Tech Support Forum - View Single Post

ikevin · 12-06-2008, 12:52 AM

Hi,

Here is the ComboFix.txt log:

ComboFix 08-12-05.02 - Billy Ngo 2008-12-05 23:48:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1605 [GMT -8:00]
Running from: c:\documents and settings\Billy Ngo\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Billy Ngo\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jwedsfdo0.dll
c:\windows\system32\jwedsfdo1.dll
c:\windows\system32\kxvo0.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-02 21:23 . 2008-12-02 21:23 250 --a------ c:\windows\gmer.ini
2008-12-01 22:44 . 2008-12-01 22:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-01 22:44 . 2008-12-01 22:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-01 22:40 . 2008-12-01 22:40 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-01 22:39 . 2008-12-01 22:40 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-01 21:41 . 2008-12-01 21:41 <DIR> d-------- c:\documents and settings\Administrator
2008-11-22 00:09 . 2008-11-22 00:09 <DIR> d-------- c:\documents and settings\Guest\Application Data\CyberLink
2008-11-22 00:08 . 2008-11-22 00:08 <DIR> d-------- c:\documents and settings\Guest\Application Data\Windows Desktop Search
2008-11-22 00:08 . 2008-11-22 00:08 <DIR> d-------- c:\documents and settings\Guest
2008-11-20 00:07 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 06:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-10-24 23:58 --------- d-----w c:\program files\HuyBien
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 20:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-08-29 07:10 76 --sh--r c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ong Do.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ong Do.lnk
backup=c:\windows\pss\Ong Do.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VNI Tan Ky for Win32.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VNI Tan Ky for Win32.lnk
backup=c:\windows\pss\VNI Tan Ky for Win32.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager]
--------- 2007-07-27 15:43 118784 c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe]
--a------ 2007-05-09 16:01 36864 c:\windows\OEM02Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
--------- 2007-12-14 10:36 50472 c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-09-05 16:13 137752 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
--------- 2008-03-20 19:23 83240 c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\CyberLink\PowerDVD8\000.fcl [2008-05-15 11:07:00 61424]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-06-10 468224]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-08-28 105984]
R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;\??\c:\windows\system32\Drivers\OEM02Afx.sys [2007-06-07 141376]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 7424]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a5be3e6-7af6-11dd-b0d5-0022695c1e25}]
\Shell\AutoRun\command - D:\SETUP.EXE
\Shell\configure\command - D:\SETUP.EXE
\Shell\install\command - D:\SETUP.EXE

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.suprememastertv.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Billy Ngo\Application Data\Mozilla\Firefox\Profiles\k68g820h.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 23:49:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
Completion time: 2008-12-05 23:50:27
ComboFix-quarantined-files.txt 2008-12-06 07:50:14

Pre-Run: 237,121,642,496 bytes free
Post-Run: 238,132,076,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

131 --- E O F --- 2008-12-03 07:11:46

Thanks :)

12-06-2008, 12:52 AM	#3 (permalink)
ikevin Registered User Join Date: Dec 2008 Posts: 6 OS: Windows XP SP3	Re: autorun.inf trojan Hi, Here is the ComboFix.txt log: ComboFix 08-12-05.02 - Billy Ngo 2008-12-05 23:48:37.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1605 [GMT -8:00] Running from: c:\documents and settings\Billy Ngo\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Billy Ngo\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\jwedsfdo0.dll c:\windows\system32\jwedsfdo1.dll c:\windows\system32\kxvo0.dll . ((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 ))))))))))))))))))))))))))))))) . 2008-12-02 21:23 . 2008-12-02 21:23 250 --a------ c:\windows\gmer.ini 2008-12-01 22:44 . 2008-12-01 22:57 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-12-01 22:44 . 2008-12-01 22:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-12-01 22:40 . 2008-12-01 22:40 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP 2008-12-01 22:39 . 2008-12-01 22:40 <DIR> d-------- c:\program files\SpywareBlaster 2008-12-01 21:41 . 2008-12-01 21:41 <DIR> d-------- c:\documents and settings\Administrator 2008-11-22 00:09 . 2008-11-22 00:09 <DIR> d-------- c:\documents and settings\Guest\Application Data\CyberLink 2008-11-22 00:08 . 2008-11-22 00:08 <DIR> d-------- c:\documents and settings\Guest\Application Data\Windows Desktop Search 2008-11-22 00:08 . 2008-11-22 00:08 <DIR> d-------- c:\documents and settings\Guest 2008-11-20 00:07 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-03 06:13 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater 2008-10-24 23:58 --------- d-----w c:\program files\HuyBien 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-22 20:29 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll 2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll 2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll 2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll 2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll 2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe 2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll 2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll 2008-08-29 07:10 76 --sh--r c:\windows\CT4CET.bin . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-29 39408] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-05 141848] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-05 166424] "Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-10-25 167936] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168] "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ong Do.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ong Do.lnk backup=c:\windows\pss\Ong Do.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VNI Tan Ky for Win32.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VNI Tan Ky for Win32.lnk backup=c:\windows\pss\VNI Tan Ky for Win32.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DELL Webcam Manager] --------- 2007-07-27 15:43 118784 c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OEM02Mon.exe] --a------ 2007-05-09 16:01 36864 c:\windows\OEM02Mon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut] --------- 2007-12-14 10:36 50472 c:\program files\CyberLink\PowerDVD8\Language\Language.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence] --a------ 2007-09-05 16:13 137752 c:\windows\system32\igfxpers.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8] --------- 2008-03-20 19:23 83240 c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312] R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\CyberLink\PowerDVD8\000.fcl [2008-05-15 11:07:00 61424] R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-06-10 468224] R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-08-28 105984] R3 OEM02Afx;Provides a software interface to control audio effects of OEM002 camera.;\??\c:\windows\system32\Drivers\OEM02Afx.sys [2007-06-07 141376] R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 235648] R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 7424] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4a5be3e6-7af6-11dd-b0d5-0022695c1e25}] \Shell\AutoRun\command - D:\SETUP.EXE \Shell\configure\command - D:\SETUP.EXE \Shell\install\command - D:\SETUP.EXE Newly Created Service - PROCEXP90 . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.suprememastertv.com/ uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 FireFox -: Profile - c:\documents and settings\Billy Ngo\Application Data\Mozilla\Firefox\Profiles\k68g820h.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-05 23:49:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ [HKEY_LOCAL_MACHINE\system\ControlSet002\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl" . Completion time: 2008-12-05 23:50:27 ComboFix-quarantined-files.txt 2008-12-06 07:50:14 Pre-Run: 237,121,642,496 bytes free Post-Run: 238,132,076,544 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 131 --- E O F --- 2008-12-03 07:11:46 Thanks :)