Yet another virus. :(


Solved Yet another virus. :(

Post by Stephon on 28th December 2008, 11:34 pm

I decided to run both of the programs to check my desktop, and I found three items. I skipped the first step (the hijack thingy, but I will post one anyway). So, I went to the malware removal thingy and did a quick scan, and it found 3 items. I deleted them, but it didn't ask me to restart (just to let you know ;)). Then I proceeded to the combo program.

Here's the Combo log:
ComboFix 08-12-28.01 - Stephon 2008-12-28 15:27:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.150 [GMT -8:00]
Running from: c:\documents and settings\Stephon\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
c:\windows\NDNuninstall7_14.exe
c:\windows\system32\gdiplus.dll
c:\windows\system32\klkkj.bak1
c:\windows\system32\klkkj.bak2
c:\windows\system32\klkkj.ini
c:\windows\system32\klkkj.ini2
c:\windows\system32\klkkj.tmp
c:\windows\system32\rlxf.dll
c:\windows\system32\winio.vxd
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-28 15:20 . 2008-12-28 15:20 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 15:20 . 2008-12-28 15:20 d-------- c:\documents and settings\Stephon\Application Data\Malwarebytes
2008-12-28 15:20 . 2008-12-28 15:20 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-28 15:20 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 15:20 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-26 17:24 . 2008-12-26 17:24 d-------- C:\Nexon
2008-12-26 17:00 . 2008-12-26 17:00 d-------- c:\documents and settings\All Users\Application Data\PMB Files
2008-12-26 16:59 . 2008-12-26 16:59 d-------- c:\program files\Pando Networks
2008-12-23 09:47 . 2008-12-23 09:47 d-------- c:\program files\directx
2008-12-22 12:28 . 2008-12-26 14:16 d-------- c:\program files\WarRock
2008-12-22 11:04 . 2008-12-22 11:04 d-------- c:\program files\Common Files\aliaswavefront shared
2008-12-22 11:04 . 2008-12-22 11:04 d-------- c:\program files\Common Files\Alias Shared
2008-12-21 11:48 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2008-12-21 11:48 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2008-12-21 11:48 . 2008-07-10 11:00 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2008-12-21 11:48 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2008-12-21 11:48 . 2008-07-30 06:20 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2008-12-21 11:48 . 2008-07-10 11:01 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2008-12-21 11:48 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2008-12-21 11:48 . 2008-07-30 06:20 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2008-12-21 11:48 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2008-12-21 11:48 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2008-12-21 11:48 . 2008-07-30 06:20 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2008-12-21 11:48 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2008-12-21 11:44 . 2008-12-21 11:46 d-------- c:\windows\Logs
2008-12-21 11:44 . 2008-12-21 11:44 119,120 --a------ c:\windows\dxsdkuninst.exe
2008-12-20 21:44 . 2008-12-20 21:49 d-------- c:\documents and settings\Stephon\Application Data\Dev-Cpp
2008-12-20 19:29 . 2008-12-26 14:16 d-------- c:\program files\OGPlanet
2008-12-20 19:15 . 2008-12-20 19:15 d-------- c:\program files\Microsoft SQL Server
2008-12-20 19:10 . 2008-12-26 14:34 d-------- c:\program files\Microsoft Visual Studio 9.0
2008-12-20 15:34 . 2008-12-20 19:58 318 --a------ c:\windows\WPE PRO.INI
2008-12-18 20:42 . 2008-12-18 20:42 d-------- c:\program files\Realtek AC97
2008-12-18 20:16 . 2008-12-18 20:16 d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-18 10:52 . 2008-12-18 21:02 d-------- c:\program files\Garena
2008-12-17 18:14 . 2008-12-17 18:14 d-------- c:\documents and settings\NetworkService\Application Data\Xfire
2008-12-17 14:08 . 2008-12-21 21:21 d-------- c:\documents and settings\Stephon\Application Data\codeblocks
2008-12-15 06:29 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\e34d41c.dll
2008-12-15 06:29 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\1569020.dll
2008-12-15 06:29 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\4c1532.dll
2008-12-15 06:29 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\2570d8fe.dll
2008-12-11 12:37 . 2008-12-11 12:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-10 21:48 . 2008-12-10 21:48 d-------- c:\documents and settings\Stephon\keel
2008-12-10 21:46 . 2008-12-10 21:46 d-------- c:\documents and settings\Stephon\oni
2008-12-10 20:57 . 2008-12-24 21:34 d-------- c:\program files\Cheat Engine
2008-12-10 20:57 . 2007-12-26 17:30 1,970,176 --a------ c:\windows\system32\d3dx9.dll
2008-12-10 20:57 . 2007-12-26 17:30 679,936 --a------ c:\windows\system32\D3DX81ab.dll
2008-12-10 19:49 . 2008-12-26 14:16 d-------- c:\program files\Speed Gear
2008-12-10 19:49 . 2008-12-21 16:39 67 --a------ c:\windows\SpeedGear.INI
2008-12-10 19:36 . 2008-12-10 19:40 d-------- c:\documents and settings\Stephon\Application Data\PE Explorer
2008-12-10 17:30 . 2008-12-20 22:27 d-------- c:\program files\Quick Memory Editor
2008-12-10 12:35 . 2008-12-16 20:38 d-------- c:\program files\Xfire
2008-12-10 12:35 . 2008-12-25 14:37 d-------- c:\documents and settings\Stephon\Application Data\Xfire
2008-12-10 10:25 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\fd6bf0.dll
2008-12-10 10:25 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\453a77b.dll
2008-12-10 10:25 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\28bfa84.dll
2008-12-10 10:25 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\1159c81.dll
2008-12-10 10:24 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\9ca32b2.dll
2008-12-10 10:24 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\1eb1fe00.dll
2008-12-10 10:24 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\67bdbc.dll
2008-12-10 10:24 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\2000ffd0.dll
2008-12-09 22:21 . 2008-12-09 22:21 d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-09 22:12 . 2008-12-09 22:12 d-------- c:\program files\Adobe Media Player
2008-12-09 22:06 . 2008-12-09 22:06 d-------- c:\program files\Common Files\Adobe AIR
2008-12-07 18:01 . 2008-07-10 16:28 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2008-12-07 18:00 . 2008-07-10 16:28 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2008-12-07 17:58 . 2008-12-07 17:58 d-------- c:\windows\system32\RsFx
2008-12-07 17:45 . 2008-12-26 14:38 d-------- c:\program files\Microsoft.NET
2008-12-05 17:32 . 2008-12-09 20:57 d-------- c:\documents and settings\Stephon\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 22:41 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-26 22:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 00:58 --------- d-----w c:\documents and settings\Stephon\Application Data\Move Networks
2008-12-21 06:28 --------- d-----w c:\program files\Uniblue
2008-12-21 06:28 --------- d-----w c:\documents and settings\Stephon\Application Data\uniblue
2008-12-21 06:28 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-17 19:34 --------- d-----w c:\program files\Common Files\Adobe
2008-12-06 00:04 --------- d-----w c:\program files\Java
2008-12-05 21:45 --------- d-----w c:\documents and settings\Stephon\Application Data\gtk-2.0
2008-11-23 18:01 --------- d-----w c:\program files\KeyScrambler
2008-11-23 06:45 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-22 02:44 --------- d-----w c:\program files\BFG
2008-11-22 02:12 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-13 04:23 --------- dc-h--w c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-11-10 13:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:24 827,904 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 23:46 81,920 -c--a-w c:\windows\system32\frapsvid.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2005-05-20 03:13 0 -csha-w c:\windows\SMINST\HPCD.sys
2008-07-23 20:58 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072320080724\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"59057:TCP"= 59057:TCP:Pando Media Booster
"59057:UDP"= 59057:UDP:Pando Media Booster

R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2008-06-10 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-07-12 113896]
S2 WUSB300NSvc;WUSB300NSvc;"c:\program files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" [2008-07-12 53307]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\Drivers\LTower.sys [2005-11-29 36981]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" []
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS); []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f63278d-8557-11d9-be24-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ec6b61-710a-11d9-b301-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Stephon\Application Data\Mozilla\Firefox\Profiles\0xa47ahn.default\
FF - component: c:\documents and settings\Stephon\Application Data\Mozilla\Firefox\Profiles\0xa47ahn.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Stephon\Application Data\Mozilla\Firefox\Profiles\0xa47ahn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-28 15:29:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1184)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-28 15:30:26
ComboFix-quarantined-files.txt 2008-12-28 23:29:48

Pre-Run: 124,328,464,384 bytes free
Post-Run: 126,237,978,624 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

208 --- E O F --- 2008-12-11 06:03:19

So is everything okay now?

Stephon
Intermediate

Posts : 93
Joined : 2008-09-06
Gender : Male
OS : Windows XP
Points : 30190
Likes : 0


Solved Re: Yet another virus. :(

Post by Belahzur on 28th December 2008, 11:42 pm

Hello.
Maybe a leftover or two.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\e34d41c.dll
c:\windows\system32\1569020.dll
c:\windows\system32\4c1532.dll
c:\windows\system32\2570d8fe.dll
c:\windows\system32\fd6bf0.dll
c:\windows\system32\453a77b.dll
c:\windows\system32\28bfa84.dll
c:\windows\system32\1159c81.dll
c:\windows\system32\67bdbc.dll
c:\windows\system32\2000ffd0.dll
c:\windows\system32\9ca32b2.dll
c:\windows\system32\1eb1fe00.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f63278d-8557-11d9-be24-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ec6b61-710a-11d9-b301-806d6172696f}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
Likes : 1

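The two kinds of leftovers the CFScript above targets, hidden DLLs with random hex names in system32 and the MountPoints2 AutoRun entries a flash-drive infection leaves in the registry, can be picked out of a ComboFix log mechanically. What follows is an added example, not ComboFix's code or the forum helper's: a small Python triage that parses a constructed sample of log lines in the shape of those posted in this thread, flags entries by the heuristics the helper implicitly applied, and prints a draft CFScript in the File::/Registry:: layout shown above. The regexes, the "hidden attribute plus a 6-8 hex-digit file stem in system32" rule, and all function names are my own assumptions; the draft is a starting point for a human to review against the full log, not something to feed back into ComboFix unread.

```python
"""Triage a ComboFix-style log: flag likely leftovers and draft a CFScript.

Added example; the regexes and heuristics below are assumptions, not ComboFix's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines in the shape of the ComboFix log
# posted in this thread (two hidden hex-named DLLs, two ordinary DLLs, one
# directory, and two MountPoints2 AutoRun entries).
SAMPLE_LOG = r"""
2008-12-15 06:29 . 2008-04-13 16:11 1,689,088 ---h---t- c:\windows\system32\e34d41c.dll
2008-12-15 06:29 . 2008-04-13 16:12 82,432 ---h---t- c:\windows\system32\4c1532.dll
2008-12-11 12:37 . 2008-12-11 12:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-21 11:48 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2008-12-10 20:57 . 2008-12-24 21:34 d-------- c:\program files\Cheat Engine
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f63278d-8557-11d9-be24-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ec6b61-710a-11d9-b301-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
"""

# "<created> . <modified> [<size>] <attrs> <path>"; directory lines carry no size.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
AUTORUN_LINE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
# Heuristic (assumption): the dropped DLLs in the thread all have 6-8 hex-digit names.
HEX_STEM = re.compile(r"[0-9a-f]{6,8}")


@dataclass
class FileEntry:
    path: str
    size: Optional[int]
    attrs: str  # ComboFix attribute string, e.g. "---h---t-"; 'h' marks hidden


def parse_log(text: str) -> Tuple[List[FileEntry], List[Tuple[str, str]]]:
    """Return (file entries, [(registry key, AutoRun command), ...])."""
    files: List[FileEntry] = []
    autoruns: List[Tuple[str, str]] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_LINE.match(line):
            size = int(m["size"].replace(",", "")) if m["size"] else None
            files.append(FileEntry(m["path"], size, m["attrs"]))
        elif m := KEY_LINE.match(line):
            current_key = m["key"]  # AutoRun lines belong to the key printed just above them
        elif (m := AUTORUN_LINE.match(line)) and current_key:
            autoruns.append((current_key, m["cmd"]))
    return files, autoruns


def is_suspicious_dll(entry: FileEntry) -> bool:
    """Hidden DLL in system32 whose file name is nothing but a short hex string."""
    path = entry.path.lower()
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return (
        "\\system32\\" in path
        and ext == "dll"
        and "h" in entry.attrs
        and HEX_STEM.fullmatch(stem) is not None
    )


def flag_files(files: List[FileEntry]) -> List[str]:
    return sorted(e.path for e in files if is_suspicious_dll(e))


def flag_autoruns(autoruns: List[Tuple[str, str]]) -> List[str]:
    """Every MountPoints2 key carrying an AutoRun command is Explorer's cached copy
    of a removable drive's autorun.inf; the cache is rebuilt from a clean drive."""
    return [key for key, _cmd in autoruns if "\\mountpoints2\\" in key.lower()]


def build_cfscript(file_paths: List[str], keys: List[str]) -> str:
    """Emit the File:: / Registry:: ([-key] = delete key) layout used in the thread."""
    lines: List[str] = []
    if file_paths:
        lines += ["File::", *file_paths, ""]
    if keys:
        lines += ["Registry::", *(f"[-{k}]" for k in keys), ""]
    return "\n".join(lines)


def triage(text: str) -> str:
    files, autoruns = parse_log(text)
    return build_cfscript(flag_files(files), flag_autoruns(autoruns))


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the two hidden hex-named DLLs and both MountPoints2 keys come out in the draft while xfcodec.dll and D3DX9_40.dll do not. In a real log the hex-stem rule should be corroborated the way the thread's log allows: the dropped files arrive in sets sharing identical sizes and creation minutes, which is a stronger signal than the name alone.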

Solved Re: Yet another virus. :(

Post by Stephon on 28th December 2008, 11:45 pm

Belahzur wrote: Hello.
Maybe a leftover or two.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\e34d41c.dll
c:\windows\system32\1569020.dll
c:\windows\system32\4c1532.dll
c:\windows\system32\2570d8fe.dll
c:\windows\system32\fd6bf0.dll
c:\windows\system32\453a77b.dll
c:\windows\system32\28bfa84.dll
c:\windows\system32\1159c81.dll
c:\windows\system32\67bdbc.dll
c:\windows\system32\2000ffd0.dll
c:\windows\system32\9ca32b2.dll
c:\windows\system32\1eb1fe00.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f63278d-8557-11d9-be24-806d6172696f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e1ec6b61-710a-11d9-b301-806d6172696f}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

This is my desktop, so it's another computer. The first one that you helped me with is my laptop. xD

So do I still do the things you posted, or do you want me to do the entire process?


Solved Re: Yet another virus. :(

Post by Belahzur on 28th December 2008, 11:46 pm

Yes, please run the CFScript that this CF log was run from; the infection is a flash drive infection and we need to clean them off.





Solved Re: Yet another virus. :(

Post by Stephon on 28th December 2008, 11:59 pm

ComboFix 08-12-28.01 - Stephon 2008-12-28 15:56:44.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.149 [GMT -8:00]
Running from: c:\documents and settings\Stephon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Stephon\Desktop\CFscript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\1159c81.dll
c:\windows\system32\1569020.dll
c:\windows\system32\1eb1fe00.dll
c:\windows\system32\2000ffd0.dll
c:\windows\system32\2570d8fe.dll
c:\windows\system32\28bfa84.dll
c:\windows\system32\453a77b.dll
c:\windows\system32\4c1532.dll
c:\windows\system32\67bdbc.dll
c:\windows\system32\9ca32b2.dll
c:\windows\system32\e34d41c.dll
c:\windows\system32\fd6bf0.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\1159c81.dll
c:\windows\system32\1569020.dll
c:\windows\system32\1eb1fe00.dll
c:\windows\system32\2000ffd0.dll
c:\windows\system32\2570d8fe.dll
c:\windows\system32\28bfa84.dll
c:\windows\system32\453a77b.dll
c:\windows\system32\4c1532.dll
c:\windows\system32\67bdbc.dll
c:\windows\system32\9ca32b2.dll
c:\windows\system32\e34d41c.dll
c:\windows\system32\fd6bf0.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-28 )))))))))))))))))))))))))))))))
.

2008-12-28 15:20 . 2008-12-28 15:20 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 15:20 . 2008-12-28 15:20 d-------- c:\documents and settings\Stephon\Application Data\Malwarebytes
2008-12-28 15:20 . 2008-12-28 15:20 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-28 15:20 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 15:20 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-26 17:24 . 2008-12-26 17:24 d-------- C:\Nexon
2008-12-26 17:00 . 2008-12-26 17:00 d-------- c:\documents and settings\All Users\Application Data\PMB Files
2008-12-26 16:59 . 2008-12-26 16:59 d-------- c:\program files\Pando Networks
2008-12-23 09:47 . 2008-12-23 09:47 d-------- c:\program files\directx
2008-12-22 12:28 . 2008-12-26 14:16 d-------- c:\program files\WarRock
2008-12-22 11:04 . 2008-12-22 11:04 d-------- c:\program files\Common Files\aliaswavefront shared
2008-12-22 11:04 . 2008-12-22 11:04 d-------- c:\program files\Common Files\Alias Shared
2008-12-21 11:48 . 2008-10-10 04:52 4,379,984 --a------ c:\windows\system32\D3DX9_40.dll
2008-12-21 11:48 . 2008-10-10 04:52 2,036,576 --a------ c:\windows\system32\D3DCompiler_40.dll
2008-12-21 11:48 . 2008-07-10 11:00 1,493,528 --a------ c:\windows\system32\D3DCompiler_39.dll
2008-12-21 11:48 . 2008-10-27 10:04 514,384 --a------ c:\windows\system32\XAudio2_3.dll
2008-12-21 11:48 . 2008-07-30 06:20 509,448 --a------ c:\windows\system32\XAudio2_2.dll
2008-12-21 11:48 . 2008-07-10 11:01 467,984 --a------ c:\windows\system32\d3dx10_39.dll
2008-12-21 11:48 . 2008-10-10 04:52 452,440 --a------ c:\windows\system32\d3dx10_40.dll
2008-12-21 11:48 . 2008-07-30 06:20 238,088 --a------ c:\windows\system32\xactengine3_2.dll
2008-12-21 11:48 . 2008-10-27 10:04 235,856 --a------ c:\windows\system32\xactengine3_3.dll
2008-12-21 11:48 . 2008-10-27 10:04 70,992 --a------ c:\windows\system32\XAPOFX1_2.dll
2008-12-21 11:48 . 2008-07-30 06:20 68,616 --a------ c:\windows\system32\XAPOFX1_1.dll
2008-12-21 11:48 . 2008-10-27 10:04 23,376 --a------ c:\windows\system32\X3DAudio1_5.dll
2008-12-21 11:44 . 2008-12-21 11:46 d-------- c:\windows\Logs
2008-12-21 11:44 . 2008-12-21 11:44 119,120 --a------ c:\windows\dxsdkuninst.exe
2008-12-20 21:44 . 2008-12-20 21:49 d-------- c:\documents and settings\Stephon\Application Data\Dev-Cpp
2008-12-20 19:29 . 2008-12-26 14:16 d-------- c:\program files\OGPlanet
2008-12-20 19:15 . 2008-12-20 19:15 d-------- c:\program files\Microsoft SQL Server
2008-12-20 19:10 . 2008-12-26 14:34 d-------- c:\program files\Microsoft Visual Studio 9.0
2008-12-20 15:34 . 2008-12-20 19:58 318 --a------ c:\windows\WPE PRO.INI
2008-12-18 20:42 . 2008-12-18 20:42 d-------- c:\program files\Realtek AC97
2008-12-18 20:16 . 2008-12-18 20:16 d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2008-12-18 10:52 . 2008-12-18 21:02 d-------- c:\program files\Garena
2008-12-17 18:14 . 2008-12-17 18:14 d-------- c:\documents and settings\NetworkService\Application Data\Xfire
2008-12-17 14:08 . 2008-12-21 21:21 d-------- c:\documents and settings\Stephon\Application Data\codeblocks
2008-12-11 12:37 . 2008-12-11 12:37 42,320 --a------ c:\windows\system32\xfcodec.dll
2008-12-10 21:48 . 2008-12-10 21:48 d-------- c:\documents and settings\Stephon\keel
2008-12-10 21:46 . 2008-12-10 21:46 d-------- c:\documents and settings\Stephon\oni
2008-12-10 20:57 . 2008-12-24 21:34 d-------- c:\program files\Cheat Engine
2008-12-10 20:57 . 2007-12-26 17:30 1,970,176 --a------ c:\windows\system32\d3dx9.dll
2008-12-10 20:57 . 2007-12-26 17:30 679,936 --a------ c:\windows\system32\D3DX81ab.dll
2008-12-10 19:49 . 2008-12-26 14:16 d-------- c:\program files\Speed Gear
2008-12-10 19:49 . 2008-12-21 16:39 67 --a------ c:\windows\SpeedGear.INI
2008-12-10 19:36 . 2008-12-10 19:40 d-------- c:\documents and settings\Stephon\Application Data\PE Explorer
2008-12-10 17:30 . 2008-12-20 22:27 d-------- c:\program files\Quick Memory Editor
2008-12-10 12:35 . 2008-12-16 20:38 d-------- c:\program files\Xfire
2008-12-10 12:35 . 2008-12-25 14:37 d-------- c:\documents and settings\Stephon\Application Data\Xfire
2008-12-09 22:21 . 2008-12-09 22:21 d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-12-09 22:12 . 2008-12-09 22:12 d-------- c:\program files\Adobe Media Player
2008-12-09 22:06 . 2008-12-09 22:06 d-------- c:\program files\Common Files\Adobe AIR
2008-12-07 18:01 . 2008-07-10 16:28 50,200 --a------ c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
2008-12-07 18:00 . 2008-07-10 16:28 79,896 --a------ c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
2008-12-07 17:58 . 2008-12-07 17:58 d-------- c:\windows\system32\RsFx
2008-12-07 17:45 . 2008-12-26 14:38 d-------- c:\program files\Microsoft.NET
2008-12-05 17:32 . 2008-12-09 20:57 d-------- c:\documents and settings\Stephon\Application Data\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 22:41 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-26 22:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-26 00:58 --------- d-----w c:\documents and settings\Stephon\Application Data\Move Networks
2008-12-21 06:28 --------- d-----w c:\program files\Uniblue
2008-12-21 06:28 --------- d-----w c:\documents and settings\Stephon\Application Data\uniblue
2008-12-21 06:28 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-17 19:34 --------- d-----w c:\program files\Common Files\Adobe
2008-12-06 00:04 --------- d-----w c:\program files\Java
2008-12-05 21:45 --------- d-----w c:\documents and settings\Stephon\Application Data\gtk-2.0
2008-11-23 18:01 --------- d-----w c:\program files\KeyScrambler
2008-11-23 06:45 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-11-22 02:44 --------- d-----w c:\program files\BFG
2008-11-22 02:12 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-13 04:23 --------- dc-h--w c:\documents and settings\All Users\Application Data\{51019853-129C-4EDE-9030-D5FD7BBD9AD0}
2008-11-10 13:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:24 827,904 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 23:46 81,920 -c--a-w c:\windows\system32\frapsvid.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2005-05-20 03:13 0 -csha-w c:\windows\SMINST\HPCD.sys
2008-07-23 20:58 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008072320080724\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-06-10 1447168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"59057:TCP"= 59057:TCP:Pando Media Booster
"59057:UDP"= 59057:UDP:Pando Media Booster

R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2008-06-10 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-07-12 113896]
S2 WUSB300NSvc;WUSB300NSvc;"c:\program files\Linksys\WUSB300N\WLService.exe" "WUSB300N.exe" [2008-07-12 53307]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\Drivers\LTower.sys [2005-11-29 36981]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;"c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" []
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS); []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank

O16 -: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\Stephon\Application Data\Mozilla\Firefox\Profiles\0xa47ahn.default\
FF - component: c:\documents and settings\Stephon\Application Data\Mozilla\Firefox\Profiles\0xa47ahn.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Stephon\Application Data\Mozilla\Firefox\Profiles\0xa47ahn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-28 15:58:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1184)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-28 15:59:41
ComboFix-quarantined-files.txt 2008-12-28 23:59:06
ComboFix2.txt 2008-12-28 23:30:27

Pre-Run: 126,326,226,944 bytes free
Post-Run: 126,285,524,992 bytes free

202 --- E O F --- 2008-12-11 06:03:19


Solved Re: Yet another virus. :(

Post by Belahzur on 29th December 2008, 12:00 am

Hello.
Looks good, any problems on this machine?





Solved Re: Yet another virus. :(

Post by Stephon on 29th December 2008, 12:01 am

Belahzur wrote: Hello.
Looks good, any problems on this machine?

Nope.

Thanks for the help.


Solved Re: Yet another virus. :(

Post by Doctor Inferno on 14th February 2009, 3:57 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.



Doctor Inferno
Administrator

Posts : 12015
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64
Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points : 104620
Likes : 0
