Thread: "Spyware detected" popup - NT19F32.exe
View Single Post
Old 05-12-2008, 05:57 PM   #6 (permalink)
hellfire
Registered User
 
Join Date: May 2008
Posts: 9
OS: XP


Re: "Spyware detected" popup - NT19F32.exe
Okay that's done. I closed my anti-virus programs etc., but they reopened when the system rebooted and the log was being produced, hopefully that doesn't matter?

Here is the combofix log, I'll just attach the hijackthis log.
_____________


ComboFix 08-05-12.1 - User 2008-05-13 10:44:03.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.591 [GMT 10:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\basepcn32.dll
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\drivers\ctfmun.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Schedule
-------\Service_Schedule


((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 22:12 . 2008-05-12 22:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-12 22:12 . 2008-05-12 22:12 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-09 16:17 . 2008-05-09 16:17 <DIR> d-------- C:\Deckard
2008-05-09 15:41 . 2008-05-09 15:41 <DIR> d-------- C:\ie-spyad_zo
2008-05-09 15:35 . 2008-05-09 15:36 <DIR> d-------- C:\Program Files\Panda Security
2008-05-09 15:35 . 2008-05-09 15:35 1,823 --a------ C:\WINDOWS\mozver.dat
2008-05-09 14:50 . 2008-05-09 14:50 269,334 --a------ C:\WINDOWS\system32\ctfmonb.bmp
2008-05-09 14:50 . 2008-05-09 14:50 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-04-22 22:19 . 2008-04-22 22:19 <DIR> d-------- C:\Program Files\DirectVobSub
2008-04-18 19:39 . 2008-04-21 09:59 4,367 --a------ C:\WINDOWS\system32\rhs.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 00:48 --------- d-----w C:\Program Files\lg_fwupdate
2008-05-13 00:23 --------- d-----w C:\Documents and Settings\User\Application Data\AVG7
2008-05-08 00:12 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-05-08 00:00 --------- d-----w C:\Program Files\eMule
2008-03-30 23:49 --------- d-----w C:\Documents and Settings\User\Application Data\TVU Networks
2008-03-30 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU Networks
2008-03-10 12:24 16,752 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 04:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-02-28 12:00 4,096 --sha-w C:\WINDOWS\system32\sdfgkdfbg.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 10:34 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X Configure"="C:\WINDOWS\system32\JMRaidTool.exe" [2006-06-02 18:45 385024]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 00:07 8491008]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-04-05 22:20 249856]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-19 10:43 579584]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20 866584]
"AceGain LiveUpdate"="C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe" [ ]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 00:07 81920]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 22:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 10:41 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 12:45 36040]
"Firewall auto setup"="C:\WINDOWS\TEMP\winlogon.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\droute]
droute.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk
backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gainward]
--a------ 2006-09-13 09:10 2154496 C:\Program Files\XpertVision\TBPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 02:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RaidTool]
-ra------ 2005-11-23 12:12 1060864 C:\Program Files\VIA\RAID\raid_tool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-11-02 19:24 32768 C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
-r------- 2006-06-01 18:48 16208384 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
-r------- 2006-05-16 20:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gearsec"=2 (0x2)
"BthServ"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Documents and Settings\\User\\Desktop\\other ****\\utorrent\\utorrent.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield Vietnam\\bfvietnam.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys [2007-07-20 06:20]
S3 w900bus;Sony Ericsson 900i driver (WDM);C:\WINDOWS\system32\DRIVERS\w900bus.sys [2005-09-27 20:52]
S4 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2003-12-02 07:49]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Nvsetup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 00:51:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 10:48:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-13 10:52:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-13 00:51:51

Pre-Run: 192,687,624,192 bytes free
Post-Run: 192,722,952,192 bytes free

149 --- E O F --- 2008-05-09 05:00:29
Attached Files
File Type: txt main2.txt (13.6 KB, 1 views)
hellfire is offline