:\WINDOWS2\system32\DRIVERS\avgntmgr.sys [2008-04-19 18:12]
R1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS2\system32\drivers\asusgsb32.sys [2005-10-20 16:25]
R1 avgntdd;avgntdd;C:\WINDOWS2\system32\DRIVERS\avgntdd.sys [2008-04-19 18:12]
R2 ithsgt;ithsgt;C:\WINDOWS2\system32\DRIVERS\ithsgt.sys [2007-12-01 22:40]
R2 lilsgt;lilsgt;C:\WINDOWS2\system32\DRIVERS\lilsgt.sys [2007-12-01 22:40]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS2\system32\Drivers\Video3D32.sys [2006-09-29 10:06]
S1 oreans32;oreans32;C:\WINDOWS2\system32\drivers\oreans32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7950bd-57ba-11dc-ac3c-00300a56eee8}]
\Shell\AutoRun\command - K:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7950bf-57ba-11dc-ac3c-00300a56eee8}]
\Shell\AutoRun\command - I:\USBNB.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-30 16:06:09 C:\WINDOWS2\Tasks\Antispyware Scheduled Scan.job"
- C:\Program Files\Antispyware\Antispyware.exe
- C:\Program Files\Antispyware
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 12:41:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS2\system32\nvsvc32.exe
C:\WINDOWS2\system32\wdfmgr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS2\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS2\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-01 12:47:23 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 10:47:02
ComboFix2.txt 2008-06-30 18:45:10

Pre-Run: 27,910,602,752 bytes free
Post-Run: 27,897,147,392 bytes free

224 --- E O F --- 2008-06-20 22:16:07

Edited by Thorgar, 01 July 2008 - 04:51 AM.


#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

DirLook::
C:\WINDOWS2\nvidia icons
File::
C:\WINDOWS2\Tasks\Antispyware Scheduled Scan.job
Folder::
C:\Program Files\Antispyware

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

#5 Thorgar (Topic Starter, New Member, 5 posts)
It says that my copy of ComboFix has expired and asks me to download an updated copy. Where can I get an updated one from?

OK, I got it.

Here's the log:

ComboFix 08-07-01.5 - Tata 2008-07-02 23:43:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.2860 [GMT 2:00]
Running from: C:\Documents and Settings\Tata\Pulpit\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tata\Pulpit\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS2\Tasks\Antispyware Scheduled Scan.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS2\Tasks\Antispyware Scheduled Scan.job

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-02 11:58 . 2008-07-02 11:58 <DIR> d-------- C:\Documents and Settings\Tata\Dane aplikacji\Ventrilo
2008-07-02 10:53 . 2008-07-02 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-01 13:37 . 2008-07-01 13:37 <DIR> d-------- C:\Deckard
2008-06-30 18:01 . 2008-06-30 18:01 <DIR> d-------- C:\VundoFix Backups
2008-06-30 17:35 . 2008-06-30 17:35 <DIR> d-------- C:\Documents and Settings\Tata\Dane aplikacji\DivX
2008-06-30 16:34 . 2008-06-30 16:34 <DIR> d---s---- C:\Documents and Settings\Tata\UserData
2008-06-30 11:46 . 2008-06-30 11:45 102,664 --a------ C:\WINDOWS2\system32\drivers\tmcomm.sys
2008-06-30 09:41 . 2008-06-30 09:41 <DIR> d-------- C:\Documents and Settings\Ypaev\Dane aplikacji\TmpRecentIcons
2008-06-29 21:22 . 2008-06-29 21:22 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-06-29 17:05 . 2008-06-29 17:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-29 17:05 . 2008-06-29 17:06 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS2\Dane aplikacji\Lavasoft
2008-06-29 16:45 . 2008-06-29 16:47 <DIR> d-------- C:\Documents and Settings\Ypaev\Dane aplikacji\Lavasoft
2008-06-17 15:09 . 2008-06-17 15:09 <DIR> d-------- C:\WINDOWS2\nvidia icons
2008-06-17 15:09 . 2008-05-03 05:46 182,347 --a------ C:\WINDOWS2\system32\nvapps.nvb
2008-06-14 17:19 . 2008-06-14 17:18 686,426 --a------ C:\WINDOWS2\unins000.exe
2008-06-14 17:19 . 2008-06-14 17:23 62,311 --a------ C:\WINDOWS2\unins000.dat
2008-06-12 18:25 . 2008-06-12 18:25 962,560 --a------ C:\WINDOWS2\system32\VSFilter.dll
2008-06-11 16:09 . 2008-06-14 20:01 273,024 -----c--- C:\WINDOWS2\system32\dllcache\bthport.sys
2008-06-03 16:53 . 2008-06-14 11:29 <DIR> d-------- C:\z

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-29 15:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 12:55 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-06-14 18:01 273,024 ------w C:\WINDOWS2\system32\drivers\bthport.sys
2008-06-12 18:04 --------- d-----w C:\Program Files\Ventrilo
2008-06-05 12:32 --------- d-----w C:\Program Files\Last.fm
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS2\system32\lsdelete.exe
2008-05-09 17:50 --------- d-----w C:\Program Files\ASIO4ALL v2
2008-05-09 17:23 --------- d-----w C:\Program Files\Common Files\Native Instruments
2008-05-09 17:22 --------- d-----w C:\Program Files\Native Instruments
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS2\system32\drivers\rmcast.sys
2008-05-07 05:16 1,291,264 ----a-w C:\WINDOWS2\system32\quartz.dll
2008-05-05 09:43 --------- d-----w C:\Program Files\HLTooLz
2008-05-05 09:42 73,216 ----a-w C:\WINDOWS2\ST6UNST.EXE
2008-05-05 09:42 249,856 ------w C:\WINDOWS2\Setup1.exe
2008-05-04 17:48 --------- d-----w C:\Program Files\Lavalys
2008-05-04 17:37 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2008-05-04 17:37 --------- d-----w C:\Documents and Settings\All Users.WINDOWS2\Dane aplikacji\PC Drivers HeadQuarters
2008-05-04 16:57 --------- d-----w C:\Program Files\Miles Sound Tools
2008-04-30 15:27 442,368 ----a-w C:\WINDOWS2\system32\NVUNINST.EXE
2008-04-21 07:03 662,016 ----a-w C:\WINDOWS2\system32\wininet.dll
2008-01-18 13:01 1 ----a-w C:\Documents and Settings\Ypaev\SI.bin
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS2\nvidia icons ----

2008-03-03 16:06 3262 --a------ C:\WINDOWS2\nvidia icons\Portal_48x48.ico
2008-03-03 16:06 3262 --a------ C:\WINDOWS2\nvidia icons\Portal_32x32.ico


((((((((((((((((((((((((((((( snapshot@2008-06-30_20.44.36.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 18:38:40 2,048 --s-a-w C:\WINDOWS2\bootstat.dat
+ 2008-07-02 16:09:02 2,048 --s-a-w C:\WINDOWS2\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS2\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GamerOSD"="C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" [2007-02-14 09:42 380928]
"GameFace Messenger"="C:\Program Files\GameFace Messenger\GameFace.exe" [2006-11-01 14:50 2154496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2003-12-13 02:50 33792]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 18:12 262401]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-01-07 16:06 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 15:34 868352]
"NvCplDaemon"="C:\WINDOWS2\system32\NvCpl.dll" [2008-05-03 05:46 13529088]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"NvMediaCenter"="C:\WINDOWS2\system32\NvMcTray.dll" [2008-05-03 05:46 86016]
"nwiz"="nwiz.exe" [2008-05-03 05:46 1630208 C:\WINDOWS2\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS2\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=3 (0x3)
"ATKKeyboardService"=2 (0x2)
"AppMgmt"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Motorola Phone Tools\\mPhonetools.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Last.fm\\LastFM.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Jedi Knight Jedi Academy\\GameData\\jamp.exe"=
"D:\\Program Files\\LucasArts\\SWKotOR2\\swupdate.exe"=
"D:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"C:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"D:\\Program Files\\Counter-Strike Source\\hl2.exe"=
"D:\\Program Files\\Half-Life 2\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16838:TCP"= 16838:TCP:*:Disabled:BitComet 16838 TCP
"16838:UDP"= 16838:UDP:*:Disabled:BitComet 16838 UDP

R0 avgntmgr;avgntmgr;C:\WINDOWS2\system32\DRIVERS\avgntmgr.sys [2008-04-19 18:12]
R1 asusgsb;ASUS Virtual Video Capture Device Driver;C:\WINDOWS2\system32\drivers\asusgsb32.sys [2005-10-20 16:25]
R1 avgntdd;avgntdd;C:\WINDOWS2\system32\DRIVERS\avgntdd.sys [2008-04-19 18:12]
R2 ithsgt;ithsgt;C:\WINDOWS2\system32\DRIVERS\ithsgt.sys [2007-12-01 22:40]
R2 lilsgt;lilsgt;C:\WINDOWS2\system32\DRIVERS\lilsgt.sys [2007-12-01 22:40]
R3 Video3D;ASUS Video3D Service;C:\WINDOWS2\system32\Drivers\Video3D32.sys [2006-09-29 10:06]
S1 oreans32;oreans32;C:\WINDOWS2\system32\drivers\oreans32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7950bd-57ba-11dc-ac3c-00300a56eee8}]
\Shell\AutoRun\command - K:\USBNB.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7950bf-57ba-11dc-ac3c-00300a56eee8}]
\Shell\AutoRun\command - I:\USBNB.exe

*Newly Created Service* - CATCHME
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{E55E1C86-434D-46F9-A253-2DE4AB3F9734} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 23:46:26
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-02 23:47:06
ComboFix-quarantined-files.txt 2008-07-02 21:47:02
ComboFix2.txt 2008-07-01 10:47:24
ComboFix3.txt 2008-06-30 18:45:10

Pre-Run: 45,433,982,976 bajtów wolnych
Post-Run: 45,424,889,856 bajtów wolnych

153 --- E O F --- 2008-06-20 22:16:07

Edited by Thorgar, 02 July 2008 - 03:48 PM.

  • 0
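A triage pass over the kind of ComboFix log posted above, added here as an example for this page (it is not a tool from the thread or from ComboFix's authors). The sample input is a constructed excerpt of lines from the log above; the rule names are my own and mark lines to check by hand, not verdicts.

```python
import re

# Constructed sample: lines excerpted from the ComboFix log in this thread (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-19 18:12 262401]
"nwiz"="nwiz.exe" [2008-05-03 05:46 1630208 C:\WINDOWS2\system32\nwiz.exe]

R0 avgntmgr;avgntmgr;C:\WINDOWS2\system32\DRIVERS\avgntmgr.sys [2008-04-19 18:12]
S1 oreans32;oreans32;C:\WINDOWS2\system32\drivers\oreans32.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac7950bd-57ba-11dc-ac3c-00300a56eee8}]
\Shell\AutoRun\command - K:\USBNB.exe

ShellExecuteHooks-{E55E1C86-434D-46F9-A253-2DE4AB3F9734} - (no file)
"""

RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)" \[(.*)\]$')      # "name"="path" [stamp]
SERVICE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$')  # R0 name;display;path [stamp]
AUTORUN = re.compile(r'^\\Shell\\AutoRun\\command - (.*)$')       # mountpoints2 autorun handler

def triage(log_text):
    """Return (reason, detail) pairs for log lines a reviewer should look at first."""
    findings = []
    section = ""
    for line in log_text.splitlines():
        if line.startswith("["):
            section = line.strip("[]")          # remember which registry key we are under
            continue
        m = RUN_VALUE.match(line)
        if m and section.lower().endswith("\\run"):
            name, path = m.group(1), m.group(2)
            if ":" not in path:                 # bare filename: resolved through the search path
                findings.append(("run-value-unqualified-path", f"{name} -> {path}"))
            continue
        m = SERVICE.match(line)
        if m:
            if m.group(5) == "":                # ComboFix prints [] when it cannot stat the driver file
                findings.append(("driver-file-missing", f"{m.group(2)}: {m.group(4)}"))
            continue
        m = AUTORUN.match(line)
        if m and "mountpoints2" in section.lower():
            findings.append(("autorun-handler-on-mounted-volume", m.group(1)))
            continue
        if line.endswith("- (no file)"):        # loading point whose target no longer exists
            findings.append(("loading-point-missing-file", line.split(" - ")[0]))
    return findings
```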

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No need to get a newer version. We are done here. Combofix is not a tool you want to run unsupervised by a security helper as it can have negative effects....

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#7
Thorgar

Thorgar

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
There are only the things the infection changed on one of my desktops (unable to log out, restricted process manager, can't use communicators and can't use the Control Panel there).
I got my DSS logs in my second topic here (which is closed), but I can paste 'em here if you want.
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK...remove Combofix using my instructions I last posted. Then download the new version. Run it by double clicking on it. Post the log here.

Do you still have the same problems? What communicators?
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
