Viral Infection!
  #5
    Scan stopped!

    I downloaded and ran ComboFix... everything seems to be going smoothly so far. It restarted my computer while I was away. I have some worries because I didn't have an active internet connection on the computer that is infected [I unplugged it to save the other computers on my network and stop any instructions or files it may be downloading].

    I plugged the network cable back in but I still don't have internet. Gonna try a reboot.

    Explorer has stopped crashing and recrashing and wnzip32 has stopped loading... I think it may have worked!
    I'll append the log to this message as text.


    ComboFix 09-07-03.03 - Admin 07/04/2009 0:27.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.2047.1569 [GMT -4:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Admin\LOCALS~1\Temp\1.wmv
    c:\docume~1\Admin\LOCALS~1\Temp\csrss.exe
    c:\docume~1\Admin\LOCALS~1\Temp\lsass.exe
    c:\docume~1\Admin\LOCALS~1\Temp\services.exe
    c:\docume~1\Admin\LOCALS~1\Temp\svchost.exe
    c:\docume~1\Admin\LOCALS~1\Temp\taskmgr.exe
    c:\docume~1\Admin\LOCALS~1\Temp\winlogon.exe
    c:\documents and settings\Admin\Application Data\wiaserva.log
    c:\documents and settings\Admin\Application Data\wiaservg.log
    c:\documents and settings\All Users\Application Data\15150314
    c:\documents and settings\All Users\Application Data\15150314\15150314
    c:\documents and settings\All Users\Application Data\15150314\15150314.exe
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\recycler\S-1-5-21-0243636035-3055115376-381863306-1556
    c:\recycler\S-1-5-21-2710152531-5817782112-121369617-8295\wnzip32.exe
    C:\test.txt
    c:\windows\010112010146118114.dat
    c:\windows\0101120101464849.dat
    c:\windows\Installer\15b139.msi
    c:\windows\Installer\167bd.msi
    c:\windows\Installer\3670e3.msi
    c:\windows\ld12.exe
    c:\windows\patch.exe
    c:\windows\start.exe
    c:\windows\sysguard.exe
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\avast!Antivirus.exe
    c:\windows\system32\drivers\7248779e.sys
    c:\windows\system32\drivers\a0ef47d7.sys
    c:\windows\system32\drivers\b4f10cb0.sys
    c:\windows\system32\drivers\e19d35ed.sys
    c:\windows\system32\drivers\Xprotector.sys
    c:\windows\system32\iehelper.dll
    c:\windows\system32\msnmssgr.exe
    c:\windows\system32\skinboxer43.dll
    c:\windows\system32\wbem\proquota.exe
    C:\xcrashdump.dat

    ----- BITS: Possible infected sites -----

    hxxp://npepatch.starwarsgalaxies.com:7040
    c:\windows\system32\proquota.exe . . . is missing!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_avast!antivirus
    -------\Legacy_OREANS32
    -------\Legacy_XPROTECTOR
    -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
    -------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
    -------\Service_avast!antivirus
    -------\Service_b4f10cb0
    -------\Service_e19d35ed
    -------\Service_XPROTECTOR


    ((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
    .

    2009-07-04 00:14 . 2009-07-04 00:57 -------- d-----w- C:\VundoFix Backups
    2009-07-03 23:51 . 2009-07-03 23:51 197120 -c--a-w- c:\windows\system32\dllcache\ndis.sys
    2009-07-03 23:11 . 2009-07-03 23:11 -------- d-----w- c:\documents and settings\Admin\Application Data\Malwarebytes
    2009-07-03 23:11 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-03 23:11 . 2009-07-03 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-03 23:11 . 2009-07-03 23:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-07-03 23:11 . 2009-06-17 15:27 18456 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-03 22:50 . 2009-07-03 22:50 -------- d-----w- c:\program files\drv
    2009-07-03 22:49 . 2009-07-03 23:51 -------- d-sh--w- c:\windows\System Volume Information
    2009-06-06 04:30 . 2009-06-06 04:30 10134 ----a-r- c:\documents and settings\Admin\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
    2009-06-06 04:30 . 2008-09-04 18:17 447752 ----a-r- c:\windows\system32\vp6vfw.dll
    2009-06-06 04:30 . 2009-06-06 04:30 -------- d-----w- c:\program files\Microsoft WSE
    2009-06-05 08:26 . 2009-06-13 11:12 -------- d-----w- c:\documents and settings\Admin\Application Data\uTorrent
    2009-06-05 00:00 . 2009-06-05 02:47 -------- d-----w- c:\windows\mssrvc

