Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Horse PSW online games & Generic etc..

Started by carloshonkauk , Nov 03 2008 03:48 AM

  • Please log in to reply

#1
carloshonkauk
Posted 03 November 2008 - 03:48 AM

carloshonkauk

    New Member

  • Member
  • Pip
  • 1 posts
Hi all.
I'm very new to this so I hope you will all be gentle :)
I've read some topics on Trojan Horses & It seems I have the same problem!
Cant seem to remove them & keep being detected.

Please help!!

Thanks :)


COMBOFIX REPORT LOG :

ComboFix 08-11-02.05 - Carlos 2008-11-03 10:47:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.269 [GMT 0:00]
Running from: c:\documents and settings\Carlos\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Carlos\LOCALS~1\Temp\tmp1.tmp
c:\windows\jestertb.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\xuntxn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 )))))))))))))))))))))))))))))))
.

2008-10-24 05:54 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-21 07:22 . 2008-10-21 07:19 39,164 --a------ C:\Lodgico Logo.pdf
2008-10-15 15:37 . 2008-09-08 10:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-15 15:35 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-15 15:34 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-15 15:34 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-15 15:34 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-15 15:34 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-03 10:57 --------- d-----w c:\documents and settings\Carlos\Application Data\Skype
2008-11-03 10:55 --------- d-----w c:\documents and settings\All Users\Application Data\RetroExp
2008-10-31 13:43 --------- d-----w c:\program files\MioNet
2008-10-16 13:25 --------- d-----w c:\program files\Archicad 6.5
2008-10-16 12:44 --------- d-----w c:\documents and settings\Carlos\Application Data\U3
2008-09-18 09:42 --------- d-----w c:\program files\Common Files\Adobe
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-09-03 13:46 --------- d-----w c:\program files\Paint.NET
2008-03-20 15:18 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-05-25 08:32 252 ----a-w c:\documents and settings\Carlos\Application Data\wklnhst.dat
2007-04-18 07:28 25,755,448 ----a-w c:\program files\wmp11-windowsxp-x86-enu.exe
2007-04-18 09:47 56 --sh--r c:\windows\system32\1F5E94BA2B.sys
2007-08-21 09:28 2,098 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2005-04-15 172032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-29 94208]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-29 77824]
"Persistence"="c:\windows\system32\igfxpers.exe" [2005-06-29 114688]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-13 45056]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-01-20 167936]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-07-20 32768]
"Biomenu"="c:\program files\Protector Suite QL\menusw.exe" [2005-07-25 1073664]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-09-19 352256]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"bgsmsnd.exe"="c:\windows\system32\bgsmsnd.exe" [2007-03-09 161496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-11-27 155648]
"HPWOTOOLBOX"="c:\program files\HP\HP Officejet Pro K850 Series\Toolbox\HPWOTBX.exe" [2006-11-03 352256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TalkAndWrite"="c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe" [2008-02-07 3042816]
"RetroExpress"="c:\progra~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [2007-01-18 9371648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-16 185896]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 c:\windows\system32\ico.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 14:22 63040 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2005-07-25 18:06 39936 c:\windows\system32\fusstub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 16:42 73728 c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli fusstub

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\HP Officejet Pro K550 Series\\Toolbox\\HPWUTBX.exe"=
"c:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\Retrospect.exe"=
"c:\\Program Files\\Retrospect\\Retrospect Express HD 2.0\\retrorun.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Graphisoft\\ArchiCAD 10\\ArchiCAD.exe"=
"c:\\Program Files\\HP\\HP Officejet Pro K850 Series\\Toolbox\\HPWOTBX.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-08-29 97928]
R1 PrivateDisk;PrivateDisk;c:\windows\system32\Drivers\PrivateDiskM.sys [2004-07-06 45627]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [2005-07-25 13440]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [2005-07-25 33024]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2007-04-05 46112]
R2 MioNet;MioNet Service;c:\program files\MioNet\MioNetManager.exe [2006-06-02 139264]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2006-04-14 28933976]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2005-06-10 35968]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2005-07-20 214272]
R3 Wibukey2;Wibukey2;c:\windows\system32\drivers\wibukey2.sys [2006-05-09 17408]
S2 559BBC30;559BBC30;c:\windows\Fonts\E3BD2820.EXE [ ]
S2 Crypto;Crypto;c:\windows\system32\Drivers\Crypto.sys [ ]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\VMC_PBStarter.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c438b70c-ac79-11dc-a0b8-00166fb9eed5}]
\Shell\AutoRun\command - I:\VMC_PBStarter.exe
.
Contents of the 'Scheduled Tasks' folder

2008-05-12 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Carlos.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Mp4 Player - c:\program files\Mp4 Player\Mp4Player.exe
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
HKU-Default-RunOnce-IETI - c:\program files\Skype\Phone\IEPlugin\unins000.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.co.uk/ig?hl=en
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

O16 -: {2A493D5F-8914-4D3E-8BF3-767F281862F4} - hxxp://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
c:\windows\Downloaded Program Files\TraderMediaX.ocx

O16 -: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://www.americangreetings.9874209.com/ultrashim.cab
c:\windows\Downloaded Program Files\install.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-03 10:52:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\ati2evxx.exe
c:\program files\MioNet\jvm\bin\MioNet.exe
c:\program files\Apoint2K\ApntEx.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\progra~1\RETROS~1\RETROS~1.0\retrorun.exe
c:\windows\system32\UStorSrv.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
c:\progra~1\RETROS~1\RETROS~1.0\Retrospect.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-11-03 11:00:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-03 11:00:10

Pre-Run: 14,461,906,944 bytes free
Post-Run: 16,081,735,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

208 --- E O F --- 2008-10-24 06:32:04

Edited by carloshonkauk, 03 November 2008 - 05:13 AM.

  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Forum
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP