
Downloader+W32BackdoorIRC endless popups audio ads [RESOLVED]


  • This topic is locked

#16
Q6600isabeast
    Member
  • Topic Starter
  • 10 posts
CFLog:

ComboFix 08-08-30.01 - Wade 2008-08-30 13:34:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1521 [GMT -5:00]
Running from: C:\Documents and Settings\Wade\My Documents\Downloaded\Malware programs\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wade\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
C:\_OTMoveIt\MovedFiles\08282008_172822.log
C:\_OTMoveIt\MovedFiles\08282008_172822.res
C:\_OTMoveIt\MovedFiles\08282008_172822.zip
C:\_OTMoveIt\MovedFiles\08282008_172822\DOCUME~1\Wade\LOCALS~1\Temp\~DF3CC9.tmp
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\afisicx.exe
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\mmchost.dll
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\noxtcyr.exe
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\roxtctm.exe
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\sotpeca.exe
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\system32\wsldoekd.exe
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\temp\mta55029.dll
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\temp\mta55971.dll
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\temp\mta59849.dll
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\temp\mta64789.dll
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\temp\mta77231.dll
C:\_OTMoveIt\MovedFiles\08282008_172822\WINDOWS\temp\mtaw65556.dll
C:\_OTMoveIt\MovedFiles\08292008_085147.log
C:\_OTMoveIt\MovedFiles\08292008_085147.res
C:\_OTMoveIt\MovedFiles\08292008_085147\DOCUME~1\Wade\LOCALS~1\Temp\~DF797F.tmp
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\system32\afisicx.exe
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\system32\noxtcyr.exe
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\system32\roxtctm.exe
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\system32\sotpeca.exe
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\system32\wsldoekd.exe
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\temp\mta100770.dll
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\temp\mta104633.dll
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\temp\mta106569.dll
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\temp\mta109384.dll
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\temp\mta31840.dll
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\temp\mta80094.dll
C:\_OTMoveIt\MovedFiles\08292008_085147\WINDOWS\temp\mta97156.dll
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\winimgr.exe
C:\WINDOWS\system32\winlogs.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-30 09:39 . 2008-08-30 09:39 <DIR> d-------- C:\WINDOWS\Sun
2008-08-30 09:37 . 2008-08-30 09:37 <DIR> d-------- C:\Program Files\Sun
2008-08-30 09:37 . 2008-08-30 09:37 <DIR> d-------- C:\Program Files\Java
2008-08-30 09:37 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-30 09:36 . 2008-08-30 09:36 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-27 21:58 . 2008-08-27 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 20:19 . 2008-08-27 20:19 0 --a------ C:\WINDOWS\nsreg.dat
2008-08-27 20:08 . 2008-08-27 20:08 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Documents and Settings\Wade\Application Data\Malwarebytes
2008-08-27 19:50 . 2008-08-27 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-27 19:50 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-27 19:50 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-27 19:48 . 2008-08-27 19:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-08-27 19:44 . 2008-08-27 19:45 <DIR> d-------- C:\Program Files\ERUNT
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\system32\bits
2008-08-26 19:33 . 2008-08-26 19:33 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-26 19:30 . 2008-08-26 19:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-26 19:10 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-08-26 18:55 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-26 18:53 . 2008-07-18 22:09 25,800 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-08-26 11:40 . 2008-08-27 19:58 <DIR> d-------- C:\WINDOWS\system32\inf
2008-08-16 12:51 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-08-16 12:49 . 2008-08-16 12:49 <DIR> d-------- C:\WINDOWS\Logs
2008-08-16 10:57 . 2008-08-29 23:03 <DIR> d-------- C:\Program Files\ShotOnline International
2008-08-14 19:11 . 2003-07-16 10:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-08-14 19:11 . 2004-12-31 01:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-08-14 19:10 . 2008-08-14 19:10 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-07-07 15:26 . 2008-07-07 15:26 253,952 -----c--- C:\WINDOWS\system32\dllcache\es.dll
2008-07-01 18:19 . 2008-07-01 18:19 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-07-01 18:19 . 2008-07-01 18:19 <DIR> d-------- C:\Program Files\ATT
2008-07-01 18:19 . 2008-07-01 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 20:42 --------- d-----w C:\Program Files\PokerStars
2008-08-29 18:18 --------- d-----w C:\Program Files\lg_fwupdate
2008-08-28 02:45 --------- d-----w C:\Program Files\BFG
2008-08-27 01:14 --------- d-----w C:\Program Files\NavNT
2008-08-23 21:38 --------- d-----w C:\Documents and Settings\Wade\Application Data\Vso
2008-07-31 15:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 15:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 15:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-26 02:34 288,763 ----a-w C:\WINDOWS\system32\Windll32.dll
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:08 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-12 13:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 13:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 13:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-05-30 19:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 19:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 19:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 19:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 19:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 19:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 19:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-26 13:09 47,360 ----a-w C:\Documents and Settings\Wade\Application Data\pcouffin.sys
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2007-02-08 15:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-29_13.19.37.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\8-29-2008\ERDNT.EXE
+ 2008-08-29 23:17:29 4,853,760 ----a-w C:\WINDOWS\ERDNT\8-29-2008\Users\00000001\NTUSER.DAT
+ 2008-08-29 23:17:29 151,552 ----a-w C:\WINDOWS\ERDNT\8-29-2008\Users\00000002\UsrClass.dat
+ 2008-06-10 06:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 06:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 07:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ABIT uGuruIII"="C:\Program Files\ABIT\uGuru\uGuru.exe" [2006-03-23 11:41 417792]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-10-31 11:59 73728]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2006-03-16 03:00 1397760]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-05 03:46 249856]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-05-11 11:47 151552]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-04-24 21:52 385024]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-19 13:26 86016]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"nwiz"="nwiz.exe" [2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-10 18:08 16342528 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Freelancer\\EXE\\Freelancer.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\PokerStars\\PokerStarsUpdate.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\ShotOnline International\\ShotOnline.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3680:TCP"= 3680:TCP:*:Disabled:Ares
"27158:TCP"= 27158:TCP:*:Disabled:BitComet 27158 TCP
"27158:UDP"= 27158:UDP:*:Disabled:BitComet 27158 UDP
"16180:TCP"= 16180:TCP:*:Disabled:BitComet 16180 TCP
"16180:UDP"= 16180:UDP:*:Disabled:BitComet 16180 UDP

R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 13:46]
R2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\system32\DRIVERS\bwcdrv.sys [2003-12-21 03:21]
R2 cvintdrv;cvintdrv;C:\WINDOWS\system32\drivers\cvintdrv.sys [2007-02-21 10:00]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-08-25 15:00]
S3 CBBCM43;BUFFALO WLI-CB-XXX Series Wireless LAN Adapter;C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2005-07-11 00:46]
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 19:49]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 13:35:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-08-30 13:36:03
ComboFix-quarantined-files.txt 2008-08-30 18:35:55
ComboFix2.txt 2008-08-29 22:02:20
ComboFix3.txt 2008-08-29 18:19:49

Pre-Run: 258,919,104,512 bytes free
Post-Run: 258,939,084,800 bytes free

206 --- E O F --- 2008-08-29 12:54:48

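As an added example (not part of the original post, nor ComboFix's own code), a small Python check over the "Reg Loading Points" section of a log like the one above: it flags the Security Center override values and the disabled firewall that appear in this log, and reports GloballyOpenPorts rules only when they are actually enabled. The sample text is a constructed excerpt whose registry values are copied from the posted log.

```python
import re

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log posted above; the registry values are copied from that log.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3680:TCP"= 3680:TCP:*:Disabled:Ares
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_reg_points(text: str) -> dict[str, dict[str, str]]:
    """Group the "name"=value lines of the REGEDIT4 dump under their key path."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in map(str.strip, text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def weakened_protections(keys: dict[str, dict[str, str]]) -> list[str]:
    """Flag settings that silence or switch off the built-in defences."""
    findings = []
    for path, values in keys.items():
        if path.endswith(r"\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name, "").lower() == "dword:00000001":
                    findings.append(f"Security Center: {name} set (alerts suppressed)")
        elif path.endswith(r"\firewallpolicy\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append("Windows Firewall disabled in standard profile")
        elif path.endswith(r"\globallyopenports\list"):
            for rule in values.values():
                # port:proto:scope:state:name; only an enabled rule exposes the port
                parts = rule.split(":", 4)
                if len(parts) == 5 and parts[3].lower() != "disabled":
                    findings.append(f"Globally open port {parts[0]}/{parts[1]} ({parts[4]})")
    return findings
```

Run `weakened_protections(parse_reg_points(SAMPLE_LOG))` to list the findings; on the posted log it reports the two override flags and the disabled firewall, while the Ares port rule is skipped because its state is Disabled.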


#17
Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
How is your PC running?

#18
Q6600isabeast
    Member
  • Topic Starter
  • 10 posts
PC is running as good as ever... though I thought so before we removed the last group of nasties.

I need to make sure this doesn't happen to me again.

Thanks Mike, for all your help. :)

By the way, this is all because I never had automatic updates turned on on this comp. Goes to show you how important they really are.
Would you say that Kaspersky is better in terms of recognizing the viruses than Norton? Norton didn't even know about 3/4 of the stuff that had to be removed.

Edited by Q6600isabeast, 30 August 2008 - 01:34 PM.


#19
Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Your logs look good here :)

Click START then RUN
Now type Combofix /u in the runbox and click OK
Notice the space between the x and / -- That needs to be there.

Now please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.

Make a final check by running a full scan with your antivirus.

MBAM needs to be uninstalled manually if you wish to remove it!



Now that you are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:
  • Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
    Things you can do to avoid downloading bad programs:
    • Google the program. Read reviews and opinions from other people on the internet; if you don't see any reports of foul play, then there more than likely is none.
    • Stay away from Cracks! However luring the thought of free software can be, it's not worth the hassle and potential danger of getting infected.
    • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
    • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
  • Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector.
  • Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
  • Make sure that Windows Update is enabled. Keeping your system up to date is a must; to turn on automatic updates take a look at this article by Microsoft.
I have listed two programs to boost your security while using no resources.
  • SpywareBlaster. Take a look at the tutorial here.
  • ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Also consider using an alternative web browser. Two big-name ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.

#20
Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
I assume from the PM (which was very kind by the way, it's very much appreciated) that everything is OK here :)

So I will mark this thread as resolved.

Take care and have a great day still!

Mike

#21
Mike
    Malware Monger
  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