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-03 23:51 . 2007-10-28 06:40 197120 ----a-w- c:\windows\system32\drivers\ndis.sys
    2009-06-10 23:58 . 2007-12-07 06:27 41 ----a-w- c:\windows\popcinfot.dat
    2009-06-06 04:30 . 2005-08-22 17:03 15808 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-06-06 04:27 . 2005-04-19 02:24 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-06-03 23:34 . 2009-06-03 23:34 -------- d-----w- c:\program files\Trend Micro
    2009-06-03 23:20 . 2009-06-03 23:20 16896 ----a-w- c:\windows\system32\fltlib.dll
    2009-06-03 23:17 . 2009-06-03 23:17 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
    2009-06-03 23:17 . 2009-06-03 23:17 -------- d-----w- c:\program files\Lavasoft
    2009-06-03 23:17 . 2009-06-03 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-05-30 03:16 . 2005-04-21 04:28 -------- d-----w- c:\program files\Common Files\Logitech
    2009-05-26 20:18 . 2009-05-26 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
    2009-05-24 00:43 . 2007-04-05 04:51 -------- d-----w- c:\program files\Toribash-2.4
    2009-05-19 21:59 . 2007-11-16 01:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-05-19 21:58 . 2009-05-19 21:58 -------- d-----w- c:\program files\AGEIA Technologies
    2009-05-16 01:19 . 2008-12-29 20:29 -------- d-----w- c:\documents and settings\Admin\Application Data\U3
    2005-09-28 23:17 . 2005-04-18 23:05 56 --sh--r- c:\windows\system32\D9CD4FB184.sys
    2007-04-26 17:20 . 2005-04-18 23:05 13146 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-08-17 8478720]

    [HKLM\~\startupfolder\C:^Documents and Settings^Admin^Start Menu^Programs^Startup^Sins of a Solar Empire Launcher.lnk]
    path=c:\documents and settings\Admin\Start Menu\Programs\Startup\Sins of a Solar Empire Launcher.lnk
    backup=c:\windows\pss\Sins of a Solar Empire Launcher.lnkStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avast!antivirus"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

