Old 12-09-2007, 11:14 PM   #5 (permalink)
scort
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: XP SP1


Re: PC which infected tena_79's pc

Okay, this is the ComboFix report:

ComboFix 07-12-09.1 - imatera 2007-12-10 1450.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.115 [GMT 8:00]
Running from: C:\Documents and Settings\imatera\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\imatera\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\DOCUME~1\imatera\LOCALS~1\Temp\qmirtpyoB7974D2.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\imatera\LOCALS~1\Temp\qmirtpyoB7974D2.dll
C:\Program Files\prjJtksmERA
C:\Program Files\prjJtksmERA\EXCEL.EXE
C:\Program Files\prjJtksmERA\prjJtksmEra.exe
C:\Program Files\prjJtksmERA\prjJtksmEra1.exe
C:\Program Files\prjJtksmERA\ST6UNST.LOG

.
((((((((((((((((((((((((( Files Created from 2007-11-10 to 2007-12-10 )))))))))))))))))))))))))))))))
.

2007-12-10 10:12 . 2007-12-10 10:12 11,961,740 -----c--- C:\avg7qt.dat
2007-12-06 15:51 . 2007-12-06 15:51 <DIR> d----c--- C:\Program Files\Trend Micro
2007-12-06 15:45 . 2007-12-06 15:45 <DIR> d----c--- C:\Deckard
2007-12-06 14:26 . 2007-12-06 14:26 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-12-06 14:08 . 2007-12-07 08:29 <DIR> d----c--- C:\Program Files\WinClamAVShield
2007-12-06 13:52 . 2007-12-06 13:53 <DIR> d----c--- C:\Program Files\Crawler
2007-12-06 13:52 . 2007-12-07 14:25 <DIR> d----c--- C:\Documents and Settings\imatera\Application Data\Spyware Terminator
2007-12-06 13:52 . 2007-12-07 12:49 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-12-06 13:51 . 2007-12-07 13:52 <DIR> d----c--- C:\Program Files\Spyware Terminator
2007-12-06 10:08 . 2007-12-07 11:38 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-06 10:08 . 2007-12-07 09:51 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-06 10:08 . 2007-12-07 09:51 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-06 10:08 . 2007-12-07 09:51 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-03 10:00 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-03 10:00 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-03 10:00 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-03 10:00 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 02:24 --------- dc----w C:\Documents and Settings\imatera\Application Data\AVG7
2007-12-07 08:58 --------- dc----w C:\Documents and Settings\imatera\Application Data\MySQL
2007-12-07 00:32 --------- dc----w C:\Documents and Settings\All Users\Application Data\Avg7
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 09:20]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-12-06 14:07]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 09:20]

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys

.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2800.1106]
-> C:\DOCUME~1\imatera\LOCALS~1\Temp\qmirtpyoB7974D2.dll
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-10 14:15:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-10 14:19:05 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-10 11:12
C:\ComboFix3.txt ... 2007-12-06 10:01
.
--- E O F ---



And this is the new HijackThis report:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:22:15, on 10/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\Program Files\xampp\mysql\bin\mysqld-max-nt.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.mohr.gov.my:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *mohr.gov.my;10.21*;<local>
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1181109283758
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E29FA32-96ED-4E6B-8B0F-CB069AC13198}: NameServer = 10.21.81.214,10.20.16.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{7E29FA32-96ED-4E6B-8B0F-CB069AC13198}: NameServer = 10.21.81.214,10.20.16.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{7E29FA32-96ED-4E6B-8B0F-CB069AC13198}: NameServer = 10.21.81.214,10.20.16.2
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\Apache.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 4344 bytes