MSN infected by image34

[hajar_walker]

Hi, my msn was infected with image34.
I have used combofix to remove the malware.
Can someone help to view my log and check that the malware has been removed properly?

thanks


ComboFix 08-12-04.04 - p0812085 2008-12-06 14:22:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2485 [GMT 8:00]
Running from: c:\documents and settings\p0812085\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\p0812085\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\admintxt.txt
c:\windows\IE4 Error Log.txt
c:\windows\service.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 21:59 . 2008-12-05 21:59 268 --ah----- C:\sqmdata05.sqm
2008-12-05 21:59 . 2008-12-05 21:59 244 --ah----- C:\sqmnoopt05.sqm
2008-11-29 19:55 . 2008-11-29 19:55 <DIR> d-------- c:\program files\Hasbro
2008-11-29 19:55 . 2008-11-29 19:55 <DIR> dr-h----- c:\documents and settings\p0812085\Application Data\SecuROM
2008-11-29 17:39 . 2008-11-30 20:35 <DIR> d-------- c:\documents and settings\p0812085\Application Data\DMCache
2008-11-29 17:12 . 2008-11-29 17:12 <DIR> d-------- c:\documents and settings\p0812085\Application Data\uniblue
2008-11-29 17:11 . 2008-11-29 17:11 <DIR> d-------- c:\program files\Uniblue
2008-11-29 17:08 . 2008-11-29 17:12 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-11-29 17:00 . 2008-11-29 17:09 <DIR> d-------- c:\windows\SxsCaPendDel
2008-11-29 17:00 . 2008-11-29 17:01 <DIR> d-------- C:\8aba3e03b1bf8e440bff8c
2008-11-29 16:48 . 2008-11-29 16:48 <DIR> dr-h----- C:\AHCache
2008-11-28 22:39 . 2008-11-28 22:39 <DIR> d-------- c:\documents and settings\p0812085\Application Data\DAEMON Tools
2008-11-28 22:39 . 2008-11-28 22:39 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2008-11-27 21:58 . 2008-11-27 21:58 <DIR> d--h----- c:\windows\PIF
2008-11-27 21:18 . 2008-11-27 21:18 34 --a------ c:\windows\NPinfotl.INI
2008-11-25 23:14 . 2008-11-25 23:14 <DIR> d--hs---- c:\documents and settings\p0812085\PrivacIE
2008-11-25 20:05 . 2008-11-25 20:06 <DIR> d--h-c--- c:\windows\ie8
2008-11-24 12:29 . 2008-11-24 12:29 <DIR> d-------- C:\spoolerlogs
2008-11-15 18:17 . 2008-11-15 18:17 <DIR> d-------- c:\documents and settings\p0812085\Application Data\Clockwork Rhino
2008-11-15 15:45 . 2008-11-15 15:45 <DIR> d-------- c:\documents and settings\p0812085\Application Data\ViquaSoft
2008-11-15 14:53 . 2008-11-25 23:16 <DIR> d-------- c:\program files\iWin.com
2008-11-15 14:46 . 2008-11-15 14:46 <DIR> d-------- c:\documents and settings\p0812085\Application Data\iWinArcade
2008-11-14 21:35 . 2008-11-14 21:35 <DIR> d-------- c:\program files\GlobFX
2008-11-14 18:51 . 2008-11-25 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\iWin Games
2008-11-14 18:49 . 2008-11-14 18:49 <DIR> d-------- c:\program files\TryMedia
2008-11-14 18:24 . 2008-11-14 18:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fugazo
2008-11-14 11:10 . 2008-11-14 11:10 <DIR> d-------- c:\program files\Justdo Software
2008-11-14 11:10 . 2008-11-14 11:10 <DIR> d-------- c:\program files\Common Files\Justdo
2008-11-14 10:48 . 2008-11-14 10:48 25 --a------ c:\windows\cdplayer.ini
2008-11-14 10:46 . 2008-11-14 10:46 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-09 21:57 . 2008-11-09 21:59 <DIR> d-------- c:\program files\Cradle of Rome
2008-11-09 12:30 . 2008-11-25 23:16 <DIR> d-------- c:\program files\Yahoo! Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 06:10 --------- d-----w c:\program files\Launch Manager
2008-12-05 14:44 --------- d-----w c:\documents and settings\p0812085\Application Data\BitTorrent
2008-12-05 13:58 --------- d-----w c:\program files\Windows Live
2008-12-05 13:54 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-12-05 13:51 --------- d-----w c:\program files\Windows Live Toolbar
2008-11-29 11:55 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-11-26 15:49 --------- d-----w c:\program files\Autodesk Student Community Download Tool
2008-11-25 15:17 --------- d-----w c:\program files\NCH Software
2008-11-25 14:18 --------- d-----w c:\program files\Democracy
2008-11-25 13:50 --------- d-----w c:\documents and settings\p0812085\Application Data\Skype
2008-11-18 07:03 --------- d-----w c:\documents and settings\p0812085\Application Data\DNA
2008-11-18 05:04 --------- d-----w c:\program files\DNA
2008-11-15 10:46 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-14 10:49 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-14 02:46 --------- d-----w c:\program files\Common Files\Real
2008-11-14 02:45 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-14 02:45 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-09 09:20 --------- d-----w c:\program files\SweetIM
2008-11-09 09:20 --------- d-----w c:\program files\Supple
2008-11-09 04:29 --------- d-----w c:\program files\Monopoly Here and Now Edition
2008-10-30 10:48 --------- d-----w c:\program files\EuroTalk
2008-10-30 10:48 --------- d-----w c:\documents and settings\p0812085\Application Data\EuroTalk
2008-10-28 05:09 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-27 12:27 --------- d-----w c:\documents and settings\p0812085\Application Data\Autodesk
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 13:55 --------- d-----w c:\program files\Common Files\Autodesk Shared
2008-10-16 13:47 --------- d-----w c:\program files\Autodesk
2008-10-16 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Autodesk
2008-10-16 12:54 --------- d-----w c:\program files\Apple Software Update
2008-10-16 06:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 06:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 06:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 06:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 06:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 06:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 06:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 06:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 06:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 06:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-13 14:13 --------- d-----w c:\program files\eMachineShop
2008-10-11 13:49 --------- d-----w c:\program files\Virtual Villagers
2008-10-11 06:13 --------- d-----w c:\program files\Virtual Villagers - The Lost Children
2008-10-10 08:20 --------- d-----w c:\documents and settings\p0812085\Application Data\PlayFirst
2008-10-10 08:19 --------- d-----w c:\program files\Pirate Poppers
2008-10-10 07:52 --------- d-----w c:\program files\GameHouse
2008-10-10 07:10 --------- d-----w c:\program files\Cinema Tycoon Gold
2008-10-09 06:14 --------- d-----w c:\documents and settings\p0812085\Application Data\Chicken Chase
2008-10-08 14:43 --------- d-----w c:\program files\SpongeBob SquarePants Bubble Rush!
2008-10-08 14:43 --------- d-----w c:\program files\BFG
2008-10-08 12:01 --------- d-----w c:\program files\Virtual Villagers The Secret City
2008-09-30 08:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-03-19 06:21 6,029,648 ----a-w c:\program files\Firefox Setup 2.0.0.12.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-06-13 850704]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-05-24 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-15 579584]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-16 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MapToPDrive.bat [2006-03-01 34]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-11-12 13:07 342336 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\startupmessage]
--a------ 2008-02-16 11:13 5306 C:\FY08-NB Startup Message v2.htm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SweetIM]
-ra------ 2008-07-06 12:32 111928 c:\program files\SweetIM\Messenger\SweetIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-05-27 21:58 4269296 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Valve\\Condition Zero\\hl.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo! Games\\Yahoo! Ten Pin Championship Bowling\\Yahoo Ten Pin Championship Bowling.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:TCP"= 6346:TCP:shareaza
"6881:TCP"= 6881:TCP:BitTorrent