    R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [6/18/2007 11:01 AM 11264]
    R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [4/29/2002 3:33 AM 5543]
    S0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/3/2009 7:19 PM 64160]
    S1 LStone;Pinnacle Systems Studio AV/DV Overlay;c:\windows\System32\DRIVERS\lstone2k.sys --> c:\windows\System32\DRIVERS\lstone2k.sys [?]
    S3 lredbooo;lredbooo;\??\c:\docume~1\Admin\LOCALS~1\Temp\lredbooo.sys --> c:\docume~1\Admin\LOCALS~1\Temp\lredbooo.sys [?]
    S3 mbamswissarmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/3/2009 7:11 PM 38160]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
    S3 PRISM_USB;D-Link Air DWL-121 Wireless USB Adapter Driver;c:\windows\system32\drivers\PRISMUSB.sys [4/10/2003 7:43 PM 636416]
    S3 tipinip;tipinip;\??\c:\docume~1\Admin\LOCALS~1\Temp\tipinip.sys --> c:\docume~1\Admin\LOCALS~1\Temp\tipinip.sys [?]
    S3 VNICPKT5;VNICPKT5 Protocol Driver;c:\windows\system32\VNICPKT5.sys [3/19/2008 7:28 PM 16066]
    S3 XDva189;XDva189;\??\c:\windows\System32\XDva189.sys --> c:\windows\System32\XDva189.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    drv REG_MULTI_SZ drv
    .
    .
    ------- Supplementary Scan -------
    .
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\olq5svxk.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.ctrlaltdel-online.com/
    FF - plugin: c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\olq5svxk.default\extensions\[email protected]\plugins\npiaplayer.dll
    FF - plugin: c:\importants\Acrobat\Reader\browser\nppdf32.dll
    FF - plugin: c:\importants\Firefox\plugins\NPAdbESD.dll
    FF - plugin: c:\importants\Quicktime\Plugins\npqtplugin.dll
    FF - plugin: c:\importants\Quicktime\Plugins\npqtplugin2.dll
    FF - plugin: c:\importants\Quicktime\Plugins\npqtplugin3.dll
    FF - plugin: c:\importants\Quicktime\Plugins\npqtplugin4.dll
    FF - plugin: c:\importants\Quicktime\Plugins\npqtplugin5.dll
    FF - plugin: c:\importants\Quicktime\Plugins\npqtplugin6.dll
    FF - plugin: c:\importants\Quicktime\Plugins\npqtplugin7.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: capability.policy.policynames - localfilelinks);
    user_pref(capability.policy.localfilelinks.sites, hxxp://www.meneda.com:37337);
    user_pref(capability.policy.localfilelinks.checkloaduri.enabled, allAccess
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-04 00:33
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1645522239-1060284298-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:83,b8,d8,19,c1,c7,86,68,6e,7b,13,cb,18,1a,45,a8,57,c6,02,82,58,44,a6,
    26,65,cc,0e,5b,f8,52,d0,43,f6,18,fc,f3,41,e9,f8,f8,e9,63,2f,26,cc,c7,86,a2,\
    "??"=hex:83,14,61,ee,99,95,dc,c3,83,d9,49,0e,31,5f,3e,d8

    [HKEY_USERS\S-1-5-21-1645522239-1060284298-725345543-1003\Software\SecuROM\License information*]
    "datasecu"=hex:c9,54,3b,7b,58,26,f3,19,a7,56,83,19,a2,d9,74,f1,8a,66,dc,34,5b,
    1e,1e,ec,bc,ed,f6,e4,a9,30,93,f8,57,d5,79,b9,85,35,af,fd,2e,f9,04,dc,ea,84,\
    "rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(928)
    c:\windows\System32\ODBC32.dll

    - - - - - - - > 'lsass.exe'(988)
    c:\windows\System32\dssenh.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\CTSVCCDA.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Internet Explorer\iexplore.exe
    c:\windows\system32\avast!Antivirus.exe

    ^- note from me: avast! seemed to be part of the virus. It's still running now but I don't see any adverse effects...
    .
    **************************************************************************
    .
    Completion time: 2009-07-04 0:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-04 04:37

    Pre-Run: 15,113,605,120 bytes free
    Post-Run: 19,337,187,328 bytes free

    Current=5 Default=5 Failed=1 LastKnownGood=6 Sets=1,2,3,4,5,6
    Last edited by Magelan; July 4th, 2009 at 12:47 AM.
    All Your Base Are Belong To Us

    /* this is my desktop, currently not in use.
    Windows XP
    ASRock AGP/PCIE Motherboard.
    Intel E4400 Processor, 2 GHz, Core2 Duo
    Geforce 7800 GS CO 256mb AGP
    Corsair 2gb DDR2 PC5400? 2 sticks
    ULTRA X2 750W Modular Power Supply


    [C] 127 GB Drive, currently 22GB free. Main Windows
    [E] 127 GB Drive, currently 9GB Free. Backup Windows
    [F] 250 GB SATA Drive. Storage
    */
