
[Resolved] Strange trojan


8 replies to this topic

#1 jannis18
New Member (Authentic Member, 5 posts)

Posted 18 December 2008 - 11:41 AM

My PC got infected by a trojan!!
The symptoms are that my PC is very slow, also internet navigation!! When I search something on Google I get to other spam pages...
And here is the worst:
I can't install any antivirus program: I have tried to install Malwarebytes' Anti-Malware and SmitfraudFix, no result; I got a Windows message that an internal error has happened and the application is going to be closed!! I tried also in safe mode, same result!!!
I can't also update my antivirus and any other antivirus proggie I have installed before, like Spybot Search & Destroy!!
Same problem also if I try to install HjInstall.exe to post the log file.... nothing to do!!!
Even if I tried to access, for several times, your forum from the infected PC, it was worthless... I got a message, in my browser, that the communication can't be established (now I'm writing from my notebook!!!)

What to do?? Please help.

Here is what my antivirus (Kaspersky Internet Security 2009) is warning me:

generic host process for win32 services contains a link to index.php
that is used to steal passwords etc....


Many thanks in advance!!!

Edited by Rorschach112, 18 December 2008 - 11:59 AM.
removed link



#2 jannis18
New Member (Authentic Member, 5 posts)

Posted 19 December 2008 - 12:40 PM

No ideas?? Until now?? If nobody here can help, it means that I have to format....

Edited by jannis18, 19 December 2008 - 12:43 PM.


#3 jedi
Authentic Member (Visiting Fellow, 105 posts)

Posted 19 December 2008 - 01:36 PM

Hi,

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

If you can't get Combofix to install from the infected PC, download to a Flash Drive and run it from there.

jedi
Member of ASAP since 2005

#4 jannis18
New Member (Authentic Member, 5 posts)

Posted 20 December 2008 - 05:20 AM

I managed to install HijackThis, so here is the log file!!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:21, on 20/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe
C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Windows Live\Messenger\usnsvc.exe
C:\Programmi\Opera\opera.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Encarta Web Companion Oggetto helper - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Programmi\File comuni\Microsoft Shared\Encarta Web Companion\2007\ENCWCBAR.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Systran40premi.IEPlugIn - {D3919E1A-D6A5-11D6-AC3E-00B0D094B576} - C:\Programmi\Systran\4_0\Premium\IEPlugIn.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Programmi\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [USRobotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programmi\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: O?iana.lnk
O8 - Extra context menu item: &Download All with Rapidshare Downloader - C:\DOCUME~1\H18\IMPOST~1\Temp\RarSFX0\jc_all.htm
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\H18\IMPOST~1\Temp\RarSFX0\jc_link.htm
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Barra di ricerca di Encarta - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programmi\File comuni\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD81C8A6-4507-4E78-9486-F9D0B6A49758}: NameServer = 213.215.115.88,147.175.167.50
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FILECO~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Programmi\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmi\File comuni\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Programmi\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O23 - Service: WEP/WPA-PMK key recovery service (WZCOOK) - Unknown owner - C:\Documents and Settings\H18\Desktop\WiFi_WEP_Key_Finder\aircrack-ng-0.6.2-win\bin\wzcook.exe (file missing)
O24 - Desktop Component 0: (no name) - http://shared.live.c.../JS/AMULCore.js

--
End of file - 10786 bytes


Now I'm going to follow your instructions with ComboFix and reply to you again!
Many thanks
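The log above already contains the indicators that explain the poster's symptoms: the browser is proxied through 127.0.0.1:8080 (the R1 ProxyServer line), the O17 line lists DNS servers that should be checked against the ISP's, and several BHO and service entries point at files that no longer exist. The following script is an added example for this page, not part of the thread and not HijackThis code; it parses lines in that log format and flags those indicators, with rules and severities that are my own assumptions.

```python
"""Triage of a HijackThis 2.0 log for the indicators visible in this thread.

Added example for this page: not part of the thread and not HijackThis code.
The severities and rules are the author's own assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_07\bin\ssv.dll
O4 - Global Startup: O?iana.lnk
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD81C8A6-4507-4E78-9486-F9D0B6A49758}: NameServer = 213.215.115.88,147.175.167.50
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programmi\File comuni\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

Finding = Tuple[str, str, str]  # (severity, section, explanation)

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"Internet Settings,ProxyServer = (?P<proxy>\S+)")
DNS_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)")


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8 addresses and the literal 'localhost'."""
    return host == "localhost" or host.startswith("127.")


def triage_line(sec: str, body: str) -> List[Finding]:
    """Apply the thread-specific rules to one parsed log line."""
    out: List[Finding] = []
    if sec == "R1":
        m = PROXY_RE.search(body)
        if m:
            proxy = m.group("proxy")
            if is_loopback(proxy.rsplit(":", 1)[0]):
                # A loopback proxy means a local process sits between the
                # browser and the network and can rewrite search results or
                # refuse connections to security vendors, as the poster saw.
                out.append(("high", sec, f"browser proxied through loopback {proxy}"))
            else:
                out.append(("review", sec, f"browser proxy set to {proxy}"))
    elif sec == "O17":
        m = DNS_RE.search(body)
        if m:
            # Resolver settings cannot be judged from the log alone; compare
            # them with the ISP's or the router's DNS servers.
            out.append(("review", sec, f"DNS servers {m.group('servers')}: confirm against ISP"))
    elif sec == "O2" and body.endswith("(no file)"):
        out.append(("orphan", sec, "BHO registered but its DLL is gone"))
    elif sec == "O23" and body.endswith("(file missing)"):
        out.append(("orphan", sec, "service registered but its binary is gone"))
    elif sec == "O4" and "Global Startup:" in body:
        name = body.split("Global Startup:", 1)[1].strip()
        if "?" in name or not name.isascii():
            # A shortcut in the all-users Startup folder whose name does not
            # render deserves a look at the .lnk target.
            out.append(("review", sec, f"startup shortcut with unreadable name {name}"))
    return out


def triage_log(text: str) -> List[Finding]:
    """Parse a whole HijackThis log and return the findings in log order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.extend(triage_line(m.group("sec"), m.group("body")))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Summary counts, useful when comparing logs before and after cleanup."""
    counts: Dict[str, int] = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, sec, why in triage_log(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:4} {why}")
```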

#5 jannis18
New Member (Authentic Member, 5 posts)

Posted 20 December 2008 - 06:30 AM

Hello my friend, I have tried to install ComboFix but unfortunately no result!!! I have tried to do the same from a flash memory but same... The program doesn't start!!!! I followed all the instructions and when I click on the ComboFix icon nothing happens!!! (same when I tried from the flash memory) (If I look at the Task Manager I can see the combofix.exe file in execution but that's all...) So I think that this f..g trojan has my computer under control!!

P.S.: I can't log on also to the page you wrote me to download ComboFix; I did it from my notebook. I can't also log on to pages that have antivirus scans online!!! The only proggie that seems to work is HijackThis.exe... Many thanks for all

Edited by jannis18, 20 December 2008 - 06:39 AM.


#6 jedi
Authentic Member (Visiting Fellow, 105 posts)

Posted 20 December 2008 - 11:56 AM

OK, right-click on the ComboFix icon, select Rename. Rename Combofix.exe to Somethingelse.exe. Try it again. Does it run?

jedi
Member of ASAP since 2005

#7 jannis18
New Member (Authentic Member, 5 posts)

Posted 20 December 2008 - 01:54 PM

Your genius idea has worked!!!!!!
I renamed ComboFix and, while running, it detected a rootkit infection!!!
Now my PC seems to be working again!!!! I'm writing from the infected PC :-)))))
Everything seems OK!!!
Here is the ComboFix report file:

ComboFix 08-12-18.03 - H18 2008-12-20 20:02:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1253.30.1040.18.1023.648 [GMT 1:00]
Running from: c:\documents and settings\H18\Desktop\Somethingelse.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\TDSSmhxt.sys
c:\windows\system32\TDSScfub.dll
c:\windows\system32\TDSSfpmp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))
.

2008-12-20 19:53 . 2008-12-20 19:53 <DIR> d-------- c:\programmi\aaaa
2008-12-18 22:21 . 2007-01-21 12:11 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2008-12-18 22:21 . 2007-01-21 12:11 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2008-12-18 22:21 . 2007-01-21 12:11 <DIR> d-------- c:\documents and settings\Administrator\Preferiti
2008-12-18 22:21 . 2007-01-21 11:20 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2008-12-18 22:21 . 2007-01-21 12:11 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2008-12-18 22:21 . 2008-12-20 20:06 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2008-12-18 22:21 . 2007-01-21 12:11 <DIR> d-------- c:\documents and settings\Administrator\Documenti
2008-12-18 22:21 . 2008-08-31 22:47 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2008-12-18 22:21 . 2008-12-18 22:21 <DIR> d-------- c:\documents and settings\Administrator
2008-12-18 16:32 . 2008-12-18 16:32 <DIR> d-------- c:\programmi\Spybot - Search & Destroy
2008-12-18 14:46 . 2008-12-18 14:46 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\ESET
2008-12-12 17:18 . 2001-08-30 23:07 8,704 --a------ c:\windows\system32\kbdjpn.dll
2008-12-12 17:18 . 2001-08-30 23:07 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2008-12-12 17:18 . 2001-08-30 23:07 8,192 --a------ c:\windows\system32\kbdkor.dll
2008-12-12 17:18 . 2001-08-30 23:07 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2008-12-12 17:18 . 2001-08-17 22:55 5,632 --a------ c:\windows\system32\kbd103.dll
2008-12-12 17:18 . 2001-08-17 22:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2008-12-12 14:28 . 2001-08-17 22:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2008-12-12 14:28 . 2001-08-17 22:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2008-12-11 10:26 . 2008-04-14 04:12 6,144 --a------ c:\windows\system32\kbd106.dll
2008-12-11 10:26 . 2001-08-17 22:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2008-12-11 10:26 . 2008-04-14 04:12 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2008-12-11 10:26 . 2001-08-17 22:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2008-12-09 17:33 . 2008-12-09 17:33 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-26 17:59 . 2008-11-26 17:59 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-11-26 17:59 . 2008-11-26 17:59 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-11-26 17:58 . 2008-11-26 17:58 <DIR> d-------- c:\programmi\Kaspersky Lab
2008-11-26 17:58 . 2008-12-20 20:21 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab
2008-11-26 17:58 . 2008-12-20 20:18 2,232,864 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-26 17:58 . 2008-12-20 20:18 483,360 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-11-26 17:58 . 2008-12-20 20:18 21,668 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-26 17:58 . 2008-12-20 20:18 3,780 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-11-26 17:43 . 2008-12-03 18:33 <DIR> d---s---- c:\windows\Downloaded Program Files

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 18:50 --------- d---a-w c:\documents and settings\All Users\Dati applicazioni\TEMP
2008-12-20 18:47 --------- d-----w c:\programmi\Malwarebytes' Anti-Malware
2008-12-20 18:47 --------- d-----w c:\documents and settings\H18\Dati applicazioni\Skype
2008-12-20 18:41 --------- d-----w c:\documents and settings\H18\Dati applicazioni\skypePM
2008-12-19 20:02 --------- d-----w c:\programmi\File comuni\Real
2008-12-19 16:17 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Google Updater
2008-12-19 12:36 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Spybot - Search & Destroy
2008-12-17 16:38 --------- d-----w c:\programmi\Opera
2008-12-14 19:58 --------- d-----w c:\programmi\SUPERAntiSpyware
2008-12-14 19:58 --------- d-----w c:\programmi\File comuni\Wise Installation Wizard
2008-11-26 16:57 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Kaspersky Lab Setup Files
2008-11-26 16:31 --------- d-----w c:\documents and settings\H18\Dati applicazioni\Azureus
2008-11-13 17:21 --------- d-----w c:\programmi\Visiosonic
2008-11-11 18:58 25,601 ----a-w c:\windows\system32\drivers\klopp.dat
2008-10-25 17:13 --------- d-----w c:\programmi\Microsoft ActiveSync
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 15:45 44,239 ----a-w C:\sound32.dll
2008-01-28 22:16 32 ----a-w c:\documents and settings\All Users\Dati applicazioni\ezsid.dat
2008-09-09 09:40 32,768 --sha-w c:\windows\system32\config\systemprofile\Impostazioni locali\Cronologia\History.IE5\MSHist012008090920080910\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\programmi\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-19 405583]
"MsnMsgr"="c:\programmi\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="c:\programmi\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-02-24 86016]
"USRobotics Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1290240]
"SunJavaUpdateSched"="c:\programmi\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-02-24 5537792]
"AVP"="c:\programmi\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-11-11 206088]
"nwiz"="nwiz.exe" [2005-02-24 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Symantec NetDriver Warning"="c:\progra~1\SYMNET~1\SNDWarn.exe" [2004-10-29 218232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"VIDC.ACDV"= ACDV.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programmi\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\H18\\Dati applicazioni\\SopCast\\adv\\SopAdver.exe"=
"c:\\Programmi\\myTV\\myTV.exe"=
"c:\\Programmi\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Programmi\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Programmi\\DC++\\DCPlusPlus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\Skype\\Phone\\Skype.exe"=

R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2002-04-22 9490]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-12-21 33800]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
S1 SASKUTIL;SASKUTIL;\??\c:\programmi\SUPERAntiSpyware\SASKUTIL.sys []
S3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\DRIVERS\camdrv21.sys [2007-01-31 253909]
S3 WZCOOK;WEP/WPA-PMK key recovery service;"c:\documents and settings\H18\Desktop\WiFi_WEP_Key_Finder\aircrack-ng-0.6.2-win\bin\wzcook.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c56caf3-9fb2-11dd-9e61-0014c10c7bd8}]
\Shell\AutoRun\command - 1rfw8hjr.com
\Shell\explore\Command - 1rfw8hjr.com
\Shell\open\Command - 1rfw8hjr.com
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.it/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
IE: &Download All with Rapidshare Downloader - c:\docume~1\H18\IMPOST~1\Temp\RarSFX0\jc_all.htm
IE: &Download with Rapidshare Downloader - c:\docume~1\H18\IMPOST~1\Temp\RarSFX0\jc_link.htm
IE: Convert link target to Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\programmi\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {AD81C8A6-4507-4E78-9486-F9D0B6A49758} = 213.215.115.88,147.175.167.50
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\programmi\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\programmi\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\programmi\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\programmi\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\programmi\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\programmi\Microsoft ActiveSync\cenetflt.dll
FF - ProfilePath - c:\documents and settings\H18\Dati applicazioni\Mozilla\Firefox\Profiles\lzo7tgox.default\
FF - prefs.js: browser.startup.homepage - www.alpha.gr
FF - plugin: c:\programmi\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\programmi\Mozilla Firefox\plugins\npWebLaunch.dll
FF - plugin: c:\programmi\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\programmi\Opera\program\plugins\NPSWF32_back.dll
FF - plugin: c:\programmi\Opera\program\plugins\npWebLaunch.dll
FF - plugin: c:\programmi\thriXXX\WebLaunch\Binaries\npWebLaunch.dll
FF - plugin: c:\programmi\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\programmi\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 20:22:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1100)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\programmi\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wwSecure.exe
c:\windows\system32\devldr32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-20 20:26:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-20 19:25:55

Pre-Run: 2,974,896,128 byte disponibili
Post-Run: 2,969,960,448 byte disponibili

212 --- E O F --- 2008-12-18 12:27:01


Many thanks for all!!
Wish you the best!!
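Beyond the TDSS files and service it removed, the report's Reg Loading Points block lists settings a defender should deal with after the cleanup: Security Center monitoring flags, the Windows Firewall disabled for the standard profile, and mountpoints2 autorun verbs for a removable drive that all run 1rfw8hjr.com from the drive. The script below is an added example for this page, not ComboFix's code and not from the thread; it parses that REGEDIT4-style block and flags those three things, with rules and severities that are my own assumptions.

```python
"""Checks over the 'Reg Loading Points' block of a ComboFix report.

Added example for this page: not ComboFix's code and not from the thread.
The rules and severities are the author's own assumptions.
"""
import re
from typing import List, Tuple

# Constructed sample: registry lines taken from the report posted above.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c56caf3-9fb2-11dd-9e61-0014c10c7bd8}]
\Shell\AutoRun\command - 1rfw8hjr.com
\Shell\explore\Command - 1rfw8hjr.com
\Shell\open\Command - 1rfw8hjr.com
"""

Finding = Tuple[str, str, str]  # (severity, registry key, explanation)

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# ComboFix prints drive verbs under mountpoints2 as '\Shell\<verb>\command - <target>'.
VERB_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\[Cc]ommand - (?P<target>.+)$")


def as_int(value: str) -> int:
    """Decode the two integer spellings in the report: 'dword:00000001' and '0 (0x0)'."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    return int(value.split()[0])


def parse_sections(text: str) -> List[Tuple[str, List[str]]]:
    """Group the report into (key, lines) pairs, one per [bracketed] header."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group("key"), []))
        elif line and sections:
            sections[-1][1].append(line)
    return sections


def check_section(key: str, lines: List[str]) -> List[Finding]:
    """Apply the three rules this report motivates to one registry section."""
    out: List[Finding] = []
    lower = key.lower()
    for line in lines:
        v = VALUE_RE.match(line)
        if v:
            name, value = v.group("name"), v.group("value")
            if "security center\\monitoring" in lower and name == "DisableMonitoring" and as_int(value) == 1:
                # Security suites sometimes set this on their own subkey;
                # confirm who owns each key before resetting it.
                out.append(("review", key, "Security Center monitoring disabled"))
            elif lower.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and as_int(value) == 0:
                out.append(("harden", key, "Windows Firewall is off for the standard profile"))
            continue
        a = VERB_RE.match(line)
        if a and "\\mountpoints2\\" in lower:
            # Every verb for the removable drive runs a file on the drive
            # itself: the autorun-worm foothold, to be removed with the file.
            out.append(("high", key, f"{a.group('verb')} verb runs {a.group('target')} from the drive"))
    return out


def check_report(text: str) -> List[Finding]:
    """Findings for the whole block, in report order."""
    findings: List[Finding] = []
    for key, lines in parse_sections(text):
        findings.extend(check_section(key, lines))
    return findings


if __name__ == "__main__":
    for sev, key, why in check_report(SAMPLE_REG):
        print(f"[{sev:6}] {why}\n         {key}")
```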

#8 jedi
Authentic Member (Visiting Fellow, 105 posts)

Posted 21 December 2008 - 11:07 AM

You're welcome. I suggest you run an online scan to check for any leftovers:

Please do the following:
Run a BitDefender Online scan Here and post the results.

jedi
Member of ASAP since 2005

#9 jedi
Authentic Member (Visiting Fellow, 105 posts)

Posted 01 January 2009 - 07:19 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
jedi
Member of ASAP since 2005
