ComboFix 08-01-23.2 - Owner 2008-01-25 1:10:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1047 [GMT 8:00]
Running from: C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner.ADMIN-CDB184AE0\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\wmilibb.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\wmilibb.sys
.
---- Previous Run -------
.
C:\WINDOWS\system32\internet.exe
C:\WINDOWS\system32\update.exe
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_WMILIBB
-------\wmilibb
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.
2008-01-25 00:44 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-25 00:44 . 2007-05-12 06:29 281 --a------ C:\Boot.bak
2008-01-24 00:41 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 16:37 . 2008-01-22 16:37 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-14 21:23 . 2008-01-14 21:23 <DIR> d-------- C:\Deckard
2008-01-14 17:47 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-14 17:28 . 2008-01-14 18:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-14 17:28 . 2008-01-14 17:28 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-14 17:28 . 2008-01-14 17:28 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-14 17:28 . 2008-01-14 17:28 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-13 16:44 . 2008-01-13 16:44 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-01-12 13:10 . 2008-01-12 13:10 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-22 08:38 --------- d-----w C:\Program Files\Lavasoft
2008-01-14 10:40 --------- d-----w C:\Program Files\PowerISO
2008-01-14 10:39 --------- d-----w C:\Program Files\MSN Messenger
2008-01-14 10:39 --------- d-----w C:\Program Files\MagicISO
2008-01-14 10:37 --------- d-----w C:\Program Files\iTunes
2008-01-14 10:27 --------- d-----w C:\Program Files\Bonjour
2008-01-13 08:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-13 08:44 --------- d-----w C:\Program Files\Macromedia
2008-01-03 18:21 --------- d-----w C:\Program Files\New Folder
2007-12-17 16:04 --------- d-----w C:\Program Files\VideoLAN
2007-12-14 03:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-11-29 06:20 --------- d-----w C:\Program Files\LimeWire
2007-11-27 12:56 --------- d-----w C:\Program Files\BitComet
2007-11-20 13:10 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-11-07 09:50 727,040 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 09:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
2006-04-20 16:39 1,568,211 ----a-w C:\Program Files\war3.exe
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-24_ 0.49.52.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-23 16:42:16 159,744 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 17:10:24 159,744 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-23 16:42:16 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 17:10:24 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-23 16:42:16 163,840 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 17:10:24 163,840 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-23 16:42:16 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 17:10:24 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-23 16:42:16 6,565,888 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 17:10:24 6,565,888 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-23 16:42:17 372,736 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 17:10:24 372,736 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-31 00:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-07 10:32 23395368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2006-10-16 02:49 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-06-14 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2005-06-14 20:00 455168]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-12 21:10 335872]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [2001-12-26 02:00 191488]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 17:56 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" [2001-11-29 01:00 28672]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"AME_CSA"="amecsa.cpl" [2003-01-30 11:46 757760 C:\WINDOWS\system32\AmeCSA.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55 267064]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-12 13:09 579072]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 13:10 219136]
R3 AmeAtmPc;AmeAtmPc;C:\WINDOWS\system32\DRIVERS\AmeAtmPc.sys [2002-10-28 12:17]
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2005-06-14 20:00]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2005-06-14 20:00]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;C:\WINDOWS\system32\ZDBRGSYS.SYS []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\Setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{10782efe-6793-11dc-9d5c-00c0a8a3a3b3}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 05:37:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-01-25 01:14:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
The pop-ups are gone! But I'm not sure if I'm free of the trojans. :(