K, I did that, but I wasn't asked to submit anything. Here is the log.
As for AVG, the problem seems to be that when I update AVG it then shows as being in error until I restart the computer and let the updates take effect. Perhaps at some point I clicked to no longer prompt for a restart after updating. Adaware, however, still won't update. It says "error retrieving updates", but I guess that could be my Ethernet switch configuration or Windows Firewall or anything really.
A good alternative to AVG would be great, especially something that doesn't take over my whole computer.
ComboFix 08-12-07.04 - Administrator 2008-12-09 7:39:20.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.529 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\virus\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\virus\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.
2008-12-04 00:37 . 2008-12-08 18:03 250 --a------ c:\windows\gmer.ini
2008-12-03 19:33 . 2008-12-04 04:13 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-12-03 19:33 . 2008-06-13 05:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2008-12-03 19:33 . 2008-06-13 05:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-03 18:05 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 16:01 . 2007-10-27 20:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-11-27 17:56 . 2008-11-27 17:56 <DIR> d-------- c:\program files\uTorrent
2008-11-27 17:56 . 2008-12-08 21:17 <DIR> d-------- c:\documents and settings\Administrator\Application Data\uTorrent
2008-11-24 00:13 . 2008-11-24 00:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Move Networks
2008-11-22 00:58 . 2008-12-08 03:15 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-22 00:58 . 2008-11-22 00:58 1,409 --a------ c:\windows\QTFont.for
2008-11-21 01:03 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\MSBuild
2008-11-21 00:57 . 2008-11-21 00:57 <DIR> d-------- c:\program files\Microsoft Works
2008-11-21 00:52 . 2008-11-21 00:52 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-11-21 00:51 . 2008-11-21 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-21 00:50 . 2008-11-21 00:50 <DIR> dr-h----- C:\MSOCache
2008-11-15 19:45 . 2008-11-15 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\TVU Networks
2008-11-12 18:23 . 2008-11-12 19:50 <DIR> d-------- C:\New Folder
2008-11-10 23:21 . 2008-11-12 09:45 45,016,576 --a------ C:\120.-.Oil.Painting.avi
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 15:29 --------- d-----w c:\program files\MetFileRegenerator
2008-12-09 13:52 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-09 02:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-08 19:21 --------- d-----w c:\program files\eMule
2008-12-08 16:00 --------- d-----w c:\documents and settings\Administrator\Application Data\AVG7
2008-11-23 11:15 --------- d-----w c:\program files\DynDNS Updater
2008-11-22 23:56 --------- d-----w c:\documents and settings\Administrator\Application Data\dvdcss
2008-11-07 08:00 --------- d-----w c:\program files\Perfect Privacy SSH Client
2008-11-07 00:08 --------- d-----w c:\program files\Eraser
2008-11-02 17:17 --------- d-----w c:\program files\DC++
2008-11-02 05:58 --------- d-----w c:\program files\OpenVPN
2008-10-30 20:50 --------- d-----w c:\documents and settings\Administrator\Application Data\QQ
2008-10-30 20:47 --------- d-----w c:\program files\Tencent
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2007-11-27 02:54 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-04-29 08:20 92,064 ----a-w c:\documents and settings\Administrator\mqdmmdm.sys
2007-04-29 08:20 9,232 ----a-w c:\documents and settings\Administrator\mqdmmdfl.sys
2007-04-29 08:20 79,328 ----a-w c:\documents and settings\Administrator\mqdmserd.sys
2007-04-29 08:20 66,656 ----a-w c:\documents and settings\Administrator\mqdmbus.sys
2007-04-29 08:20 6,208 ----a-w c:\documents and settings\Administrator\mqdmcmnt.sys
2007-04-29 08:20 5,936 ----a-w c:\documents and settings\Administrator\mqdmwhnt.sys
2007-04-29 08:20 4,048 ----a-w c:\documents and settings\Administrator\mqdmcr.sys
2007-04-29 08:20 25,600 ----a-w c:\documents and settings\Administrator\usbsermptxp.sys
2007-04-29 08:20 22,768 ----a-w c:\documents and settings\Administrator\usbsermpt.sys
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.
((((((((((((((((((((((((((((( snapshot_2008-12-08_18.11.17.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-24 1372160]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-13 1397760]
"AVG7_CC"="c:\progra~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-10-30 590848]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2007-12-11 307200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"openvpn-gui"="c:\program files\OpenVPN\bin\openvpn-gui.exe" [2005-08-18 99328]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 c:\windows\system32\HdAShCut.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-27 219136]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
PartMetBackup.lnk - c:\program files\Java\jre1.5.0_10\bin\javaw.exe [2006-12-18 53346]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-12-15 389120]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"c:\\Program Files\\Edonkey Lite 1.4.3.2\\edonkey2000.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Curious Labs\\Poser 6\\Poser.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\e frontier\\Poser 7\\Poser.exe"=
"c:\\dc\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Tencent\\QQ\\QQ.exe"=
"c:\\Program Files\\Autodesk\\3ds Max 9\\3dsmax.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"c:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"c:\\Program Files\\e-on software\\Vue 6 xStream\\Application\\Vue 6 xStream.eon"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Motorola\\UID Extraction Tool 2.2\\UIDExtraction.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FTPVoyager.exe"=
"c:\\Program Files\\RhinoSoft.com\\FTP Voyager\\FVScheduler.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\stuff\\Mirc\\mirc.exe"=
"c:\\Program Files\\Electronic Arts\\Medal of Honor Airborne\\UnrealEngine3\\Binaries\\MOHA.exe"=
"c:\\stuff\\PI\\pi232.1146921652.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8681:TCP"= 8681:TCP:WWW
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\DRIVERS\cledx.sys [2007-06-09 33792]
R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-04-30 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-04-30 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-04-30 40832]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 npkycryp;npkycryp;\??\c:\program files\Tencent\QQ\npkycryp.sys []
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\DRIVERS\SaiHFF0C.sys [2004-06-11 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\DRIVERS\SaiUFF0C.sys [2004-06-11 19584]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\SETUP.EXE
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder
2008-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = localhost:8020
uInternet Settings,ProxyOverride = *.local
IE: Add to QQ Customized Panel - c:\program files\Tencent\QQ\AddPanel.htm
IE: Add to QQ Emotions - c:\program files\Tencent\QQ\AddEmotion.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send picture by MMS - c:\program files\Tencent\QQ\SendMMS.htm
IE: Upload to QQ Network Hard Disk - c:\program files\Tencent\QQ\AddToNetDisk.htm
FireFox -: Profile - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\p5yuydfw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE -
www.google.com
FF -: plugin - c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF -: plugin - c:\program files\Adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-09 07:41:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-09 7:42:33
ComboFix-quarantined-files.txt 2008-12-09 15:42:30
ComboFix2.txt 2008-12-09 15:35:44
ComboFix3.txt 2008-12-09 02:25:36
ComboFix4.txt 2008-12-09 02:12:03
ComboFix5.txt 2008-12-09 15:38:45
Pre-Run: 136,717,832,192 bytes free
Post-Run: 136,705,081,344 bytes free
209 --- E O F --- 2008-12-09 01:34:17