12-05-2008, 11:41 PM   #1
hajar_walker
Registered User
 
Join Date: Dec 2008
Posts: 2
OS: XP Pro SP2


MSN infected by image34

Hi, my MSN was infected with image34.
I have used ComboFix to remove the malware.
Can someone help to view my log and check that the malware has been removed properly?

Thanks


ComboFix 08-12-04.04 - p0812085 2008-12-06 14:22:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2485 [GMT 8:00]
Running from: c:\documents and settings\p0812085\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\p0812085\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\admintxt.txt
c:\windows\IE4 Error Log.txt
c:\windows\service.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 21:59 . 2008-12-05 21:59 268 --ah----- C:\sqmdata05.sqm
2008-12-05 21:59 . 2008-12-05 21:59 244 --ah----- C:\sqmnoopt05.sqm
2008-11-29 19:55 . 2008-11-29 19:55 <DIR> d-------- c:\program files\Hasbro
2008-11-29 19:55 . 2008-11-29 19:55 <DIR> dr-h----- c:\documents and settings\p0812085\Application Data\SecuROM
2008-11-29 17:39 . 2008-11-30 20:35 <DIR> d-------- c:\documents and settings\p0812085\Application Data\DMCache
2008-11-29 17:12 . 2008-11-29 17:12 <DIR> d-------- c:\documents and settings\p0812085\Application Data\uniblue
2008-11-29 17:11 . 2008-11-29 17:11 <DIR> d-------- c:\program files\Uniblue
2008-11-29 17:08 . 2008-11-29 17:12 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-11-29 17:00 . 2008-11-29 17:09 <DIR> d-------- c:\windows\SxsCaPendDel
2008-11-29 17:00 . 2008-11-29 17:01 <DIR> d-------- C:\8aba3e03b1bf8e440bff8c
2008-11-29 16:48 . 2008-11-29 16:48 <DIR> dr-h----- C:\AHCache
2008-11-28 22:39 . 2008-11-28 22:39 <DIR> d-------- c:\documents and settings\p0812085\Application Data\DAEMON Tools
2008-11-28 22:39 . 2008-11-28 22:39 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-27 21:58 . 2008-11-27 21:58 <DIR> d--h----- c:\windows\PIF
2008-11-27 21:18 . 2008-11-27 21:18 34 --a------ c:\windows\NPinfotl.INI
2008-11-25 23:14 . 2008-11-25 23:14 <DIR> d--hs---- c:\documents and settings\p0812085\PrivacIE
2008-11-25 20:05 . 2008-11-25 20:06 <DIR> d--h-c--- c:\windows\ie8
2008-11-24 12:29 . 2008-11-24 12:29 <DIR> d-------- C:\spoolerlogs
2008-11-15 18:17 . 2008-11-15 18:17 <DIR> d-------- c:\documents and settings\p0812085\Application Data\Clockwork Rhino
2008-11-15 15:45 . 2008-11-15 15:45 <DIR> d-------- c:\documents and settings\p0812085\Application Data\ViquaSoft
2008-11-15 14:53 . 2008-11-25 23:16 <DIR> d-------- c:\program files\iWin.com
2008-11-15 14:46 . 2008-11-15 14:46 <DIR> d-------- c:\documents and settings\p0812085\Application Data\iWinArcade
2008-11-14 21:35 . 2008-11-14 21:35 <DIR> d-------- c:\program files\GlobFX
2008-11-14 18:51 . 2008-11-25 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\iWin Games
2008-11-14 18:49 . 2008-11-14 18:49 <DIR> d-------- c:\program files\TryMedia
2008-11-14 18:24 . 2008-11-14 18:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fugazo
2008-11-14 11:10 . 2008-11-14 11:10 <DIR> d-------- c:\program files\Justdo Software
2008-11-14 11:10 . 2008-11-14 11:10 <DIR> d-------- c:\program files\Common Files\Justdo
2008-11-14 10:48 . 2008-11-14 10:48 25 --a------ c:\windows\cdplayer.ini
2008-11-14 10:46 . 2008-11-14 10:46 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-09 21:57 . 2008-11-09 21:59 <DIR> d-------- c:\program files\Cradle of Rome
2008-11-09 12:30 . 2008-11-25 23:16 <DIR> d-------- c:\program files\Yahoo! Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 06:10 --------- d-----w c:\program files\Launch Manager
2008-12-05 14:44 --------- d-----w c:\documents and settings\p0812085\Application Data\BitTorrent
2008-12-05 13:58 --------- d-----w c:\program files\Windows Live
2008-12-05 13:54 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-05 13:51 --------- d-----w c:\program files\Windows Live Toolbar
2008-11-29 11:55 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-26 15:49 --------- d-----w c:\program files\Autodesk Student Community Download Tool
2008-11-25 15:17 --------- d-----w c:\program files\NCH Software
2008-11-25 14:18 --------- d-----w c:\program files\Democracy
2008-11-25 13:50 --------- d-----w c:\documents and settings\p0812085\Application Data\Skype
2008-11-18 07:03 --------- d-----w c:\documents and settings\p0812085\Application Data\DNA
2008-11-18 05:04 --------- d-----w c:\program files\DNA
2008-11-15 10:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 10:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-14 02:46 --------- d-----w c:\program files\Common Files\Real
2008-11-14 02:45 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-14 02:45 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-09 09:20 --------- d-----w c:\program files\SweetIM
2008-11-09 09:20 --------- d-----w c:\program files\Supple
2008-11-09 04:29 --------- d-----w c:\program files\Monopoly Here and Now Edition
2008-10-30 10:48 --------- d-----w c:\program files\EuroTalk
2008-10-30 10:48 --------- d-----w c:\documents and settings\p0812085\Application Data\EuroTalk
2008-10-28 05:09 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-27 12:27 --------- d-----w c:\documents and settings\p0812085\Application Data\Autodesk
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:55 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-16 13:47 --------- d-----w c:\program files\Autodesk
2008-10-16 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-16 12:54 --------- d-----w c:\program files\Apple Software Update
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 06:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 06:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 14:13 --------- d-----w c:\program files\eMachineShop
2008-10-11 13:49 --------- d-----w c:\program files\Virtual Villagers
2008-10-11 06:13 --------- d-----w c:\program files\Virtual Villagers - The Lost Children
2008-10-10 08:20 --------- d-----w c:\documents and settings\p0812085\Application Data\PlayFirst
2008-10-10 08:19 --------- d-----w c:\program files\Pirate Poppers
2008-10-10 07:52 --------- d-----w c:\program files\GameHouse
2008-10-10 07:10 --------- d-----w c:\program files\Cinema Tycoon Gold
2008-10-09 06:14 --------- d-----w c:\documents and settings\p0812085\Application Data\Chicken Chase
2008-10-08 14:43 --------- d-----w c:\program files\SpongeBob SquarePants Bubble Rush!
2008-10-08 14:43 --------- d-----w c:\program files\BFG
2008-10-08 12:01 --------- d-----w c:\program files\Virtual Villagers The Secret City
2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-03-19 06:21 6,029,648 ----a-w c:\program files\Firefox Setup 2.0.0.12.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-13 850704]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-05-24 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MapToPDrive.bat [2006-03-01 34]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-11-12 13:07 342336 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startupmessage]
--a------ 2008-02-16 11:13 5306 C:\FY08-NB Startup Message v2.htm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
-ra------ 2008-07-06 12:32 111928 c:\program files\SweetIM\Messenger\SweetIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-05-27 21:58 4269296 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Valve\\Condition Zero\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo! Games\\Yahoo! Ten Pin Championship Bowling\\Yahoo Ten Pin Championship Bowling.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:shareaza
"6881:TCP"= 6881:TCP:BitTorrent

R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-02-05 39680]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-02-05 58464]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2006-02-09 578784]
R3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2006-02-09 20704]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{668c193f-5ea0-11dd-bed4-001d7221812d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a43ca17c-9f37-11dd-bf42-9828741ed5f2}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2e4d1d0-59ef-11dd-becc-001de0632385}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\打开\command - service.exe

*Newly Created Service* - ENTDRV51
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
MSConfigStartUp-ZangoOE - c:\program files\Zango\bin\10.3.75.0\OEAddOn.exe
MSConfigStartUp-ZangoSA - c:\program files\Zango\bin\10.3.75.0\ZangoSA.exe
MSConfigStartUp-Windows Service - service.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Save Flash with Flash Catcher - c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
IE: {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm -

c:\windows\Downloaded Program Files\GoPetsWeb.ocx - O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}
hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
c:\windows\Downloaded Program Files\GoPetsWeb.inf
FireFox -: Profile - c:\documents and settings\p0812085\Application Data\Mozilla\Firefox\Profiles\hoiowyul.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.sp.edu.sg
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 14:25:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\EntApi.dll
.
Completion time: 2008-12-06 14:27:05
ComboFix-quarantined-files.txt 2008-12-06 06:27:01

Pre-Run: 52,814,790,656 bytes free
Post-Run: 53,339,049,984 bytes free

249 --- E O F --- 2008-11-26 14:01:03
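The parts of this log a helper would look at first are the cached AutoRun handlers under `mountpoints2` (the entry for `{d2e4d1d0-...}` runs `auto.exe` and `service.exe` as bare relative names, which Explorer resolves against the root of whichever drive is mounted under that GUID; the mojibake verb in the log decodes from GBK as 打开, "Open"), the two Security Center `*DisableNotify` values set to 1, and `EnableFirewall`=0 on the standard profile. The script below is an added example, not part of the post and not ComboFix's own code: it parses a ComboFix-style registry dump and flags exactly those conditions. The sample log is constructed from lines of the post above; the severity labels and the "relative target" heuristic are this example's own.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not part of
the forum post or of ComboFix). It reads the registry-dump sections that are
checked first after an autorun-worm cleanup: per-device mountpoints2 AutoRun
commands, Security Center notification switches and the Windows Firewall
standard-profile flag."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, location, message); labels are this example's own

# Constructed excerpt of the posted log (mountpoints2, security center, firewall).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{668c193f-5ea0-11dd-bed4-001d7221812d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2e4d1d0-59ef-11dd-becc-001de0632385}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\打开\command - service.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
MOUNTPOINT_RE = re.compile(r"\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})$", re.I)
SHELL_CMD_RE = re.compile(r"^\\Shell\\(?P<verb>[^\\]+)\\command - (?P<cmd>.+?)\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')
FLAG_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)')
SHELLEXEC_RE = re.compile(r"ShellExec_RunDLL\s+(?P<target>.+)$", re.I)
ROOTED_RE = re.compile(r"^([A-Za-z]:\\|\\\\|%)")  # drive letter, UNC path or env-var root


def launch_target(cmd: str) -> str:
    """Return the first token that actually gets executed, unwrapping the
    'RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <file>' indirection seen in the log."""
    m = SHELLEXEC_RE.search(cmd)
    if m:
        cmd = m.group("target")
    return cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    """Walk the dump line by line, tracking the current registry key, and
    collect findings for the three conditions described in the lead-in."""
    findings: List[Finding] = []
    key = ""   # current key, lower-cased
    guid = ""  # set while inside a mountpoints2\{guid} key
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key").lower()
            mm = MOUNTPOINT_RE.search(key)
            guid = mm.group("guid") if mm else ""
            continue
        if guid:
            sm = SHELL_CMD_RE.match(line)
            if sm:
                verb, cmd = sm.group("verb"), sm.group("cmd")
                target = launch_target(cmd)
                if not ROOTED_RE.match(target):
                    # A bare file name is resolved against the root of the mounted device.
                    findings.append(("high", guid,
                                     f"AutoRun verb '{verb}' runs relative target '{target}' from the device root"))
                if not verb.isascii():
                    findings.append(("medium", guid, f"non-ASCII AutoRun verb '{verb}' (localized menu entry)"))
            continue
        if key.endswith("security center"):
            dm = DWORD_RE.match(line)
            if dm and dm.group("name").lower().endswith("disablenotify") and int(dm.group("val"), 16) == 1:
                findings.append(("medium", key, f"{dm.group('name')} is set: Security Center alerts suppressed"))
            continue
        if key.endswith("firewallpolicy\\standardprofile"):
            fm = FLAG_RE.match(line)
            if fm and fm.group("name") == "EnableFirewall" and fm.group("val") == "0":
                findings.append(("high", key, "Windows Firewall disabled for the standard profile"))
    return findings


if __name__ == "__main__":
    for severity, where, msg in triage(SAMPLE_LOG):
        print(f"[{severity}] {where}: {msg}")
```

The `{668c193f-...}` entry (`F:\LaunchU3.exe`) and the `setupSNK.exe` entry are left unflagged because they point at a drive-rooted path; the heuristic only fires on names that would be executed from whatever media next mounts under that GUID. MountPoints2 entries are cached per device and survive the media being unplugged, so they are a record of what was on a drive at some point, not proof that the files are still present; the deleted `D:\Autorun.inf` and `c:\windows\service.exe` in the "Other Deletions" section are the corroborating evidence here.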