#1
Registered User
Join Date: Jan 2008
Posts: 20
OS: XP
trojan removal help.
Hello and thank you once again for your help here at techsupportforums. I seem to have gotten some kind of trojan on my computer that changes registry entries at startup and just hogs system memory. Please help me fix this issue; thank you in advance.
```text
DDS (Ver_09-02-01.01) - NTFSx86
Run by John at 10:28:24.59 on 23/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1425 [GMT -5:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\werkptxd.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\doit.exe.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.atcomet.com/b/
uInternet Settings,ProxyOverride = localhost;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: autorunsdisabled - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
mRun: [10629] C:\werkptxd.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\6y15xtgs.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\john\application data\mozilla\firefox\profiles\6y15xtgs.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll

============= SERVICES / DRIVERS ===============

R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-2-22 12552]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-22 325128]
R1 avgmfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-22 27656]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-22 107272]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-22 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-22 298264]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-22 38496]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-21 44928]

=============== Created Last 30 ================

2009-02-23 10:03 19,456 a------- C:\lsass.exe
2009-02-23 02:49 5,517,160 a------- C:\bitcomet_setup.exe
2009-02-23 02:39 598,016 a------- c:\windows\system32\OOD2KCRS.dll
2009-02-23 02:39 238,080 a------- c:\windows\system32\OOD2000.exe
2009-02-23 02:39 29,272 a------- c:\windows\system32\OOD2KBS.exe
2009-02-23 02:39 24,576 a------- c:\windows\system32\OODCSPRO.dll
2009-02-23 02:39 16,384 a------- c:\windows\system32\ood2kmsg.dll
2009-02-23 02:39 <DIR> --d----- c:\program files\OOD2KFRE
2009-02-23 02:37 2,178,933 a------- C:\defraglite.exe
2009-02-22 20:00 <DIR> --d----- C:\MGtools
2009-02-22 18:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-22 18:36 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-22 18:36 <DIR> --d----- c:\docume~1\john\applic~1\SUPERAntiSpyware.com
2009-02-22 18:29 3,171,208 a------- C:\ccsetup216.exe
2009-02-22 18:28 1,337,489 a------- C:\MGtools.exe
2009-02-22 18:12 161,792 a------- c:\windows\SWREG.exe
2009-02-22 18:12 98,816 a------- c:\windows\sed.exe
2009-02-22 18:12 <DIR> --d----- C:\Combo.exe
2009-02-22 17:35 <DIR> --d----- c:\docume~1\john\applic~1\Malwarebytes
2009-02-22 17:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-22 17:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 17:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-22 16:04 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-22 15:47 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-22 15:47 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-02-22 15:47 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-22 15:47 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-22 15:47 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-22 15:47 <DIR> --d----- c:\docume~1\john\applic~1\AVGTOOLBAR
2009-02-22 15:46 <DIR> --d----- c:\program files\AVG
2009-02-22 15:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-21 20:27 100,590 a------- c:\windows\system32\drivers\363db3d2.sys
2009-02-21 20:27 8,704 a------- C:\xmkuydg.exe
2009-02-21 20:27 2 a------- C:\1412995468
2009-02-21 20:27 19,456 a------- C:\werkptxd.exe
2009-02-21 12:43 168,448 a------- c:\windows\system32\unrar.dll
2009-02-21 05:28 <DIR> --d----- C:\Downloads
2009-02-03 17:55 23,392 a------- c:\windows\system32\nscompat.tlb
2009-02-03 17:55 16,832 a------- c:\windows\system32\amcompat.tlb
2009-02-03 16:31 <DIR> --d----- c:\docume~1\john\applic~1\Uniblue
2009-01-30 16:03 <DIR> --d----- c:\program files\iPod
2009-01-30 16:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-30 16:02 <DIR> --d----- c:\program files\Bonjour
2009-01-28 19:39 <DIR> --d----- c:\windows\NV19164100.TMP
2009-01-28 18:59 <DIR> --d----- c:\docume~1\john\applic~1\Acreon

==================== Find3M ====================

2009-01-07 11:28 453,152 ac------ c:\windows\system32\NVUNINST.EXE
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-10 09:45 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-04 09:28 24,344 a------- c:\windows\system32\PhysXDevice.dll
2008-11-26 08:55 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-06-19 15:42 22,328 a------- c:\docume~1\john\applic~1\PnkBstrK.sys
2008-08-19 14:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 10:28:48.53 ===============
```

OK, I did a malware scan and got these 2 programs showing up: Trojan.Agent and Heuristics.reserved.word.exploit. Also my internet connectivity has decreased significantly; pages are loading really slow. I have these 3 exe files in my C:\ folder, werkptxd.exe, xmkuydg.exe, and lsass.exe, that I think are causing some trouble; I can't delete them.

Last edited by amateur; 02-24-2009 at 03:17 AM. Reason: two posts merged to retain 0-reply status
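A triage pass over DDS-style log lines like the ones posted above, as an added example that is not part of the thread or of the DDS tool: it flags autorun entries launched from the drive root or keyed by a bare number, a core system binary's name appearing outside system32, and a zero-byte driver. The sample lines are constructed to mirror the DDS format, and the rule set is this example's own assumption, not the forum's procedure.

```python
"""Triage helper for DDS-style log lines (added example, not the forum's tool).

Rules (assumptions of this example, not DDS's own logic):
  * uRun/mRun/dRun entry whose command runs from the drive root
  * uRun/mRun/dRun entry whose key name is a bare number
  * a core Windows binary's name created outside %SystemRoot%\\system32
  * a new .exe created in the drive root
  * a driver reported with a size of 0 bytes
"""
import re

# Constructed sample mirroring the format of the DDS output in the thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [10629] C:\werkptxd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-22 325128]
S1 363db3d2;363db3d2;c:\windows\system32\drivers\363db3d2.sys [2009-2-21 0]
2009-02-23 10:03 19,456 a------- C:\lsass.exe
2009-02-21 20:27 8,704 a------- C:\xmkuydg.exe
2009-02-22 15:47 <DIR> --d----- c:\program files\AVG
2009-02-22 15:47 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
"""

# Core Windows binaries that legitimately live only under %SystemRoot%\system32.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "svchost.exe", "spoolsv.exe"}

# "mRun: [key] command"
RUN_RE = re.compile(r"^[umd]Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
# "R1 service;description;path [yyyy-m-d size]"
DRIVER_RE = re.compile(
    r"^[RS]\d (?P<svc>[^;]+);[^;]*;(?P<path>.+?) \[[\d-]+ (?P<size>\d+)\]$")
# "yyyy-mm-dd hh:mm size attrs path"  (Created Last 30 / Find3M sections)
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+|<DIR>) \S+ (?P<path>.+)$")
# First drive-letter path ending in a binary extension inside a command line.
PATH_RE = re.compile(
    r'"?(?P<p>[A-Za-z]:\\[^",]*?\.(?:exe|dll|scr|sys|com))', re.IGNORECASE)


def in_drive_root(path):
    """True for paths like C:\\werkptxd.exe (no directory below the drive root)."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None


def triage(log_text):
    """Return a sorted list of (rule, path) findings for a DDS-style log."""
    findings = set()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            pm = PATH_RE.search(m["cmd"])
            path = pm["p"] if pm else m["cmd"]
            if m["key"].isdigit():
                findings.add(("numeric autorun key", path))
            if in_drive_root(path):
                findings.add(("autorun from drive root", path))
        elif m := DRIVER_RE.match(line):
            if int(m["size"]) == 0:
                findings.add(("zero-byte driver", m["path"]))
        elif m := CREATED_RE.match(line):
            if m["size"] == "<DIR>":
                continue
            path = m["path"]
            name = path.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
                findings.add(("system binary name outside system32", path))
            if in_drive_root(path) and name.endswith(".exe"):
                findings.add(("new executable in drive root", path))
    return sorted(findings)


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_LOG):
        print(f"{rule:40s} {path}")
```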
#2
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista
Re: trojan removal help.
Hello stellaris,
If you still require assistance, please run a new scan with dds and post a fresh dds.txt. I'd also like to see the log produced by ComboFix. You'll find it located at C:\ComboFix.txt.
#3
Registered User
Join Date: Jan 2008
Posts: 20
OS: XP
Re: trojan removal help.
Thanks for the help, here's the new file.
```text
DDS (Ver_09-02-01.01) - NTFSx86
Run by John at 7:36:40.76 on 27/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1604 [GMT -5:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\John\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.atcomet.com/b/
uInternet Settings,ProxyOverride = localhost;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: autorunsdisabled - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitComet] "c:\program files\bitcomet\BitComet.exe" /tray
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\john\applic~1\mozilla\firefox\profiles\6y15xtgs.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\john\application data\mozilla\firefox\profiles\6y15xtgs.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\john\application data\mozilla\firefox\profiles\6y15xtgs.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll

============= SERVICES / DRIVERS ===============

R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-2-22 12552]
R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-22 325128]
R1 avgmfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-22 27656]
R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-22 107272]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-2-22 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-22 298264]
S1 363db3d2;363db3d2;c:\windows\system32\drivers\363db3d2.sys [2009-2-21 0]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-21 44928]

=============== Created Last 30 ================

2009-02-24 09:20 <DIR> --d----- C:\combofix
2009-02-24 09:16 46,651 a------- C:\MGlogs.zip
2009-02-23 13:37 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-23 10:30 250 a------- c:\windows\gmer.ini
2009-02-23 02:39 598,016 a------- c:\windows\system32\OOD2KCRS.dll
2009-02-23 02:39 238,080 a------- c:\windows\system32\OOD2000.exe
2009-02-23 02:39 29,272 a------- c:\windows\system32\OOD2KBS.exe
2009-02-23 02:39 24,576 a------- c:\windows\system32\OODCSPRO.dll
2009-02-23 02:39 16,384 a------- c:\windows\system32\ood2kmsg.dll
2009-02-23 02:39 <DIR> --d----- c:\program files\OOD2KFRE
2009-02-23 02:37 2,178,933 a------- C:\defraglite.exe
2009-02-22 20:00 <DIR> --d----- C:\MGtools
2009-02-22 18:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-22 18:36 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-22 18:36 <DIR> --d----- c:\docume~1\john\applic~1\SUPERAntiSpyware.com
2009-02-22 18:28 1,337,489 a------- C:\MGtools.exe
2009-02-22 18:12 161,792 a------- c:\windows\SWREG.exe
2009-02-22 18:12 98,816 a------- c:\windows\sed.exe
2009-02-22 18:12 <DIR> --d----- C:\Combo.exe
2009-02-22 17:35 <DIR> --d----- c:\docume~1\john\applic~1\Malwarebytes
2009-02-22 17:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-22 17:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 17:34 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 17:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-22 16:04 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-22 15:47 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-22 15:47 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-02-22 15:47 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-22 15:47 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-22 15:47 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-22 15:47 <DIR> --d----- c:\docume~1\john\applic~1\AVGTOOLBAR
2009-02-22 15:46 <DIR> --d----- c:\program files\AVG
2009-02-22 15:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-21 20:27 0 a------- c:\windows\system32\drivers\363db3d2.sys
2009-02-21 20:27 8,704 a------- C:\xmkuydg.exe
2009-02-21 20:27 2 a------- C:\1412995468
2009-02-21 12:43 168,448 a------- c:\windows\system32\unrar.dll
2009-02-21 05:28 <DIR> --d----- C:\Downloads
2009-02-03 17:55 23,392 a------- c:\windows\system32\nscompat.tlb
2009-02-03 17:55 16,832 a------- c:\windows\system32\amcompat.tlb
2009-02-03 16:31 <DIR> --d----- c:\docume~1\john\applic~1\Uniblue
2009-01-30 16:03 <DIR> --d----- c:\program files\iPod
2009-01-30 16:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-30 16:02 <DIR> --d----- c:\program files\Bonjour
2009-01-28 19:39 <DIR> --d----- c:\windows\NV19164100.TMP
2009-01-28 18:59 <DIR> --d----- c:\docume~1\john\applic~1\Acreon

==================== Find3M ====================

2009-01-07 11:28 453,152 ac------ c:\windows\system32\NVUNINST.EXE
2008-12-20 18:15 826,368 a------- c:\windows\system32\wininet.dll
2008-12-10 09:45 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-12-04 09:28 24,344 a------- c:\windows\system32\PhysXDevice.dll
2008-06-19 15:42 22,328 a------- c:\docume~1\john\applic~1\PnkBstrK.sys
2008-08-19 14:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 7:37:26.12 ===============
```
#4
Registered User
Join Date: Jan 2008
Posts: 20
OS: XP
Re: trojan removal help.
Here's the combofix.txt file.
```text
ComboFix 09-02-21.01 - Administrator 2009-02-24 9:20:25.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1687 [GMT -5:00]
Running from: c:\documents and settings\John\Desktop\combofix.exe
AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-01-24 to 2009-02-24 )))))))))))))))))))))))))))))))
.

2009-02-24 09:16 . 2009-02-24 09:18 46,651 --a------ C:\MGlogs.zip
2009-02-24 08:57 . 2009-02-24 08:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-02-24 08:44 . 2009-02-24 08:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-02-23 13:37 . 2009-02-23 13:37 664 --a------ c:\windows\system32\d3d9caps.dat
2009-02-23 13:23 . 2009-02-23 13:04 19,456 --a------ C:\abpjoyey.jwx
2009-02-23 10:30 . 2009-02-23 10:30 250 --a------ c:\windows\gmer.ini
2009-02-23 02:39 . 2009-02-23 02:39 <DIR> d-------- c:\program files\OOD2KFRE
2009-02-23 02:39 . 2001-04-05 17:40 598,016 --a------ c:\windows\system32\OOD2KCRS.dll
2009-02-23 02:39 . 2001-04-06 13:57 238,080 --a------ c:\windows\system32\OOD2000.exe
2009-02-23 02:39 . 2001-04-05 17:21 29,272 --a------ c:\windows\system32\OOD2KBS.exe
2009-02-23 02:39 . 2000-11-09 19:31 24,576 --a------ c:\windows\system32\OODCSPRO.dll
2009-02-23 02:39 . 2000-11-01 14:12 16,384 --a------ c:\windows\system32\ood2kmsg.dll
2009-02-23 02:37 . 2009-02-23 02:38 2,178,933 --a------ C:\defraglite.exe
2009-02-22 20:00 . 2009-02-24 09:18 <DIR> d-------- C:\MGtools
2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com
2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-22 18:28 . 2009-02-22 18:28 1,337,489 --a------ C:\MGtools.exe
2009-02-22 18:12 . 2009-02-22 18:22 <DIR> d-------- C:\Combo.exe
2009-02-22 17:35 . 2009-02-22 17:35 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes
2009-02-22 17:34 . 2009-02-22 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 17:34 . 2009-02-22 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 17:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 17:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-22 16:04 . 2009-02-23 12:10 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-22 15:47 . 2009-02-23 18:54 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-22 15:47 . 2009-02-22 17:30 <DIR> d-------- c:\documents and settings\John\Application Data\AVGTOOLBAR
2009-02-22 15:47 . 2009-02-23 02:33 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-22 15:47 . 2009-02-22 15:47 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-02-22 15:47 . 2009-02-22 15:47 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-02-22 15:47 . 2009-02-22 15:47 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-22 15:46 . 2009-02-22 15:46 <DIR> d-------- c:\program files\AVG
2009-02-22 15:46 . 2009-02-23 15:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-21 20:27 . 2009-02-23 13:24 19,456 --a------ C:\wzhmpkqg.tlg
2009-02-21 20:27 . 2009-02-24 03:19 19,456 --a------ C:\werkptxd.exe
2009-02-21 20:27 . 2009-02-21 20:27 8,704 --a------ C:\xmkuydg.exe
2009-02-21 20:27 . 2009-02-21 20:27 2 --a------ C:\1412995468
2009-02-21 20:27 . 2009-02-23 13:32 0 --a------ c:\windows\system32\drivers\363db3d2.sys
2009-02-21 12:43 . 2008-09-16 14:23 168,448 --a------ c:\windows\system32\unrar.dll
2009-02-21 05:28 . 2009-02-23 03:09 <DIR> d-------- C:\Downloads
2009-02-03 17:55 . 2009-02-03 17:55 23,392 --a------ c:\windows\system32\nscompat.tlb
2009-02-03 17:55 . 2009-02-03 17:55 16,832 --a------ c:\windows\system32\amcompat.tlb
2009-02-03 16:31 . 2009-02-03 16:31 <DIR> d-------- c:\documents and settings\John\Application Data\Uniblue
2009-01-30 16:03 . 2009-01-30 16:03 <DIR> d-------- c:\program files\iPod
2009-01-30 16:03 . 2009-01-30 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-30 16:02 . 2009-01-30 16:02 <DIR> d-------- c:\program files\QuickTime
2009-01-30 16:02 . 2009-01-30 16:02 <DIR> d-------- c:\program files\Bonjour
2009-01-28 19:39 . 2009-01-28 19:41 <DIR> d-------- c:\windows\NV19164100.TMP
2009-01-28 18:59 . 2009-01-28 18:59 <DIR> d-------- c:\documents and settings\John\Application Data\Acreon
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2009-02-23 18:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-23 15:27 --------- d-----w c:\program files\BitComet
2009-02-23 07:39 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 00:02 --------- d-----w c:\program files\Enigma Software Group
2009-02-22 23:48 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-22 23:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-22 20:35 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-02-21 16:39 --------- d-----w c:\documents and settings\John\Application Data\skypePM
2009-02-19 04:55 --------- d-----w c:\program files\World of Warcraft
2009-02-03 21:34 --------- d-----w c:\program files\Tortun
2009-02-03 21:34 --------- d-----w c:\program files\MpcStar
2009-01-30 21:03 --------- d-----w c:\program files\iTunes
2009-01-30 21:03 --------- d-----w c:\program files\Common Files\Apple
2009-01-29 00:39 --------- d-----w c:\program files\AGEIA Technologies
2009-01-12 17:10 --------- d-----w c:\documents and settings\John\Application Data\TigerPlayer
2009-01-11 12:22 --------- d-----w c:\program files\Logitech
2009-01-11 12:22 --------- d-----w c:\program files\Common Files\Logitech
2009-01-07 16:28 453,152 -c--a-w c:\windows\system32\NVUNINST.EXE
2008-12-29 03:03 --------- d-----w c:\documents and settings\John\Application Data\Ventrilo
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-10 14:45 70,936 ----a-w c:\windows\system32\PhysXLoader.dll
2008-12-04 14:28 24,344 ----a-w c:\windows\system32\PhysXDevice.dll
2008-11-26 13:55 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe
2008-11-25 13:38 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe
2008-06-19 20:42 22,328 ----a-w c:\documents and settings\John\Application Data\PnkBstrK.sys
2008-08-19 19:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1529"="C:\werkptxd.exe" [2009-02-24 19456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-22 15:47 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\John\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-12-22 02:20 222080 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
-ra------ 2006-11-14 01:25 363008 c:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-12-10 16:54 127022 c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-01-15 08:19 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2009-01-15 08:19 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 08:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-10-05 08:25 868352 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2009-01-15 08:19 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"PnkBstrA"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"NVSvc"=2 (0x2)
"SysmonLog"=3 (0x3)
"TapiSrv"=3 (0x3)
"TermService"=3 (0x3)
"WmdmPmSN"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9891:TCP"= 9891:TCP:BitComet 9891 TCP
"9891:UDP"= 9891:UDP:BitComet 9891 UDP
"67:UDP"= 67:UDP:DHCP Discovery Service
```
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 "6112:TCP"= 6112:TCP:Blizzard Downloader R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-22 12552] S1 363db3d2;363db3d2;c:\windows\system32\drivers\363db3d2.sys [2009-02-21 0] S1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-22 325128] S1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-22 107272] S1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944] S1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024] S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-22 903960] S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-22 298264] S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408] S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-01-21 44928] . Contents of the 'Scheduled Tasks' folder 2009-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2009-02-22 c:\windows\Tasks\ConanPatcher.job - c:\program files\Funcom\Age of Conan\ConanPatcher.exe [2009-01-27 10:46] . . ------- Supplementary Scan ------- . FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\mp3k5tkg.default\ FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-24 09:20:52 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(240) c:\program files\SUPERAntiSpyware\SASWINLO.dll . Completion time: 2009-02-24 9:22:40 ComboFix-quarantined-files.txt 2009-02-24 14:22:10 ComboFix2.txt 2009-02-23 18:42:12 ComboFix3.txt 2009-02-23 01:10:50 ComboFix4.txt 2009-02-22 23:22:20 Pre-Run: 81,338,675,200 bytes free Post-Run: 81,329,696,768 bytes free 241 --- E O F --- 2009-02-12 08:02:00
#5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista
Re: trojan removal help.
You've run ComboFix quite a number of times over the last several days. I need to see the progression here. Attach all the following ComboFix.txt in your next reply:
ComboFix4.txt
ComboFix3.txt
ComboFix2.txt
#6
Registered User
Join Date: Jan 2008
Posts: 20
OS: XP
Re: trojan removal help.
ComboFix2.txt
ComboFix 09-02-21.01 - John 2009-02-23 13:38:34.2 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1768 [GMT -5:00] Running from: c:\documents and settings\John\Desktop\combofix.exe AV: AVG Anti-Virus *On-access scanning enabled* (Updated) FW: Norton Internet Worm Protection *disabled* . ((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 ))))))))))))))))))))))))))))))) . 2009-02-23 13:37 . 2009-02-23 13:37 664 --a------ c:\windows\system32\d3d9caps.dat 2009-02-23 13:23 . 2009-02-23 13:04 19,456 --a------ C:\abpjoyey.jwx 2009-02-23 10:30 . 2009-02-23 10:30 250 --a------ c:\windows\gmer.ini 2009-02-23 02:39 . 2009-02-23 02:39 <DIR> d-------- c:\program files\OOD2KFRE 2009-02-23 02:39 . 2001-04-05 17:40 598,016 --a------ c:\windows\system32\OOD2KCRS.dll 2009-02-23 02:39 . 2001-04-06 13:57 238,080 --a------ c:\windows\system32\OOD2000.exe 2009-02-23 02:39 . 2001-04-05 17:21 29,272 --a------ c:\windows\system32\OOD2KBS.exe 2009-02-23 02:39 . 2000-11-09 19:31 24,576 --a------ c:\windows\system32\OODCSPRO.dll 2009-02-23 02:39 . 2000-11-01 14:12 16,384 --a------ c:\windows\system32\ood2kmsg.dll 2009-02-23 02:37 . 2009-02-23 02:38 2,178,933 --a------ C:\defraglite.exe 2009-02-22 20:00 . 2009-02-22 20:02 <DIR> d-------- C:\MGtools 2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com 2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-02-22 18:29 . 2009-02-22 18:30 3,171,208 --a------ C:\ccsetup216.exe 2009-02-22 18:28 . 2009-02-22 18:28 1,337,489 --a------ C:\MGtools.exe 2009-02-22 18:12 . 2009-02-22 18:22 <DIR> d-------- C:\Combo.exe 2009-02-22 17:35 . 2009-02-22 17:35 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes 2009-02-22 17:34 . 
2009-02-22 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-22 17:34 . 2009-02-22 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-22 17:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-22 17:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-22 16:04 . 2009-02-23 12:10 <DIR> d--h----- C:\$AVG8.VAULT$ 2009-02-22 15:47 . 2009-02-23 10:10 <DIR> d-------- c:\windows\system32\drivers\Avg 2009-02-22 15:47 . 2009-02-22 17:30 <DIR> d-------- c:\documents and settings\John\Application Data\AVGTOOLBAR 2009-02-22 15:47 . 2009-02-23 02:33 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys 2009-02-22 15:47 . 2009-02-22 15:47 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys 2009-02-22 15:47 . 2009-02-22 15:47 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys 2009-02-22 15:47 . 2009-02-22 15:47 10,520 --a------ c:\windows\system32\avgrsstx.dll 2009-02-22 15:46 . 2009-02-22 15:46 <DIR> d-------- c:\program files\AVG 2009-02-22 15:46 . 2009-02-22 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2009-02-21 20:27 . 2009-02-23 13:24 19,456 --a------ C:\wzhmpkqg.tlg 2009-02-21 20:27 . 2009-02-23 13:27 19,456 --a------ C:\werkptxd.exe 2009-02-21 20:27 . 2009-02-21 20:27 8,704 --a------ C:\xmkuydg.exe 2009-02-21 20:27 . 2009-02-21 20:27 2 --a------ C:\1412995468 2009-02-21 20:27 . 2009-02-23 13:32 0 --a------ c:\windows\system32\drivers\363db3d2.sys 2009-02-21 12:43 . 2008-09-16 14:23 168,448 --a------ c:\windows\system32\unrar.dll 2009-02-21 05:28 . 2009-02-23 03:09 <DIR> d-------- C:\Downloads 2009-02-03 17:55 . 2009-02-03 17:55 23,392 --a------ c:\windows\system32\nscompat.tlb 2009-02-03 17:55 . 2009-02-03 17:55 16,832 --a------ c:\windows\system32\amcompat.tlb 2009-02-03 16:31 . 
2009-02-03 16:31 <DIR> d-------- c:\documents and settings\John\Application Data\Uniblue 2009-01-30 16:03 . 2009-01-30 16:03 <DIR> d-------- c:\program files\iPod 2009-01-30 16:03 . 2009-01-30 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2009-01-30 16:02 . 2009-01-30 16:02 <DIR> d-------- c:\program files\QuickTime 2009-01-30 16:02 . 2009-01-30 16:02 <DIR> d-------- c:\program files\Bonjour 2009-01-28 19:39 . 2009-01-28 19:41 <DIR> d-------- c:\windows\NV19164100.TMP 2009-01-28 18:59 . 2009-01-28 18:59 <DIR> d-------- c:\documents and settings\John\Application Data\Acreon . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-02-23 18:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-02-23 15:27 --------- d-----w c:\program files\BitComet 2009-02-23 07:39 --------- d--h--w c:\program files\InstallShield Installation Information 2009-02-23 00:02 --------- d-----w c:\program files\Enigma Software Group 2009-02-22 23:48 --------- d-----w c:\program files\Spybot - Search & Destroy 2009-02-22 23:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-02-22 20:35 --------- d-----w c:\documents and settings\All Users\Application Data\Skype 2009-02-21 16:39 --------- d-----w c:\documents and settings\John\Application Data\skypePM 2009-02-19 04:55 --------- d-----w c:\program files\World of Warcraft 2009-02-03 21:34 --------- d-----w c:\program files\Tortun 2009-02-03 21:34 --------- d-----w c:\program files\MpcStar 2009-01-30 21:03 --------- d-----w c:\program files\iTunes 2009-01-30 21:03 --------- d-----w c:\program files\Common Files\Apple 2009-01-29 00:39 --------- d-----w c:\program files\AGEIA Technologies 2009-01-12 17:10 --------- d-----w c:\documents and settings\John\Application Data\TigerPlayer 2009-01-11 12:22 --------- d-----w c:\program files\Logitech 
2009-01-11 12:22 --------- d-----w c:\program files\Common Files\Logitech 2009-01-07 16:28 453,152 -c--a-w c:\windows\system32\NVUNINST.EXE 2008-12-29 03:03 --------- d-----w c:\documents and settings\John\Application Data\Ventrilo 2008-12-23 14:17 --------- d-----w c:\program files\Ventrilo 2008-12-23 14:17 --------- d-----w c:\program files\DivX 2008-12-23 14:09 --------- d-----w c:\program files\Yahoo! 2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll 2008-12-10 14:45 70,936 ----a-w c:\windows\system32\PhysXLoader.dll 2008-12-04 14:28 24,344 ----a-w c:\windows\system32\PhysXDevice.dll 2008-11-26 13:55 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe 2008-11-25 13:38 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe 2008-06-19 20:42 22,328 ----a-w c:\documents and settings\John\Application Data\PnkBstrK.sys 2008-08-19 19:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat . ((((((((((((((((((((((((((((( SnapShot@2009-02-22_20.09.20.23 ))))))))))))))))))))))))))))))))))))))))) . + 2009-02-23 15:30:37 884,736 ----a-w c:\windows\gmer.dll + 2008-04-18 02:13:02 811,008 ----a-r c:\windows\gmer.exe + 2009-02-23 15:30:37 85,969 ----a-w c:\windows\system32\drivers\gmer.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "5886"="C:\werkptxd.exe" [2009-02-23 19456] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-02-22 15:47 10520 c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.SP53"= SP5X_32.DLL "VIDC.SP54"= SP5X_32.DLL "VIDC.SP55"= SP5X_32.DLL "VIDC.SP56"= SP5X_32.DLL "VIDC.SP57"= SP5X_32.DLL "VIDC.SP58"= SP5X_32.DLL "VIDC.SP59"= SP5X_32.DLL [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Stardock ObjectDock.lnk] path=c:\documents and settings\John\Start Menu\Programs\Startup\Stardock ObjectDock.lnk backup=c:\windows\pss\Stardock ObjectDock.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] --a------ 2007-12-22 02:20 222080 c:\program 
files\Alcohol Soft\Alcohol 120\AxCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp] -ra------ 2006-11-14 01:25 363008 c:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS] --a------ 2002-12-10 16:54 127022 c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2009-01-15 08:19 13680640 c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] --a------ 2009-01-15 08:19 86016 c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX] --------- 2006-07-13 08:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP] -ra------ 2006-10-05 08:25 868352 c:\program files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] -rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2008-02-22 03:25 144784 c:\program 
files\Java\jre1.6.0_05\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2009-01-15 08:19 1657376 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPod Service"=3 (0x3) "ccSetMgr"=2 (0x2) "ccProxy"=2 (0x2) "ccISPwdSvc"=3 (0x3) "ccEvtMgr"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "WLSetupSvc"=3 (0x3) "usnjsvc"=3 (0x3) "StarWindServiceAE"=2 (0x2) "PnkBstrA"=2 (0x2) "Apple Mobile Device"=2 (0x2) "NVSvc"=2 (0x2) "SysmonLog"=3 (0x3) "TapiSrv"=3 (0x3) "TermService"=3 (0x3) "WmdmPmSN"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "c:\\Program Files\\Tortun\\gui.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgam.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "9891:TCP"= 9891:TCP:BitComet 9891 TCP "9891:UDP"= 9891:UDP:BitComet 9891 UDP "67:UDP"= 67:UDP:DHCP Discovery Service 
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 "6112:TCP"= 6112:TCP:Blizzard Downloader R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-22 12552] S1 363db3d2;363db3d2;c:\windows\system32\drivers\363db3d2.sys [2009-02-21 0] S1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-22 325128] S1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-22 107272] S1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944] S1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024] S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-22 903960] S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-22 298264] S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408] S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-01-21 44928] . Contents of the 'Scheduled Tasks' folder 2009-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2009-02-22 c:\windows\Tasks\ConanPatcher.job - c:\program files\Funcom\Age of Conan\ConanPatcher.exe [2009-01-27 10:46] . . ------- Supplementary Scan ------- . uStart Page = hxxp://google.atcomet.com/b/ uInternet Settings,ProxyOverride = localhost;*.local FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6y15xtgs.default\ FF - prefs.js: browser.search.selectedEngine - Search FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - plugin: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6y15xtgs.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll . 
************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-23 13:40:43 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(240) c:\program files\SUPERAntiSpyware\SASWINLO.dll . Completion time: 2009-02-23 13:42:11 ComboFix-quarantined-files.txt 2009-02-23 18:42:00 ComboFix2.txt 2009-02-23 01:10:50 ComboFix3.txt 2009-02-22 23:22:20 Pre-Run: 81,425,805,312 bytes free Post-Run: 81,413,173,248 bytes free 250 --- E O F --- 2009-02-12 08:02:00
#7
Registered User
Join Date: Jan 2008
Posts: 20
OS: XP
Re: trojan removal help.
ComboFix3.txt
ComboFix 09-02-21.01 - John 2009-02-23 13:38:34.2 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1768 [GMT -5:00] Running from: c:\documents and settings\John\Desktop\combofix.exe AV: AVG Anti-Virus *On-access scanning enabled* (Updated) FW: Norton Internet Worm Protection *disabled* . ((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 ))))))))))))))))))))))))))))))) . 2009-02-23 13:37 . 2009-02-23 13:37 664 --a------ c:\windows\system32\d3d9caps.dat 2009-02-23 13:23 . 2009-02-23 13:04 19,456 --a------ C:\abpjoyey.jwx 2009-02-23 10:30 . 2009-02-23 10:30 250 --a------ c:\windows\gmer.ini 2009-02-23 02:39 . 2009-02-23 02:39 <DIR> d-------- c:\program files\OOD2KFRE 2009-02-23 02:39 . 2001-04-05 17:40 598,016 --a------ c:\windows\system32\OOD2KCRS.dll 2009-02-23 02:39 . 2001-04-06 13:57 238,080 --a------ c:\windows\system32\OOD2000.exe 2009-02-23 02:39 . 2001-04-05 17:21 29,272 --a------ c:\windows\system32\OOD2KBS.exe 2009-02-23 02:39 . 2000-11-09 19:31 24,576 --a------ c:\windows\system32\OODCSPRO.dll 2009-02-23 02:39 . 2000-11-01 14:12 16,384 --a------ c:\windows\system32\ood2kmsg.dll 2009-02-23 02:37 . 2009-02-23 02:38 2,178,933 --a------ C:\defraglite.exe 2009-02-22 20:00 . 2009-02-22 20:02 <DIR> d-------- C:\MGtools 2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com 2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-02-22 18:29 . 2009-02-22 18:30 3,171,208 --a------ C:\ccsetup216.exe 2009-02-22 18:28 . 2009-02-22 18:28 1,337,489 --a------ C:\MGtools.exe 2009-02-22 18:12 . 2009-02-22 18:22 <DIR> d-------- C:\Combo.exe 2009-02-22 17:35 . 2009-02-22 17:35 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes 2009-02-22 17:34 . 
2009-02-22 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-22 17:34 . 2009-02-22 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-22 17:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-22 17:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-22 16:04 . 2009-02-23 12:10 <DIR> d--h----- C:\$AVG8.VAULT$ 2009-02-22 15:47 . 2009-02-23 10:10 <DIR> d-------- c:\windows\system32\drivers\Avg 2009-02-22 15:47 . 2009-02-22 17:30 <DIR> d-------- c:\documents and settings\John\Application Data\AVGTOOLBAR 2009-02-22 15:47 . 2009-02-23 02:33 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys 2009-02-22 15:47 . 2009-02-22 15:47 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys 2009-02-22 15:47 . 2009-02-22 15:47 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys 2009-02-22 15:47 . 2009-02-22 15:47 10,520 --a------ c:\windows\system32\avgrsstx.dll 2009-02-22 15:46 . 2009-02-22 15:46 <DIR> d-------- c:\program files\AVG 2009-02-22 15:46 . 2009-02-22 19:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2009-02-21 20:27 . 2009-02-23 13:24 19,456 --a------ C:\wzhmpkqg.tlg 2009-02-21 20:27 . 2009-02-23 13:27 19,456 --a------ C:\werkptxd.exe 2009-02-21 20:27 . 2009-02-21 20:27 8,704 --a------ C:\xmkuydg.exe 2009-02-21 20:27 . 2009-02-21 20:27 2 --a------ C:\1412995468 2009-02-21 20:27 . 2009-02-23 13:32 0 --a------ c:\windows\system32\drivers\363db3d2.sys 2009-02-21 12:43 . 2008-09-16 14:23 168,448 --a------ c:\windows\system32\unrar.dll 2009-02-21 05:28 . 2009-02-23 03:09 <DIR> d-------- C:\Downloads 2009-02-03 17:55 . 2009-02-03 17:55 23,392 --a------ c:\windows\system32\nscompat.tlb 2009-02-03 17:55 . 2009-02-03 17:55 16,832 --a------ c:\windows\system32\amcompat.tlb 2009-02-03 16:31 . 
2009-02-03 16:31 <DIR> d-------- c:\documents and settings\John\Application Data\Uniblue 2009-01-30 16:03 . 2009-01-30 16:03 <DIR> d-------- c:\program files\iPod 2009-01-30 16:03 . 2009-01-30 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2009-01-30 16:02 . 2009-01-30 16:02 <DIR> d-------- c:\program files\QuickTime 2009-01-30 16:02 . 2009-01-30 16:02 <DIR> d-------- c:\program files\Bonjour 2009-01-28 19:39 . 2009-01-28 19:41 <DIR> d-------- c:\windows\NV19164100.TMP 2009-01-28 18:59 . 2009-01-28 18:59 <DIR> d-------- c:\documents and settings\John\Application Data\Acreon . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-02-23 18:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-02-23 15:27 --------- d-----w c:\program files\BitComet 2009-02-23 07:39 --------- d--h--w c:\program files\InstallShield Installation Information 2009-02-23 00:02 --------- d-----w c:\program files\Enigma Software Group 2009-02-22 23:48 --------- d-----w c:\program files\Spybot - Search & Destroy 2009-02-22 23:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-02-22 20:35 --------- d-----w c:\documents and settings\All Users\Application Data\Skype 2009-02-21 16:39 --------- d-----w c:\documents and settings\John\Application Data\skypePM 2009-02-19 04:55 --------- d-----w c:\program files\World of Warcraft 2009-02-03 21:34 --------- d-----w c:\program files\Tortun 2009-02-03 21:34 --------- d-----w c:\program files\MpcStar 2009-01-30 21:03 --------- d-----w c:\program files\iTunes 2009-01-30 21:03 --------- d-----w c:\program files\Common Files\Apple 2009-01-29 00:39 --------- d-----w c:\program files\AGEIA Technologies 2009-01-12 17:10 --------- d-----w c:\documents and settings\John\Application Data\TigerPlayer 2009-01-11 12:22 --------- d-----w c:\program files\Logitech 
2009-01-11 12:22 --------- d-----w c:\program files\Common Files\Logitech 2009-01-07 16:28 453,152 -c--a-w c:\windows\system32\NVUNINST.EXE 2008-12-29 03:03 --------- d-----w c:\documents and settings\John\Application Data\Ventrilo 2008-12-23 14:17 --------- d-----w c:\program files\Ventrilo 2008-12-23 14:17 --------- d-----w c:\program files\DivX 2008-12-23 14:09 --------- d-----w c:\program files\Yahoo! 2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll 2008-12-10 14:45 70,936 ----a-w c:\windows\system32\PhysXLoader.dll 2008-12-04 14:28 24,344 ----a-w c:\windows\system32\PhysXDevice.dll 2008-11-26 13:55 288,024 ----a-w c:\windows\system32\PhysXCplUI.exe 2008-11-25 13:38 288,024 ----a-w c:\windows\system32\PhysXCompatCplUI.exe 2008-06-19 20:42 22,328 ----a-w c:\documents and settings\John\Application Data\PnkBstrK.sys 2008-08-19 19:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat . ((((((((((((((((((((((((((((( SnapShot@2009-02-22_20.09.20.23 ))))))))))))))))))))))))))))))))))))))))) . + 2009-02-23 15:30:37 884,736 ----a-w c:\windows\gmer.dll + 2008-04-18 02:13:02 811,008 ----a-r c:\windows\gmer.exe + 2009-02-23 15:30:37 85,969 ----a-w c:\windows\system32\drivers\gmer.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "5886"="C:\werkptxd.exe" [2009-02-23 19456] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-02-22 15:47 10520 c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.SP53"= SP5X_32.DLL "VIDC.SP54"= SP5X_32.DLL "VIDC.SP55"= SP5X_32.DLL "VIDC.SP56"= SP5X_32.DLL "VIDC.SP57"= SP5X_32.DLL "VIDC.SP58"= SP5X_32.DLL "VIDC.SP59"= SP5X_32.DLL [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Stardock ObjectDock.lnk] path=c:\documents and settings\John\Start Menu\Programs\Startup\Stardock ObjectDock.lnk backup=c:\windows\pss\Stardock ObjectDock.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] --a------ 2007-12-22 02:20 222080 c:\program 
files\Alcohol Soft\Alcohol 120\AxCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp] -ra------ 2006-11-14 01:25 363008 c:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS] --a------ 2002-12-10 16:54 127022 c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2009-01-15 08:19 13680640 c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] --a------ 2009-01-15 08:19 86016 c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX] --------- 2006-07-13 08:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP] -ra------ 2006-10-05 08:25 868352 c:\program files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] -rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2008-02-22 03:25 144784 c:\program 
files\Java\jre1.6.0_05\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2009-01-15 08:19 1657376 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPod Service"=3 (0x3) "ccSetMgr"=2 (0x2) "ccProxy"=2 (0x2) "ccISPwdSvc"=3 (0x3) "ccEvtMgr"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "WLSetupSvc"=3 (0x3) "usnjsvc"=3 (0x3) "StarWindServiceAE"=2 (0x2) "PnkBstrA"=2 (0x2) "Apple Mobile Device"=2 (0x2) "NVSvc"=2 (0x2) "SysmonLog"=3 (0x3) "TapiSrv"=3 (0x3) "TermService"=3 (0x3) "WmdmPmSN"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "c:\\Program Files\\Tortun\\gui.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgam.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "9891:TCP"= 9891:TCP:BitComet 9891 TCP "9891:UDP"= 9891:UDP:BitComet 9891 UDP "67:UDP"= 67:UDP:DHCP Discovery Service 
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 "6112:TCP"= 6112:TCP:Blizzard Downloader R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-22 12552] S1 363db3d2;363db3d2;c:\windows\system32\drivers\363db3d2.sys [2009-02-21 0] S1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-22 325128] S1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-22 107272] S1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944] S1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024] S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-22 903960] S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-22 298264] S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408] S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-01-21 44928] . Contents of the 'Scheduled Tasks' folder 2009-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2009-02-22 c:\windows\Tasks\ConanPatcher.job - c:\program files\Funcom\Age of Conan\ConanPatcher.exe [2009-01-27 10:46] . . ------- Supplementary Scan ------- . uStart Page = hxxp://google.atcomet.com/b/ uInternet Settings,ProxyOverride = localhost;*.local FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6y15xtgs.default\ FF - prefs.js: browser.search.selectedEngine - Search FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - plugin: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6y15xtgs.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll . 
************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-23 13:40:43 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(240) c:\program files\SUPERAntiSpyware\SASWINLO.dll . Completion time: 2009-02-23 13:42:11 ComboFix-quarantined-files.txt 2009-02-23 18:42:00 ComboFix2.txt 2009-02-23 01:10:50 ComboFix3.txt 2009-02-22 23:22:20 Pre-Run: 81,425,805,312 bytes free Post-Run: 81,413,173,248 bytes free 250 --- E O F --- 2009-02-12 08:02:00 |
#8
Registered User
Join Date: Jan 2008
Posts: 20
OS: XP
Re: trojan removal help.
comboFiX4
ComboFix 09-02-21.01 - John 2009-02-22 18:13:17.3 - NTFSx86 MINIMAL Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1793 [GMT -5:00] Running from: c:\documents and settings\John\Desktop\Combo.exe.exe AV: AVG Anti-Virus *On-access scanning enabled* (Outdated) FW: Norton Internet Worm Protection *disabled* . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\lsass.exe c:\windows\system32\404Fix.exe c:\windows\system32\dumphive.exe c:\windows\system32\IEDFix.C.exe c:\windows\system32\IEDFix.exe c:\windows\system32\o4Patch.exe c:\windows\system32\Process.exe c:\windows\system32\SrchSTS.exe c:\windows\system32\tmp.reg c:\windows\system32\VACFix.exe c:\windows\system32\VCCLSID.exe c:\windows\system32\WS2Fix.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys ((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 ))))))))))))))))))))))))))))))) . 2009-02-22 18:17 . 2009-02-22 18:17 19,456 --a------ C:\lsass.exe 2009-02-22 17:35 . 2009-02-22 17:35 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes 2009-02-22 17:34 . 2009-02-22 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-22 17:34 . 2009-02-22 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-22 17:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-22 17:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-22 16:04 . 2009-02-22 16:51 <DIR> d--h----- C:\$AVG8.VAULT$ 2009-02-22 15:47 . 2009-02-22 15:47 <DIR> d-------- c:\windows\system32\drivers\Avg 2009-02-22 15:47 . 2009-02-22 17:30 <DIR> d-------- c:\documents and settings\John\Application Data\AVGTOOLBAR 2009-02-22 15:47 . 2009-02-22 15:47 324,872 --a------ c:\windows\system32\drivers\avgldx86.sys 2009-02-22 15:47 . 
2009-02-22 15:47 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys 2009-02-22 15:47 . 2009-02-22 15:47 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys 2009-02-22 15:47 . 2009-02-22 15:47 10,520 --a------ c:\windows\system32\avgrsstx.dll 2009-02-22 15:46 . 2009-02-22 15:46 <DIR> d-------- c:\program files\AVG 2009-02-22 15:46 . 2009-02-22 17:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2009-02-21 20:27 . 2009-02-22 18:18 100,590 --a------ c:\windows\system32\drivers\363db3d2.sys 2009-02-21 20:27 . 2009-02-21 20:27 81,920 --a------ C:\arcwvqi.exe 2009-02-21 20:27 . 2009-02-22 18:18 19,456 --a------ C:\werkptxd.exe 2009-02-21 20:27 . 2009-02-21 20:27 8,704 --a------ C:\xmkuydg.exe 2009-02-21 20:27 . 2009-02-21 20:27 2 --a------ C:\1412995468 2009-02-21 12:43 . 2008-09-16 14:23 168,448 --a------ c:\windows\system32\unrar.dll 2009-02-21 05:28 . 2009-02-22 16:00 <DIR> d-------- C:\Downloads 2009-02-03 17:55 . 2009-02-03 17:55 23,392 --a------ c:\windows\system32\nscompat.tlb 2009-02-03 17:55 . 2009-02-03 17:55 16,832 --a------ c:\windows\system32\amcompat.tlb 2009-02-03 16:31 . 2009-02-03 16:31 <DIR> d-------- c:\documents and settings\John\Application Data\Uniblue 2009-01-30 16:03 . 2009-01-30 16:03 <DIR> d-------- c:\program files\iPod 2009-01-30 16:03 . 2009-01-30 16:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2009-01-30 16:02 . 2009-01-30 16:02 <DIR> d-------- c:\program files\QuickTime 2009-01-30 16:02 . 2009-01-30 16:02 <DIR> d-------- c:\program files\Bonjour 2009-01-28 19:39 . 2009-01-28 19:41 <DIR> d-------- c:\windows\NV19164100.TMP 2009-01-28 18:59 . 2009-01-28 18:59 <DIR> d-------- c:\documents and settings\John\Application Data\Acreon . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-02-22 23:06 --------- d-----w c:\program files\BitComet 2009-02-22 22:56 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-02-22 20:35 --------- d-----w c:\documents and settings\All Users\Application Data\Skype 2009-02-21 16:39 --------- d-----w c:\documents and settings\John\Application Data\skypePM 2009-02-19 04:55 --------- d-----w c:\program files\World of Warcraft 2009-02-03 21:34 --------- d-----w c:\program files\Tortun 2009-02-03 21:34 --------- d-----w c:\program files\MpcStar 2009-01-30 21:03 --------- d-----w c:\program files\iTunes 2009-01-30 21:03 --------- d-----w c:\program files\Common Files\Apple 2009-01-29 00:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-01-29 00:39 --------- d-----w c:\program files\AGEIA Technologies 2009-01-15 13:19 6,301,248 ----a-w c:\windows\system32\drivers\nv4_mini.sys 2009-01-12 17:10 --------- d-----w c:\documents and settings\John\Application Data\TigerPlayer 2009-01-11 12:22 --------- d--h--w c:\program files\InstallShield Installation Information 2009-01-11 12:22 --------- d-----w c:\program files\Logitech 2009-01-11 12:22 --------- d-----w c:\program files\Common Files\Logitech 2008-12-29 03:03 --------- d-----w c:\documents and settings\John\Application Data\Ventrilo 2008-12-23 14:17 --------- d-----w c:\program files\Ventrilo 2008-12-23 14:17 --------- d-----w c:\program files\DivX 2008-12-23 14:09 --------- d-----w c:\program files\Yahoo! 2008-06-19 20:42 22,328 ----a-w c:\documents and settings\John\Application Data\PnkBstrK.sys 2008-08-19 19:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "12726"="C:\werkptxd.exe" [2009-02-22 19456] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-02-22 15:47 10520 c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.SP53"= SP5X_32.DLL "VIDC.SP54"= SP5X_32.DLL "VIDC.SP55"= SP5X_32.DLL "VIDC.SP56"= SP5X_32.DLL "VIDC.SP57"= SP5X_32.DLL "VIDC.SP58"= SP5X_32.DLL "VIDC.SP59"= SP5X_32.DLL [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Stardock ObjectDock.lnk] path=c:\documents and settings\John\Start Menu\Programs\Startup\Stardock ObjectDock.lnk backup=c:\windows\pss\Stardock ObjectDock.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] c:\windows\system32\dumprep 0 -k [X] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount] --a------ 2007-12-22 02:20 222080 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp] -ra------ 2006-11-14 01:25 363008 c:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2009-01-06 13:06 290088 c:\program 
files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS] --a------ 2002-12-10 16:54 127022 c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2009-01-15 08:19 13680640 c:\windows\system32\nvcpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] --a------ 2009-01-15 08:19 86016 c:\windows\system32\nvmctray.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX] --------- 2006-07-13 08:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP] -ra------ 2006-10-05 08:25 868352 c:\program files\Analog Devices\Core\smax4pnp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer] -rahs---- 2008-01-28 10:43 2097488 c:\program files\Spybot - Search & Destroy\TeaTimer.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] --a------ 2009-01-15 08:19 1657376 c:\windows\system32\nwiz.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "iPod Service"=3 (0x3) "ccSetMgr"=2 (0x2) "ccProxy"=2 (0x2) "ccISPwdSvc"=3 (0x3) "ccEvtMgr"=2 (0x2) "WMPNetworkSvc"=3 (0x3) "WLSetupSvc"=3 (0x3) "usnjsvc"=3 (0x3) "StarWindServiceAE"=2 (0x2) "PnkBstrA"=2 (0x2) "Apple Mobile Device"=2 (0x2) "NVSvc"=2 (0x2) 
"SysmonLog"=3 (0x3) "TapiSrv"=3 (0x3) "TermService"=3 (0x3) "WmdmPmSN"=3 (0x3) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"= "c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "c:\\Program Files\\Tortun\\gui.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\AVG\\AVG8\\avgam.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "9891:TCP"= 9891:TCP:BitComet 9891 TCP "9891:UDP"= 9891:UDP:BitComet 9891 UDP "67:UDP"= 67:UDP:DHCP Discovery Service "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 "6112:TCP"= 6112:TCP:Blizzard Downloader S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-01-21 44928] S4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-22 903960] S4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-22 298264] S4 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-22 324872] S4 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-22 12552] 
S4 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-02-22 107272] . Contents of the 'Scheduled Tasks' folder 2009-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34] 2009-02-22 c:\windows\Tasks\ConanPatcher.job - c:\program files\Funcom\Age of Conan\ConanPatcher.exe [2009-01-27 10:46] . - - - - ORPHANS REMOVED - - - - WebBrowser-{2D2DE234-AB9F-4345-9D17-94FA78BA37E3} - (no file) MSConfigStartUp-ANTIVIRUS - c:\program files\AAV\aav.exe MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe MSConfigStartUp-EM_EXEC - c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe . ------- Supplementary Scan ------- . uStart Page = hxxp://google.atcomet.com/b/ uInternet Settings,ProxyOverride = localhost;*.local FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6y15xtgs.default\ FF - prefs.js: browser.search.selectedEngine - Search FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll FF - plugin: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6y15xtgs.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-02-22 18:17:33 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\363db3d2] "ImagePath"="\SystemRoot\System32\drivers\363db3d2.sys" . ------------------------ Other Running Processes ------------------------ . c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\nvsvc32.exe C:\lsass.exe . ************************************************************************** . Completion time: 2009-02-22 18:22:19 - machine was rebooted ComboFix-quarantined-files.txt 2009-02-22 23:22:17 Pre-Run: 82,081,456,128 bytes free Post-Run: 82,010,898,432 bytes free 240 --- E O F --- 2009-02-12 08:02:00 |
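A defender-side triage pass over log lines of the kind posted above, added here as an example; it is not part of this thread and not a ComboFix feature. It reads the Run-key values, the driver/service lines and the process paths in a ComboFix log and flags the patterns that stand out in these logs: a Run value with a purely numeric name pointing at an executable in the drive root (C:\werkptxd.exe), a driver with an 8-hex-digit name reported at 0 bytes (363db3d2.sys), a core process name such as lsass.exe running from outside \windows\system32, and the firewall's standard profile set to EnableFirewall=0. The regular expressions for the three ComboFix line shapes are my assumptions inferred from the lines on this page, and the sample input is a constructed subset copied from the logs above.

```python
import re
from typing import List, NamedTuple

# Constructed sample: a subset of lines copied from the ComboFix logs posted above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5886"="C:\werkptxd.exe" [2009-02-23 19456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
S1 363db3d2;363db3d2;c:\windows\system32\drivers\363db3d2.sys [2009-02-21 0]
S1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-22 325128]
R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-02-22 12552]
"EnableFirewall"= 0 (0x0)
C:\lsass.exe
c:\program files\Bonjour\mDNSResponder.exe
'''


class Finding(NamedTuple):
    line: str
    reason: str


# Line shapes in a ComboFix log (regexes are assumptions inferred from the posted logs):
#   Run-key value:   "name"="path" [yyyy-mm-dd size]
#   driver/service:  S1 svcname;display name;path [yyyy-mm-dd size]
#   running process: a bare path ending in .exe
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[\S+\s+(?P<size>\d+)\]$')
SVC_RE = re.compile(r'^[RS]\d\s+(?P<svc>[^;]+);[^;]*;(?P<path>.+?)\s+\[\S+\s+(?P<size>\d+)\]$')
PROC_RE = re.compile(r'^[a-z]:\\.+\.exe$', re.IGNORECASE)
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

DRIVE_ROOT_RE = re.compile(r'^[a-z]:\\[^\\]+$', re.IGNORECASE)
HEX8_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)
# Core Windows process names that legitimately live only under \windows\system32
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "smss.exe",
                        "svchost.exe", "winlogon.exe", "services.exe"}


def _path_checks(path: str) -> List[str]:
    """Checks that apply to any executable path, whether from a Run value or a process list."""
    reasons = []
    if DRIVE_ROOT_RE.match(path):
        reasons.append("executable sits directly in the drive root")
    parent, _, base = path.rpartition("\\")
    if base.lower() in SYSTEM_PROCESS_NAMES and not parent.lower().endswith(r"\windows\system32"):
        reasons.append(f"{base} is a core Windows process name but is not under \\windows\\system32")
    return reasons


def analyze(text: str) -> List[Finding]:
    """Return one Finding per (line, reason) pair for lines that match a suspicious pattern."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        run = RUN_RE.match(line)
        svc = SVC_RE.match(line)
        if run:
            if run["name"].isdigit():
                reasons.append("Run value name is purely numeric (looks generated)")
            reasons += _path_checks(run["path"])
        elif svc:
            if svc["size"] == "0":
                reasons.append("driver file reported at 0 bytes (hidden or missing on disk)")
            if HEX8_RE.match(svc["svc"]):
                reasons.append("service name is an 8-hex-digit string (looks generated)")
        elif PROC_RE.match(line):
            reasons += _path_checks(line)
        elif FIREWALL_OFF_RE.match(line):
            reasons.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
        findings.extend(Finding(line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample, the script reports the werkptxd.exe Run value twice (numeric name, drive root), the 363db3d2 driver twice (0 bytes, hex name), the lsass.exe process twice (drive root, wrong directory) and the disabled firewall once, while the ctfmon, AVG and Bonjour entries pass clean. The checks are heuristics for prioritising what to look at in a log, not a verdict; the 0-byte driver size, for instance, is what a rootkit hiding its file from the scanner looks like, but a corrupted file would show the same.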
#10
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista
Re: trojan removal help.
Hi stellaris,
Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you. Post that log in your next reply.

**Note** When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.

---------------------------------------------------------------

Please include the following in your next reply:
C:\ComboFix.txt
Kaspersky results
Update on system behavior
#11
Registered User
Join Date: Jan 2008
Posts: 20
OS: XP
Re: trojan removal help.
Thanks for the continuing help, here's the 2 files you
ComboFix 09-03-01.01 - John 2009-03-02 9:42:47.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1698 [GMT -5:00] Running from: c:\documents and settings\John\Desktop\combofix.exe Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt FW: Norton Internet Worm Protection *disabled* * Created a new restore point FILE :: C:\1412995468 c:\windows\system32\drivers\363db3d2.sys . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\1412995468 c:\windows\system32\drivers\363db3d2.sys C:\xmkuydg.exe . ((((((((((((((((((((((((( Files Created from 2009-02-02 to 2009-03-02 ))))))))))))))))))))))))))))))) . 2009-02-24 09:16 . 2009-02-24 09:18 46,651 --a------ C:\MGlogs.zip 2009-02-24 08:57 . 2009-02-24 08:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com 2009-02-24 08:44 . 2009-02-24 08:44 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-02-23 13:37 . 2009-03-02 09:39 664 --a------ c:\windows\system32\d3d9caps.dat 2009-02-23 10:30 . 2009-02-23 10:30 250 --a------ c:\windows\gmer.ini 2009-02-23 02:39 . 2009-02-23 02:39 <DIR> d-------- c:\program files\OOD2KFRE 2009-02-23 02:39 . 2001-04-05 17:40 598,016 --a------ c:\windows\system32\OOD2KCRS.dll 2009-02-23 02:39 . 2001-04-06 13:57 238,080 --a------ c:\windows\system32\OOD2000.exe 2009-02-23 02:39 . 2001-04-05 17:21 29,272 --a------ c:\windows\system32\OOD2KBS.exe 2009-02-23 02:39 . 2000-11-09 19:31 24,576 --a------ c:\windows\system32\OODCSPRO.dll 2009-02-23 02:39 . 2000-11-01 14:12 16,384 --a------ c:\windows\system32\ood2kmsg.dll 2009-02-23 02:37 . 2009-02-23 02:38 2,178,933 --a------ C:\defraglite.exe 2009-02-22 20:00 . 2009-02-24 09:18 <DIR> d-------- C:\MGtools 2009-02-22 18:36 . 2009-02-27 07:41 <DIR> d-------- c:\program files\SUPERAntiSpyware 2009-02-22 18:36 . 
2009-02-22 18:36 <DIR> d-------- c:\documents and settings\John\Application Data\SUPERAntiSpyware.com 2009-02-22 18:36 . 2009-02-22 18:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-02-22 18:28 . 2009-02-22 18:28 1,337,489 --a------ C:\MGtools.exe 2009-02-22 17:35 . 2009-02-22 17:35 <DIR> d-------- c:\documents and settings\John\Application Data\Malwarebytes 2009-02-22 17:34 . 2009-02-22 17:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-02-22 17:34 . 2009-02-22 17:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-02-22 17:34 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-02-22 17:34 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-22 16:04 . 2009-02-27 08:47 <DIR> d--h----- C:\$AVG8.VAULT$ 2009-02-22 15:46 . 2009-02-22 15:46 <DIR> d-------- c:\program files\AVG 2009-02-22 15:46 . 2009-03-02 09:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8 2009-02-21 12:43 . 2008-09-16 14:23 168,448 --a------ c:\windows\system32\unrar.dll 2009-02-21 05:28 . 2009-02-25 01:08 <DIR> d-------- C:\Downloads 2009-02-03 17:55 . 2009-02-03 17:55 23,392 --a------ c:\windows\system32\nscompat.tlb 2009-02-03 17:55 . 2009-02-03 17:55 16,832 --a------ c:\windows\system32\amcompat.tlb 2009-02-03 16:31 . 2009-02-03 16:31 <DIR> d-------- c:\documents and settings\John\Application Data\Uniblue . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 
2009-03-02 14:41 --------- d-----w c:\program files\BitComet 2009-02-27 12:40 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-02-23 07:39 --------- d--h--w c:\program files\InstallShield Installation Information 2009-02-23 00:02 --------- d-----w c:\program files\Enigma Software Group 2009-02-22 23:48 --------- d-----w c:\program files\Spybot - Search & Destroy 2009-02-22 23:35 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2009-02-22 20:35 --------- d-----w c:\documents and settings\All Users\Application Data\Skype 2009-02-21 16:39 --------- d-----w c:\documents and settings\John\Application Data\skypePM 2009-02-19 04:55 --------- d-----w c:\program files\World of Warcraft 2009-02-03 21:34 --------- d-----w c:\program files\Tortun 2009-02-03 21:34 --------- d-----w c:\program files\MpcStar 2009-01-30 21:03 --------- d-----w c:\program files\iTunes 2009-01-30 21:03 --------- d-----w c:\program files\iPod 2009-01-30 21:03 --------- d-----w c:\program files\Common Files\Apple 2009-01-30 21:03 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2009-01-30 21:02 --------- d-----w c:\program files\QuickTime 2009-01-30 21:02 --------- d-----w c:\program files\Bonjour 2009-01-29 00:39 --------- d-----w c:\program files\AGEIA Technologies 2009-01-28 23:59 --------- d-----w c:\documents and settings\John\Application Data\Acreon 2009-01-12 17:10 --------- d-----w c:\documents and settings\John\Application Data\TigerPlayer 2009-01-11 12:22 --------- d-----w c:\program files\Logitech 2009-01-11 12:22 --------- d-----w c:\program files\Common Files\Logitech 2009-01-07 16:28 453,152 -c--a-w c:\windows\system32\NVUNINST.EXE 2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll 2008-12-10 14:45 70,936 ----a-w c:\windows\system32\PhysXLoader.dll 2008-12-04 14:28 24,344 ----a-w c:\windows\system32\PhysXDevice.dll 2008-06-19 20:42 22,328 
----a-w c:\documents and settings\John\Application Data\PnkBstrK.sys
2008-08-19 19:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-01-20 2523960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=c:\documents and settings\John\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=c:\windows\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-12-22 02:20 222080 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusStartupHelp]
-ra------ 2006-11-14 01:25 363008 c:\program files\ASUS\AASP\1.00.16\AsRunHelp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
--a------ 2002-12-10 16:54 127022 c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-01-15 08:19 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2009-01-15 08:19 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--------- 2006-07-13 08:12 729088 c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
-ra------ 2006-10-05 08:25 868352 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 03:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2009-01-15 08:19 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccProxy"=2 (0x2)
"ccISPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"PnkBstrA"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"NVSvc"=2 (0x2)
"SysmonLog"=3 (0x3)
"TapiSrv"=3 (0x3)
"TermService"=3 (0x3)
"WmdmPmSN"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Tortun\\gui.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9891:TCP"= 9891:TCP:BitComet 9891 TCP
"9891:UDP"= 9891:UDP:BitComet 9891 UDP
"67:UDP"= 67:UDP:DHCP Discovery Service
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
S1 363db3d2;363db3d2;c:\windows\system32\drivers\363db3d2.sys --> c:\windows\system32\drivers\363db3d2.sys [?]
S3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-01-21 44928]
.
Contents of the 'Scheduled Tasks' folder

2009-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-22 c:\windows\Tasks\ConanPatcher.job
- c:\program files\Funcom\Age of Conan\ConanPatcher.exe [2009-01-27 10:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.atcomet.com/b/
uInternet Settings,ProxyOverride = localhost;*.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6y15xtgs.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6y15xtgs.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - plugin: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\6y15xtgs.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npagent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-02 09:44:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-03-02 9:46:54
ComboFix-quarantined-files.txt 2009-03-02 14:46:39
ComboFix2.txt 2009-02-24 14:22:41
ComboFix3.txt 2009-02-23 18:42:12
ComboFix4.txt 2009-02-23 01:10:50
ComboFix5.txt 2009-03-02 14:04:28

Pre-Run: 80,679,174,144 bytes free
Post-Run: 80,900,636,672 bytes free

232 --- E O F --- 2009-02-12 08:02:00
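A small triage script for a ComboFix log of the kind posted above. This is an added example written for this page; it is not ComboFix's own code and not something either participant in the thread ran. It parses three kinds of lines that appear in the log (Run-key entries, the R/S driver and service entries, and the firewall policy setting) and raises the flags a reviewer would otherwise check by hand: the standard-profile Windows Firewall being off (EnableFirewall=0), and any driver entry ComboFix marks with [?], which is the marker it uses when it cannot read the file's date and size. In ComboFix's notation, R means the service is running, S means stopped, and the digit is the start type (0 boot, 1 system, 2 automatic, 3 manual). The sample input is a handful of lines copied from the log; the eight-hex-digit driver-name heuristic and the Entry/Triage names are my own assumptions, not ComboFix conventions, and a flag is a prompt to look closer, not a verdict.

```python
"""Triage of a ComboFix-style log (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the log posted above, one entry per line.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"BitComet"="c:\program files\BitComet\BitComet.exe" [2009-01-20 2523960]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
S1 363db3d2;363db3d2;c:\windows\system32\drivers\363db3d2.sys --> c:\windows\system32\drivers\363db3d2.sys [?]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-01-21 44928]
"""


@dataclass
class Entry:
    kind: str             # "run", "service" or "firewall" (names are my own)
    name: str
    path: str = ""
    status: str = ""      # services only: "R" running / "S" stopped
    start_type: int = -1  # services only: 0 boot, 1 system, 2 automatic, 3 manual
    meta: str = ""        # "date size" from the trailing [...] or "?" when ComboFix could not read the file


@dataclass
class Triage:
    entries: List[Entry] = field(default_factory=list)
    firewall_enabled: Optional[bool] = None  # None until an EnableFirewall line is seen


# "name"="path" [YYYY-MM-DD size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')
# R1 name;display;path [meta]   or   S1 name;display;path --> resolved [?]
SERVICE_RE = re.compile(
    r'^(?P<status>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(?P<val>\d+)')
# Heuristic (assumption, not a ComboFix rule): an 8-hex-digit service name.
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)


def parse_log(text: str) -> Triage:
    """Walk the log line by line and collect the entries this script understands."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('['):
            continue  # blank line or a registry key header
        m = FIREWALL_RE.match(line)
        if m:
            t.firewall_enabled = m.group('val') != '0'
            t.entries.append(Entry('firewall', 'EnableFirewall', meta=m.group('val')))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # Prefer the path after "-->": it is where ComboFix looked for the file.
            t.entries.append(Entry('service', m.group('name'),
                                   m.group('resolved') or m.group('path'),
                                   m.group('status'), int(m.group('start')),
                                   m.group('meta')))
            continue
        m = RUN_RE.match(line)
        if m:
            t.entries.append(Entry('run', m.group('name'), m.group('path'),
                                   meta=m.group('meta')))
    return t


def flags(t: Triage) -> List[str]:
    """Return human-readable findings; each one is a prompt to look closer, not a verdict."""
    out: List[str] = []
    if t.firewall_enabled is False:
        out.append('Windows Firewall standard profile is disabled (EnableFirewall=0)')
    for e in t.entries:
        if e.kind != 'service':
            continue
        if e.meta.strip() == '?':
            out.append(f'{e.name}: ComboFix could not read date/size of {e.path}')
        if HEX_NAME_RE.match(e.name) and 'drivers\\' in e.path.lower():
            out.append(f'{e.name}: random-looking 8-hex-digit driver name under drivers\\')
    return out


if __name__ == '__main__':
    triage = parse_log(SAMPLE_LOG)
    for entry in triage.entries:
        print(f'{entry.kind:8} {entry.name} -> {entry.path} [{entry.meta}]')
    for finding in flags(triage):
        print('FLAG:', finding)
```

Run it as a script and it lists every parsed entry followed by the flags; on the sample it reports the disabled firewall and the two observations about the 363db3d2 driver (file unreadable, random-looking name). To use it on a full log, pass the file contents to parse_log instead of SAMPLE_LOG; lines it does not recognise (file listings, Firefox prefs, the catchme section) are simply skipped.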
#12
Registered User
Join Date: Jan 2008
Posts: 20
OS: XP
Re: trojan removal help.
Update on system behavior: the system still seems sluggish compared to how it used to be. Also, I had some issues with AVG8; it wouldn't let me disable it. I had to delete it in order to run that ComboFix txt file. Is there any free antivirus program you recommend? Or should I keep using AVG8?
#13
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista
Re: trojan removal help.
Avira AntiVir PersonalEdition Classic is an excellent free AV.
Have you run the online scan at Kaspersky yet? I'd like to see those results.
#14
Registered User
Join Date: Jan 2008
Posts: 20
OS: XP
Re: trojan removal help.
Yup, I did run it; I attached the file in the above post lol.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 02, 2009 14:55:22
Records in database: 1862121
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 63995
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:39:28

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\491264BD.def Infected: not-a-virus:AdWare.Win32.180Solutions.ax 1

The selected area was scanned.
#15
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista
Re: trojan removal help.
Oops, sorry about that; I wasn't looking for an attachment since it wasn't specified for you to do so.
Empty your Norton Quarantine. Any issues that remain do not appear to be malware related, as your logs are clean. You've recently installed Malwarebytes Anti-Malware; uninstall SUPERAntiSpyware and that may help with some of the sluggishness.

If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and, based on their findings, rate them as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Update, and scan with your onboard Anti-Malware and Anti-Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:
PC Safety and Security--What Do I Need?
Think Prevention

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
#17
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista
Re: trojan removal help.
You're welcome, stellaris.
Since you do not use Norton anymore, navigate in Windows Explorer (Start > 'My Computer') and delete this folder completely:

C:\Documents and Settings\All Users\Application Data\Symantec

Let me know if you were successful.