R0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2008-02-05 39680]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-02-05 58464]
R2 CcmExec;SMS Agent Host;c:\windows\system32\CCM\CcmExec.exe [2006-02-09 578784]
R3 prepdrvr;SMS Process Event Driver;\??\c:\windows\system32\CCM\prepdrv.sys [2006-02-09 20704]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 [2006-12-02 2805000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{668c193f-5ea0-11dd-bed4-001d7221812d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a43ca17c-9f37-11dd-bf42-9828741ed5f2}]
\Shell\AutoRun\command - F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d2e4d1d0-59ef-11dd-becc-001de0632385}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\´ò¿ª\command - service.exe

*Newly Created Service* - ENTDRV51
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
MSConfigStartUp-ZangoOE - c:\program files\Zango\bin\10.3.75.0\OEAddOn.exe
MSConfigStartUp-ZangoSA - c:\program files\Zango\bin\10.3.75.0\ZangoSA.exe
MSConfigStartUp-Windows Service - service.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Save Flash with Flash Catcher - c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
IE: {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm -

c:\windows\Downloaded Program Files\GoPetsWeb.ocx - O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}
hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
c:\windows\Downloaded Program Files\GoPetsWeb.inf
FireFox -: Profile - c:\documents and settings\p0812085\Application Data\Mozilla\Firefox\Profiles\hoiowyul.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.sp.edu.sg
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\NPinfotl.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 14:25:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\EntApi.dll
.
Completion time: 2008-12-06 14:27:05
ComboFix-quarantined-files.txt 2008-12-06 06:27:01

Pre-Run: 52,814,790,656 bytes free
Post-Run: 53,339,049,984 bytes free

249 --- E O F --- 2008-11-26 14:01:03

[sUBs]

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Vista users right click on the Internet Explorer shortcut, and choose Run As Administrator.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs
• Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

[hajar_walker]

hi,
ive tried running my com for the online virus scanner. bt each time half way thru the scan, my com will show this error screen that says that some ati2dvag is the cause. that my com is stuck in some loop.

need some help here.

tnx

[sUBs]

Seen this yet?

http://www.sightsea.com/pghpchd/page...nite_loop.html

[sUBs]

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.