2009 Spyware spams and BankerFox.A and Win32/Nuqel.E


2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Pickzilla87 on Tue Apr 28, 2009 10:17 pm

Computer is auto scanning and throwing 34 viruses at me, a couple being BankerFox.A and Win32/Nuqel.E. There are others. I keep getting spammed with a 2009 Spyware thing. My desktop has a flashing message that says:


(WARNING
Dangerous Spyware
Following viruses were found on your computer: Trojan horse, PassCapture, and etc.
Your private information may be potentially transferred to third parties.

Please check computer using advanced software.
Thanks.)

So whatever you got throw it my way lol!


Re: 2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Belahzur on Tue Apr 28, 2009 10:54 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Reply on dds.txt for 2009 Spyware spams etc

Post by Pickzilla87 on Tue Apr 28, 2009 11:25 pm

It says the posted message is too big. I can't send it.


Re: 2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Belahzur on Tue Apr 28, 2009 11:29 pm

Split it up, use more than one post.





Re: 2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Pickzilla87 on Wed Apr 29, 2009 12:21 am

DDS (Ver_09-03-16.01) - NTFSx86
Run by Bryan Pickett at 17:45:14.93 on Tue 04/28/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.893 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\sysguard.exe
C:\DOCUME~1\BRYANP~1\LOCALS~1\Temp\1158143692.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Bryan Pickett\Local Settings\Temporary Internet Files\Content.IE5\UZ3GKTIT\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: c:\windows\system32\yhs783ijfo3fe.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\yhs783ijfo3fe.dll
BHO: : {f7b1ace6-6e5a-4511-bbe6-8857a864633e} - c:\windows\system32\tyudmfn.dll
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [system tool] c:\windows\sysguard.exe
uRun: [Diagnostic Manager] c:\docume~1\bryanp~1\locals~1\temp\1158143692.exe
uRun: [autochk] rundll32.exe c:\docume~1\bryanp~1\protect.dll,_IWMPEvents@16
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_09\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Framework Windows] frmwrk32.exe
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
dRun: [] c:\windows\temp\h6ob7etrn.exe
dRun: [autochk] rundll32.exe c:\docume~1\locals~1\protect.dll,_IWMPEvents@16
StartupFolder: c:\documents and settings\bryan pickett\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\bryanp~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk - c:\program files\dell photo printer 720\dlbcserv.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: EnableProfileQuota = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\temp\ntdll64.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [You must be registered and logged in to see this link.]
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Notify: cbfesphb - tyudmfn.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\yhs783ijfo3fe.dll: {b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\yhs783ijfo3fe.dll


Re: 2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Pickzilla87 on Wed Apr 29, 2009 12:21 am

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-4-8 185968]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 haoklppn;Keyboard HID Support;c:\windows\system32\svchost.exe -k netsvcs [2005-8-16 14336]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-10 24652]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090424.003\naveng.sys [2009-4-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090424.003\navex15.sys [2009-4-24 876144]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]

=============== Created Last 30 ================

2009-04-28 17:45 --d----- c:\docume~1\bryanp~1\applic~1\pbzwkcla
2009-04-28 17:39 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-04-28 17:39 24,064 a--sh--- c:\documents and settings\bryan pickett\protect.dll
2009-04-28 17:39 27,648 a------- c:\windows\system32\lmppcsetup.exe
2009-04-28 17:25 104,960 a------- c:\windows\system32\ntdll64.exe
2009-04-27 17:20 1,400 a------- c:\windows\system32\ahtn.htm
2009-04-27 17:20 4,785 a------- c:\windows\system32\warning.gif
2009-04-27 17:19 439 a------- c:\windows\system32\win32hlp.cnf
2009-04-27 17:19 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2009-04-27 17:19 1 a------- c:\windows\system32\uniq.tll
2009-04-27 17:18 29,696 a------- c:\windows\system32\frmwrk32.exe
2009-04-27 17:18 29,696 a------- c:\windows\system32\loader49.exe
2009-04-27 17:13 15,000 a------- c:\windows\system32\yhs783ijfo3fe.dll
2009-04-27 17:13 21,504 a------- c:\windows\system32\ak1.exe
2009-04-27 17:08 10,752 a------- c:\windows\system32\iehelper.dll
2009-04-27 16:58 292,368 a------- c:\windows\sysguard.exe
2009-04-15 19:59 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-15 19:59 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-15 19:59 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-15 19:59 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-04-15 19:59 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-15 19:59 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 19:59 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-15 19:59 715,264 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-15 19:59 617,984 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-15 19:58 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 19:58 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-04 20:24 --d----- c:\docume~1\bryanp~1\applic~1\Acreon
2009-04-01 16:51 38,160 a------- c:\windows\system32\LMRTREND.dll
2009-04-01 16:51 182,032 a------- c:\windows\system32\dxtmsft3.dll
2009-04-01 16:51 140,800 a------- c:\windows\system32\tm20dec.ax
2009-04-01 16:51 63,488 a------- c:\windows\system32\unam4ie.exe
2009-04-01 16:51 4,639 a------- c:\windows\system32\dllcache\mplayer2.exe
2009-04-01 16:50 194,320 a------- c:\windows\system32\qcut.dll
2009-04-01 16:50 11,776 a------- c:\windows\system32\mciqtz.drv
2009-04-01 16:50 10,240 a------- c:\windows\system32\vidx16.dll
2009-04-01 16:50 5,672 a------- c:\windows\system32\quartz.vxd
2009-04-01 16:50 4,608 a------- c:\windows\system32\w95inf32.dll
2009-04-01 16:50 2,272 a------- c:\windows\system32\w95inf16.dll
2009-04-01 16:50 --d----- C:\TELL ME MORE CJ

==================== Find3M ====================

2009-04-27 17:19 104,960 a------- c:\windows\system32\userinit.exe
2009-03-21 10:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:00 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\dllcache\wininet.dll
2009-02-28 00:54 636,072 -------- c:\windows\system32\dllcache\iexplore.exe
2009-02-20 06:20 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 06:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-20 01:14 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2009-02-10 18:31 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 06:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-09 06:01 728,576 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:01 617,984 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:01 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:01 728,576 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 06:01 715,264 a------- c:\windows\system32\ntdll.dll
2009-02-06 06:32 2,186,112 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 06:29 2,142,720 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 06:29 2,142,720 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 06:22 110,592 a------- c:\windows\system32\services.exe
2009-02-06 05:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 05:49 2,020,864 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 05:49 2,020,864 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 05:49 2,062,976 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-03 16:08 55,808 a------- c:\windows\system32\secur32.dll
2009-02-03 16:08 55,808 -------- c:\windows\system32\dllcache\secur32.dll
2009-04-28 17:45 24,064 a--sh--- c:\windows\system32\autochk.dll
2006-03-23 15:18 104 ---shr-- c:\windows\system32\D1D2F33274.sys
2006-03-23 15:18 4,184 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 17:47:03.70 ===============

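The DDS "Pseudo HJT Report" above is read by eye in this thread. As an added example (not part of the thread, and not code from DDS or its author sUBs), here is a small Python triage script that applies a few of the generic checks a helper makes when reading such a log: a second executable on the Winlogon Userinit line, Run entries with an empty value name or launched from a temp directory, rundll32 loading a DLL out of a user profile, policies that disable Task Manager or the registry tools, and a Winsock LSP loaded from outside system32. The sample lines are copied from the log posted in this thread; the rule names and the regular expressions are my own and only approximate what a human analyst does.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: lines taken from the DDS log posted in this thread,
# plus a clean ctfmon.exe entry for contrast.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [system tool] c:\windows\sysguard.exe
uRun: [Diagnostic Manager] c:\docume~1\bryanp~1\locals~1\temp\1158143692.exe
uRun: [autochk] rundll32.exe c:\docume~1\bryanp~1\protect.dll,_IWMPEvents@16
mRun: [Framework Windows] frmwrk32.exe
dRun: [] c:\windows\temp\h6ob7etrn.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
LSP: c:\windows\temp\ntdll64.dll
Notify: cbfesphb - tyudmfn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
""".strip()

# u/m/d prefixes in DDS stand for HKCU, HKLM and HKU\.DEFAULT respectively.
RUN_RE = re.compile(r"^([umd])Run: \[(.*?)\] ?(.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.I)
POLICY_RE = re.compile(
    r"^[umd]Policies-system: (DisableTaskMgr|DisableRegistryTools) = 1", re.I)
RUNDLL_PROFILE_RE = re.compile(r"rundll32(\.exe)?\s+c:\\docume~1\\", re.I)


@dataclass
class Finding:
    rule: str   # hypothetical rule name, chosen for this example
    line: str   # the offending log line, verbatim


def triage_dds(report: str) -> list[Finding]:
    """Return the log lines that trip one of the generic persistence checks."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. Winlogon Userinit: Windows sets exactly one entry (userinit.exe).
        #    Any extra comma-separated executable runs at every logon.
        m = re.match(r"^mWinlogon: Userinit=(.*)$", line, re.I)
        if m:
            entries = [e for e in m.group(1).split(",") if e.strip()]
            if len(entries) != 1 or not entries[0].lower().endswith(
                    r"\system32\userinit.exe"):
                findings.append(Finding("userinit-extra-entry", line))
            continue

        # 2. Run keys: an empty value name, a command living in a temp
        #    directory, or rundll32 pulling a DLL out of a user profile.
        m = RUN_RE.match(line)
        if m:
            name, cmd = m.group(2), m.group(3)
            if name == "" and cmd:
                findings.append(Finding("run-empty-name", line))
            elif TEMP_RE.search(cmd):
                findings.append(Finding("run-from-temp", line))
            elif RUNDLL_PROFILE_RE.search(cmd):
                findings.append(Finding("rundll32-profile-dll", line))
            continue

        # 3. Policies that lock the user out of Task Manager / regedit.
        if POLICY_RE.match(line):
            findings.append(Finding("lockout-policy", line))
            continue

        # 4. Winsock LSP: legitimate providers sit under system32.
        m = re.match(r"^LSP: (.*)$", line, re.I)
        if m and not m.group(1).lower().startswith("c:\\windows\\system32\\"):
            findings.append(Finding("lsp-outside-system32", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for a quick overview of what was hit."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    hits = triage_dds(SAMPLE_DDS)
    for f in hits:
        print(f"[{f.rule}] {f.line}")
    print(summarize(hits))
```

Run against the sample, the script flags seven lines. Note that the rogue "system tool" entry (c:\windows\sysguard.exe) and the bare frmwrk32.exe entry are not caught by these path-based rules, because legitimate software also starts from the Windows directory; that is why a helper reads the whole log rather than relying on pattern matching alone.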

Re: 2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Belahzur on Wed Apr 29, 2009 11:54 am

Hello.
What a mess you have here. We'll need to use Combofix.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to rename Combofix before we can use it; the malware you have will block it.

    If you are using Firefox, make sure that your download settings are as follows:

    Tools->Options->Main tab
    Set to "Always ask me where to Save the files".

    During the download, rename Combofix to Combo-Fix as follows:

    It is important you rename Combofix during the download, but not after.
    Please do not rename Combofix to other names, but only to the one indicated.
    Close any open browsers.

  • We also need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Symantec)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.





Saved!

Post by Pickzilla87 on Wed Apr 29, 2009 9:19 pm

I did as instructed exactly, and it seems to me that I am virus free. How can I be sure that everything my PC had on it prior is gone now? And is there a way to prevent what happened to my computer in the future? Did I do something to bring the viruses on?


Re: 2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Belahzur on Wed Apr 29, 2009 9:40 pm

I can't know anything until you can post the Combofix log.





combofix log

Post by Pickzilla87 on Thu Apr 30, 2009 8:49 pm

ComboFix 09-04-29.01 - Bryan Pickett 04/29/2009 16:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1103 [GMT -4:00]
Running from: c:\documents and settings\Bryan Pickett\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\BRYANP~1\LOCALS~1\Temp\mousehook.dll
c:\docume~1\BRYANP~1\LOCALS~1\Temp\ntdll64.dll
c:\documents and settings\All Users\Start Menu\Online Security Guide.url
c:\documents and settings\All Users\Start Menu\Security Troubleshooting.url
c:\documents and settings\Bryan Pickett\protect.dll
c:\documents and settings\Bryan Pickett\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Bryan Pickett\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\protect.dll
c:\program files\Altnet
c:\program files\screensavers.com
c:\program files\screensavers.com\Wallpaper\swpstart.exe
c:\windows\IE4 Error Log.txt
c:\windows\sysguard.exe
c:\windows\system32\ahtn.htm
c:\windows\system32\ak1.exe
c:\windows\system32\autochk.dll
c:\windows\system32\bszip.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\iehelper.dll
c:\windows\system32\loader49.exe
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\ntdll64.exe
c:\windows\system32\sdra64.exe
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\yhs783ijfo3fe.dll
c:\windows\Tasks\At1.job
c:\windows\TEMP\ntdll64.dll
c:\windows\system32\pvcgwobs.dll . . . . failed to delete
c:\windows\system32\tyudmfn.dll . . . . failed to delete

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\i386\userinit.exe


Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\i386\sfcfiles.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HAOKLPPN
-------\Legacy_SFC
-------\Service_haoklppn
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

2009-04-28 21:39 . 2009-04-28 21:39 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-21 18:25 . 2009-04-21 18:25 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-15 23:59 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:59 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-15 23:59 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 23:59 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:59 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 23:59 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:59 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:59 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:59 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:58 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-05 00:24 . 2009-04-05 00:24 -------- d-----w c:\documents and settings\Bryan Pickett\Application Data\Acreon
2009-04-05 00:23 . 2009-04-19 18:03 -------- d-----w c:\documents and settings\Bryan Pickett\Local Settings\Application Data\._Revolution_
2009-04-01 20:51 . 1998-09-02 08:28 38160 ----a-w c:\windows\system32\LMRTREND.dll
2009-04-01 20:51 . 1998-08-27 04:51 182032 ----a-w c:\windows\system32\dxtmsft3.dll
2009-04-01 20:51 . 1998-09-02 08:28 63488 ----a-w c:\windows\system32\unam4ie.exe
2009-04-01 20:51 . 2004-08-10 11:00 4639 ----a-w c:\windows\system32\dllcache\mplayer2.exe
2009-04-01 20:50 . 1998-08-17 09:21 10240 ----a-w c:\windows\system32\vidx16.dll
2009-04-01 20:50 . 1998-08-17 09:21 11776 ----a-w c:\windows\system32\mciqtz.drv
2009-04-01 20:50 . 1998-09-02 08:02 194320 ----a-w c:\windows\system32\qcut.dll
2009-04-01 20:50 . 2009-04-01 20:50 2272 ----a-w c:\windows\system32\w95inf16.dll
2009-04-01 20:50 . 2009-04-01 20:50 4608 ----a-w c:\windows\system32\w95inf32.dll
2009-04-01 20:50 . 2009-04-01 20:51 -------- d-----w C:\TELL ME MORE CJ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 21:04 . 2006-03-27 16:51 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-29 21:02 . 2005-08-16 10:18 143872 ----a-w c:\windows\system32\pvcgwobs.dll
2009-04-29 21:01 . 2005-08-16 10:18 105472 ----a-w c:\windows\system32\zkxupuf.dll
2009-04-22 23:07 . 2008-06-08 15:19 -------- d-----w c:\program files\World of Warcraft
2009-04-04 17:07 . 2006-01-05 19:17 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 17:06 . 2008-09-09 22:41 -------- d-----w c:\program files\Electronic Arts
2009-03-06 14:00 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:19 . 2005-08-16 10:18 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2005-08-16 10:18 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2005-08-16 10:18 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2005-08-16 10:18 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2005-08-16 10:18 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2004-08-04 04:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2005-08-16 10:18 55808 ----a-w c:\windows\system32\secur32.dll
2006-03-23 19:18 . 2006-01-24 13:06 104 --sh--r c:\windows\system32\D1D2F33274.sys
2006-03-23 19:18 . 2006-01-24 13:06 4184 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51DF787E-37EC-4AF0-9634-191425954967}]
2009-04-29 21:02 143872 ----a-w c:\windows\system32\pvcgwobs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7B1ACE6-6E5A-4511-BBE6-8857A864633E}]
2004-08-10 11:00 105472 ----a-w c:\windows\system32\tyudmfn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-13 185896]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-5 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2006-2-12 315392]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bryan Pickett^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Bryan Pickett\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]
S0 czqcydel;czqcydel;c:\windows\system32\drivers\czqcydel.sys [2004-08-10 23424]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [2009-03-16 101936]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll
WebBrowser-{07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-autochk - c:\windows\system32\autochk.dll
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll
SharedTaskScheduler-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\yhs783ijfo3fe.dll


combofix log cont

Post by Pickzilla87 on Thu Apr 30, 2009 8:49 pm

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-29 17:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxswvjntrd.sys 81408 bytes executable
c:\windows\system32\ovfsthxaixjxybv.dll 18432 bytes executable
c:\windows\system32\ovfsthxfvwhkywb.dat 43 bytes
c:\windows\system32\ovfsthxkvxfmqxw.dll 59904 bytes executable
c:\windows\system32\ovfsthxumqmulbt.dat 33490 bytes
c:\windows\system32\ovfsthxwbutehgb.dll 18432 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2843965866-2509467514-2980951161-1005\Software\SecuROM\License information*]
"datasecu"=hex:28,2e,40,a4,2a,59,55,f9,fc,0a,20,f8,2d,0e,3c,f4,ab,05,ea,59,f7,
1a,57,10,2b,6a,74,13,bb,ba,1d,47,57,3e,8d,73,92,ee,1a,4a,91,3c,2a,54,ca,67,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(436)
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\VentSrv\ventrilo_svc.exe
c:\program files\VentSrv\ventrilo_srv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Symantec AntiVirus\DoScan.exe
.
**************************************************************************
.
Completion time: 2009-04-29 17:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 21:11

Pre-Run: 31,128,342,528 bytes free
Post-Run: 31,641,169,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

280 --- E O F --- 2009-04-16 02:47


Re: 2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Belahzur on Thu Apr 30, 2009 9:10 pm

Still more to do, you really got yourself into a mess here.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
czqcydel

File::
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\pvcgwobs.dll
c:\windows\system32\tyudmfn.dll
c:\windows\system32\drivers\czqcydel.sys

DirLook::
C:\TELL ME MORE CJ

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51DF787E-37EC-4AF0-9634-191425954967}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7B1ACE6-6E5A-4511-BBE6-8857A864633E}]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Rootkit::
c:\windows\system32\drivers\ovfsthxswvjntrd.sys
c:\windows\system32\ovfsthxaixjxybv.dll
c:\windows\system32\ovfsthxfvwhkywb.dat
c:\windows\system32\ovfsthxkvxfmqxw.dll
c:\windows\system32\ovfsthxumqmulbt.dat
c:\windows\system32\ovfsthxwbutehgb.dll

DDS::
DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - [You must be registered and logged in to see this link.]
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.




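A check worth running on the log that comes back from this step: the script below (an added example, not part of this thread and not ComboFix's own tooling) parses the File::, Rootkit:: and Driver:: sections of a CFScript and the "Other Deletions" and "Drivers/Services" sections of the resulting ComboFix log, then lists which requested files the run did not report deleting. It assumes the log layout shown in this thread; the sample script and log inside it are constructed from the entries posted here.

```python
"""Reconcile a ComboFix CFScript against the ComboFix log it produced (added example)."""
import re

SECTION_RE = re.compile(r"^(\w+)::\s*$")          # CFScript headers: File::, Rootkit::, ...
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")  # ComboFix banner: (((( Title ))))

# Constructed sample CFScript, using the entries posted in this thread.
SAMPLE_CFSCRIPT = r"""KILLALL::

Driver::
czqcydel

File::
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\pvcgwobs.dll
c:\windows\system32\tyudmfn.dll
c:\windows\system32\drivers\czqcydel.sys

Rootkit::
c:\windows\system32\drivers\ovfsthxswvjntrd.sys
c:\windows\system32\ovfsthxaixjxybv.dll
c:\windows\system32\ovfsthxfvwhkywb.dat
c:\windows\system32\ovfsthxkvxfmqxw.dll
c:\windows\system32\ovfsthxumqmulbt.dat
c:\windows\system32\ovfsthxwbutehgb.dll
"""

# Constructed sample log, abbreviated from the ComboFix log posted after that script.
SAMPLE_LOG = r"""FILE ::
c:\windows\system32\drivers\czqcydel.sys
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\pvcgwobs.dll
c:\windows\system32\tyudmfn.dll
.
(((((((((((((((((((( Other Deletions ))))))))))))))))))))
.
c:\windows\system32\drivers\czqcydel.sys
c:\windows\system32\ovfsthxfvwhkywb.dat
c:\windows\system32\ovfsthxkvxfmqxw.dll
c:\windows\system32\ovfsthxumqmulbt.dat
c:\windows\system32\pvcgwobs.dll
c:\windows\system32\tyudmfn.dll
.
(((((((((((((((((((( Drivers/Services ))))))))))))))))))))
.

-------\Legacy_CZQCYDEL
-------\Service_czqcydel
"""


def parse_cfscript(text: str) -> dict[str, list[str]]:
    """Map each 'Name::' section of a CFScript to its non-blank entry lines."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text: str) -> dict[str, list[str]]:
    """Map the 'FILE ::' echo and each banner section of a ComboFix log to its entries."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if line == "FILE ::" or m:
            current = "FILE" if m is None else m.group(1)
            sections.setdefault(current, [])
        elif line not in ("", ".") and current is not None:
            sections[current].append(line)
    return sections


def reconcile(cfscript: str, log: str) -> dict[str, set[str]]:
    """Compare what the script asked ComboFix to remove with what the log says it removed."""
    script = parse_cfscript(cfscript)
    result = parse_combofix_log(log)
    requested = {p.lower() for key in ("File", "Rootkit") for p in script.get(key, [])}
    deleted = {p.lower() for p in result.get("Other Deletions", [])}
    services = {s.lower() for s in result.get("Drivers/Services", [])}
    drivers = {d.lower() for d in script.get("Driver", [])}
    return {
        "deleted": requested & deleted,
        "not_deleted": requested - deleted,   # not reported removed: needs a follow-up
        "unexpected": deleted - requested,    # removed by ComboFix without being listed
        "drivers_not_removed": {d for d in drivers if f"-------\\service_{d}" not in services},
    }


if __name__ == "__main__":
    for key, paths in reconcile(SAMPLE_CFSCRIPT, SAMPLE_LOG).items():
        print(key, sorted(paths))
```

On the constructed sample, four of the ten requested files (lmppcsetup.exe and three of the ovfsthx* files) do not appear under "Other Deletions", which is exactly the kind of leftover a follow-up scan should target.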

New ComboFix.txt log

Post by Pickzilla87 on Mon May 04, 2009 4:50 pm

Sorry it took me a while to get back to ya again. Here's the next combofix log.

ComboFix 09-04-29.01 - Bryan Pickett 05/04/2009 12:26.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1526.1017 [GMT -4:00]
Running from: c:\documents and settings\Bryan Pickett\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Bryan Pickett\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning enabled* (Updated)
FW: Norton Internet Security *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\czqcydel.sys
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\pvcgwobs.dll
c:\windows\system32\tyudmfn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\czqcydel.sys
c:\windows\system32\ovfsthxfvwhkywb.dat
c:\windows\system32\ovfsthxkvxfmqxw.dll
c:\windows\system32\ovfsthxumqmulbt.dat
c:\windows\system32\pvcgwobs.dll
c:\windows\system32\tyudmfn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CZQCYDEL
-------\Service_czqcydel


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-5-4 )))))))))))))))))))))))))))))))
.

2009-05-01 20:07 . 2009-05-01 20:07 -------- d-----w c:\program files\Norton Support
2009-05-01 19:41 . 2009-03-12 08:42 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-05-01 19:41 . 2009-05-01 19:51 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-01 19:41 . 2009-05-01 19:51 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-01 19:41 . 2009-05-01 19:56 -------- d-----w c:\windows\system32\drivers\NIS
2009-05-01 19:41 . 2009-05-01 19:41 -------- d-----w c:\program files\Norton Internet Security
2009-05-01 19:41 . 2009-05-01 19:41 -------- d-----w c:\program files\Windows Sidebar
2009-05-01 19:41 . 2009-05-01 19:41 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-05-01 19:39 . 2009-05-01 19:39 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-01 19:39 . 2009-05-01 19:39 -------- d-----w c:\program files\NortonInstaller
2009-04-21 18:25 . 2009-04-21 18:25 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-15 23:59 . 2009-03-06 14:00 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 23:59 . 2005-07-26 04:20 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-15 23:59 . 2009-02-06 09:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 23:59 . 2009-02-09 10:01 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 23:59 . 2009-02-06 10:22 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 23:59 . 2009-02-09 10:01 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 23:59 . 2009-02-06 09:41 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 23:59 . 2009-02-09 10:01 617984 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 23:59 . 2009-02-09 10:01 715264 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 23:58 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-05 00:24 . 2009-04-05 00:24 -------- d-----w c:\documents and settings\Bryan Pickett\Application Data\Acreon
2009-04-05 00:23 . 2009-05-02 00:15 -------- d-----w c:\documents and settings\Bryan Pickett\Local Settings\Application Data\._Revolution_

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-04 16:26 . 2005-08-16 10:18 23424 ----a-w c:\windows\system32\drivers\pkywidyh.sys
2009-05-02 00:12 . 2008-06-08 15:19 -------- d-----w c:\program files\World of Warcraft
2009-05-01 20:18 . 2006-03-27 16:51 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-01 19:51 . 2009-05-01 19:41 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-01 19:51 . 2009-05-01 19:41 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-01 19:51 . 2006-03-27 16:51 -------- d-----w c:\program files\Symantec
2009-05-01 19:22 . 2006-03-27 16:51 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-29 21:01 . 2005-08-16 10:18 105472 ----a-w c:\windows\system32\zkxupuf.dll
2009-04-04 17:07 . 2006-01-05 19:17 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-04 17:06 . 2008-09-09 22:41 -------- d-----w c:\program files\Electronic Arts
2009-04-01 20:50 . 2009-04-01 20:50 4608 ----a-w c:\windows\system32\w95inf32.dll
2009-04-01 20:50 . 2009-04-01 20:50 2272 ----a-w c:\windows\system32\w95inf16.dll
2009-03-06 14:00 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:19 . 2005-08-16 10:18 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2005-08-16 10:18 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2005-08-16 10:18 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2005-08-16 10:18 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2005-08-16 10:18 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2004-08-04 04:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2005-08-16 10:18 55808 ----a-w c:\windows\system32\secur32.dll
2006-03-23 19:18 . 2006-01-24 13:06 104 --sh--r c:\windows\system32\D1D2F33274.sys
2006-03-23 19:18 . 2006-01-24 13:06 4184 --sha-w c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\TELL ME MORE CJ ----

2009-04-01 20:58 . 2009-04-01 21:46 668 ----a-w c:\tell me more cj\Users\BRYAN00\Count.dat
2009-04-01 20:58 . 2009-04-01 20:58 25 ----a-w c:\tell me more cj\Users\BRYAN00\MailBox\Mailbox.inv
2009-04-01 20:57 . 2009-04-01 20:57 32 ----a-w c:\tell me more cj\Users\BRYAN00\script.aur
2009-04-01 20:56 . 2009-04-01 20:56 43172 ----a-w c:\tell me more cj\Users\BRYAN00\wav\Q4R2P1.wav
2009-04-01 20:56 . 2009-04-01 20:56 47132 ----a-w c:\tell me more cj\Users\BRYAN00\wav\Q3R1P1.wav
2009-04-01 20:56 . 2009-04-01 20:56 64292 ----a-w c:\tell me more cj\Users\BRYAN00\wav\Q2R1P1.wav
2009-04-01 20:56 . 2009-04-01 20:56 79692 ----a-w c:\tell me more cj\Users\BRYAN00\wav\Q1R1P1.wav
2009-04-01 20:52 . 2009-04-01 20:52 106 ----a-w c:\tell me more cj\bin\Temp\ASR1602\user\JPN10001\Pack4b97\package.ini
2009-04-01 20:52 . 2009-04-01 20:52 4720 ----a-w c:\tell me more cj\bin\Temp\ASR1602\user\JPN10001\Pack4b97\userlex.ulx
2009-04-01 20:52 . 2009-04-01 20:52 117 ----a-w c:\tell me more cj\bin\Temp\ASR1602\user\JPN10001\user.ini
2009-04-01 20:52 . 2009-04-01 20:52 98 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\Syntax3\syntax.ini
2009-04-01 20:52 . 2009-04-01 20:52 31 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\Syntax2\iws.slx
2009-04-01 20:52 . 2009-04-01 20:52 38 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\Syntax2\iws.syn
2009-04-01 20:52 . 2009-04-01 20:52 97 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\Syntax2\syntax.ini
2009-04-01 20:52 . 2009-04-01 20:52 86 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\Syntax3\kws.slx
2009-04-01 20:52 . 2009-04-01 20:52 66 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\Syntax3\kws.syn
2009-04-01 20:52 . 2009-04-01 20:52 722 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\Syntax1\condig.slx
2009-04-01 20:52 . 2009-04-01 20:52 42 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\Syntax1\condig.syn
2009-04-01 20:52 . 2009-04-01 20:52 102 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\Syntax1\syntax.ini
2009-04-01 20:52 . 2009-04-01 20:52 299 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\dict1.dct
2009-04-01 20:52 . 2009-04-01 20:52 336896 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\JPJG2P60.DLL
2009-04-01 20:52 . 2009-04-01 20:52 930258 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\jpn_jpn.lng
2009-04-01 20:52 . 2009-04-01 20:52 63248 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\jpn_jpn.sus
2009-04-01 20:52 . 2009-04-01 20:52 657 ----a-w c:\tell me more cj\bin\Temp\ASR1602\lang\JPN_JPN\language.ini
2009-04-01 20:52 . 2009-04-01 20:52 5927 ----a-w c:\tell me more cj\bin\Temp\ASR1602\asr1602.dat
2009-04-01 20:52 . 2009-04-01 20:52 32 ----a-w c:\tell me more cj\bin\Temp\ASR1602\asr1602.ini
2009-04-01 20:52 . 2009-04-01 20:52 48 ----a-w c:\tell me more cj\bin\Temp\ASR1602\asr16DEC.ini
2009-04-01 20:52 . 2009-04-01 20:52 376 ----a-w c:\tell me more cj\bin\Temp\ASR1602\database.ini
2009-04-01 20:52 . 2009-04-01 20:52 87 ----a-w c:\tell me more cj\bin\Temp\ASR1602\userdata.ini
2009-04-01 20:52 . 2009-04-01 21:46 16384 ----a-w c:\tell me more cj\Users\BRYAN00\Tracking.atf
2009-04-01 20:52 . 2009-04-01 21:46 1471 ----a-w c:\tell me more cj\Users\BRYAN00\options.ini
2009-04-01 20:51 . 2009-04-01 20:52 16 ----a-w c:\tell me more cj\Users\UserList.dat
2009-04-01 20:51 . 2009-04-01 20:51 0 ----a-w c:\tell me more cj\bin\Temp\intro1.tmp
2009-04-01 20:51 . 2009-04-01 20:51 10682 ----a-w c:\tell me more cj\UnSetup.aui
2009-04-01 20:50 . 2003-03-31 09:51 299008 ----a-w c:\tell me more cj\bin\ame45.lan
2009-04-01 20:50 . 2002-01-04 08:35 663470 ----a-w c:\tell me more cj\bin\angum.pdf
2009-04-01 20:50 . 2001-07-26 16:20 6531 ----a-w c:\tell me more cj\bin\ang.cnt
2009-04-01 20:50 . 2001-07-26 16:20 1040438 ----a-w c:\tell me more cj\bin\ang.hlp
2009-04-01 20:50 . 2003-04-01 14:30 171 ----a-w c:\tell me more cj\bin\readme.txt
2009-04-01 20:50 . 2003-04-02 14:04 1453 ----a-w c:\tell me more cj\bin\pupildef.ini
2009-04-01 20:50 . 2009-04-01 21:46 537 ----a-w c:\tell me more cj\bin\tmm.ini
2009-04-01 20:50 . 2009-04-01 20:50 2912304 ----a-w c:\tell me more cj\bin\tmm.exe
2009-04-01 20:50 . 2009-04-01 20:50 108961 ----a-w c:\tell me more cj\bin\Intro1.png


New combofix.txt log

Post by Pickzilla87 on Mon May 04, 2009 4:51 pm

2009-04-01 20:50 . 2009-04-01 20:50 28672 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\tosexe.exe
2009-04-01 20:50 . 2009-04-01 20:50 28672 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\tos.dll
2009-04-01 20:50 . 2009-04-01 20:50 192512 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\spi1602.dll
2009-04-01 20:50 . 2009-04-01 20:50 8192 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\sharemem.dll
2009-04-01 20:50 . 2009-04-01 20:50 32768 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\spe1602.dll
2009-04-01 20:50 . 2009-04-01 20:50 27648 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\SH22W32.DLL
2009-04-01 20:50 . 2009-04-01 20:50 49152 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\p2su.dll
2009-04-01 20:50 . 2009-04-01 20:50 12288 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\nameseao.dll
2009-04-01 20:50 . 2009-04-01 20:50 69632 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\p2sp.dll
2009-04-01 20:50 . 2009-04-01 20:50 77878 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\MSVCIRT.DLL
2009-04-01 20:50 . 2009-04-01 20:50 94208 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\msgramco.dll
2009-04-01 20:50 . 2009-04-01 20:50 24576 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\exphdecw.dll
2009-04-01 20:50 . 2009-04-01 20:50 184320 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\grammar.dll
2009-04-01 20:50 . 2009-04-01 20:50 20480 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\exphdeca.dll
2009-04-01 20:50 . 2009-04-01 20:50 36864 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\encio.dll
2009-04-01 20:50 . 2009-04-01 20:50 12288 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\debugout.dll
2009-04-01 20:50 . 2009-04-01 20:50 172032 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\cw3215mt.DLL
2009-04-01 20:50 . 2009-04-01 20:50 143360 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\clgramco.dll
2009-04-01 20:50 . 2009-04-01 20:50 40960 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\casrapi.dll
2009-04-01 20:50 . 2009-04-01 20:50 36864 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\binimp.dll
2009-04-01 20:50 . 2009-04-01 20:50 409600 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\asrapicl.dll
2009-04-01 20:50 . 2009-04-01 20:52 937 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\Asrapi.ini
2009-04-01 20:50 . 2009-04-01 20:50 86016 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\asr1602.dll
2009-04-01 20:50 . 2009-04-01 20:50 12288 ----a-w c:\tell me more cj\bin\Asr1602\LhAsrBin\1602_exp.dll
2009-04-01 20:50 . 2009-04-01 20:50 81920 ----a-w c:\tell me more cj\bin\Asr1602\asr3234.dll
2009-04-01 20:50 . 2009-04-01 20:50 335872 ----a-w c:\tell me more cj\bin\LH34Int.dll
2009-04-01 20:50 . 2009-04-01 20:50 2333715 ----a-w c:\tell me more cj\bin\Fonts\Mheigbmd.tal
2009-04-01 20:50 . 2009-04-01 20:50 2331551 ----a-w c:\tell me more cj\bin\Fonts\MheigbAU.tal
2009-04-01 20:50 . 2009-04-01 20:50 2497919 ----a-w c:\tell me more cj\bin\Fonts\Hgrgmsj.tal
2009-04-01 20:50 . 2009-04-01 20:50 294672 ----a-w c:\tell me more cj\bin\riched20.dll
2009-04-01 20:50 . 2009-04-01 20:50 397824 ----a-w c:\tell me more cj\bin\E10Video.ECE
2009-04-01 20:50 . 2009-04-01 20:50 55808 ----a-w c:\tell me more cj\bin\E10Titre.ECE
2009-04-01 20:50 . 2009-04-01 20:50 19456 ----a-w c:\tell me more cj\bin\E10Pave.ECE
2009-04-01 20:50 . 2009-04-01 20:50 469504 ----a-w c:\tell me more cj\bin\E10Pron.ECE
2009-04-01 20:50 . 2009-04-01 20:50 694784 ----a-w c:\tell me more cj\bin\E10Ident.ECE
2009-04-01 20:50 . 2009-04-01 20:50 251904 ----a-w c:\tell me more cj\bin\E10Dlg.ECE
2009-04-01 20:50 . 2009-04-01 20:50 424448 ----a-w c:\tell me more cj\bin\E10DIAPO.ECE
2009-04-01 20:50 . 2009-04-01 20:50 377856 ----a-w c:\tell me more cj\bin\E10Dial.ECE
2009-04-01 20:50 . 2009-04-01 20:50 140288 ----a-w c:\tell me more cj\bin\E10Credi.ECE
2009-04-01 20:50 . 2009-04-01 20:50 428544 ----a-w c:\tell me more cj\bin\E10CHOP.ECE
2009-04-01 20:50 . 2009-04-01 20:50 378368 ----a-w c:\tell me more cj\bin\E10Choc.ECE
2009-04-01 20:50 . 2009-04-01 20:50 1171456 ----a-w c:\tell me more cj\bin\E10Barre.ECE
2009-04-01 20:50 . 2009-04-01 20:50 135168 ----a-w c:\tell me more cj\bin\E10Att.ECE
2009-04-01 20:50 . 2009-04-01 20:50 785408 ----a-w c:\tell me more cj\bin\E10Aide.ECE
2009-04-01 20:50 . 2009-04-01 20:50 131584 ----a-w c:\tell me more cj\bin\L06Video.ECE
2009-04-01 20:50 . 2009-04-01 20:50 28672 ----a-w c:\tell me more cj\bin\L06Titre.ECE
2009-04-01 20:50 . 2009-04-01 20:50 10240 ----a-w c:\tell me more cj\bin\L06Pave.ECE
2009-04-01 20:50 . 2009-04-01 20:50 158208 ----a-w c:\tell me more cj\bin\L06Pron.ECE
2009-04-01 20:50 . 2009-04-01 20:50 244224 ----a-w c:\tell me more cj\bin\L06Ident.ECE
2009-04-01 20:50 . 2009-04-01 20:50 77312 ----a-w c:\tell me more cj\bin\L06Dlg.ECE
2009-04-01 20:50 . 2009-04-01 20:50 95232 ----a-w c:\tell me more cj\bin\L06DIAPO.ECE
2009-04-01 20:50 . 2009-04-01 20:50 123392 ----a-w c:\tell me more cj\bin\L06Dial.ECE
2009-04-01 20:50 . 2009-04-01 20:50 44032 ----a-w c:\tell me more cj\bin\L06Credi.ECE
2009-04-01 20:50 . 2009-04-01 20:50 124416 ----a-w c:\tell me more cj\bin\L06CHOP.ECE
2009-04-01 20:50 . 2009-04-01 20:50 150016 ----a-w c:\tell me more cj\bin\L06Choc.ECE
2009-04-01 20:50 . 2009-04-01 20:50 561152 ----a-w c:\tell me more cj\bin\L06Barre.ECE
2009-04-01 20:50 . 2009-04-01 20:50 50688 ----a-w c:\tell me more cj\bin\L06Att.ECE
2009-04-01 20:50 . 2009-04-01 20:50 287232 ----a-w c:\tell me more cj\bin\L06Aide.ECE
2009-04-01 20:50 . 2009-04-01 20:50 290304 ----a-w c:\tell me more cj\bin\E10ChiSynth.ECE
2009-04-01 20:50 . 2009-04-01 20:50 851456 ----a-w c:\tell me more cj\bin\E10ChiOpt.ECE
2009-04-01 20:50 . 2009-04-01 20:50 172032 ----a-w c:\tell me more cj\bin\E10CHIGraDi.ECE
2009-04-01 20:50 . 2009-04-01 20:50 1828864 ----a-w c:\tell me more cj\bin\E10ChiExo.ECE
2009-04-01 20:50 . 2009-04-01 20:50 1099264 ----a-w c:\tell me more cj\bin\E10ChiBarre.ECE
2009-04-01 20:50 . 2009-04-01 20:50 3421184 ----a-w c:\tell me more cj\bin\E10CHIAcc.ECE
2009-04-01 20:50 . 2009-04-01 20:50 122368 ----a-w c:\tell me more cj\bin\L06ChiSynth.ECE
2009-04-01 20:50 . 2009-04-01 20:50 341504 ----a-w c:\tell me more cj\bin\L06ChiOpt.ECE
2009-04-01 20:50 . 2009-04-01 20:50 74752 ----a-w c:\tell me more cj\bin\L06CHIGraDi.ECE
2009-04-01 20:50 . 2009-04-01 20:50 662016 ----a-w c:\tell me more cj\bin\L06ChiExo.ECE
2009-04-01 20:50 . 2009-04-01 20:50 524288 ----a-w c:\tell me more cj\bin\L06ChiBarre.ECE
2009-04-01 20:50 . 2009-04-01 20:50 2003968 ----a-w c:\tell me more cj\bin\L06CHIAcc.ECE
2009-04-01 20:50 . 2009-04-01 20:50 270848 ----a-w c:\tell me more cj\bin\Asr1600\Lhsp\G2P\SPA_EL50.DLL
2009-04-01 20:50 . 2009-04-01 20:50 333824 ----a-w c:\tell me more cj\bin\Asr1600\Lhsp\G2P\ITA_IL50.DLL
2009-04-01 20:50 . 2009-04-01 20:50 313344 ----a-w c:\tell me more cj\bin\Asr1600\Lhsp\G2P\GER_DL50.DLL
2009-04-01 20:50 . 2009-04-01 20:50 379904 ----a-w c:\tell me more cj\bin\Asr1600\Lhsp\G2P\FRE_FL50.DLL
2009-04-01 20:50 . 2009-04-01 20:50 699392 ----a-w c:\tell me more cj\bin\Asr1600\Lhsp\G2P\ENG_UL50.DLL
2009-04-01 20:50 . 2009-04-01 20:50 625152 ----a-w c:\tell me more cj\bin\Asr1600\Lhsp\G2P\ENG_GL50.DLL
2009-04-01 20:50 . 2009-04-01 20:50 183296 ----a-w c:\tell me more cj\bin\Asr1600\Lhsp\G2P\DUT_NL50.DLL
2009-04-01 20:50 . 2009-04-01 20:50 108544 ----a-w c:\tell me more cj\bin\Asr1600\Lhsp\Ttsdct32.dll
2009-04-01 20:50 . 2009-04-01 20:50 24576 ----a-w c:\tell me more cj\bin\Asr1600\TOSEXE.EXE
2009-04-01 20:50 . 2009-04-01 20:50 28672 ----a-w c:\tell me more cj\bin\Asr1600\TOS.DLL
2009-04-01 20:50 . 2009-04-01 20:50 39936 ----a-w c:\tell me more cj\bin\Asr1600\SPE1600.DLL
2009-04-01 20:50 . 2009-04-01 20:50 163840 ----a-w c:\tell me more cj\bin\Asr1600\SPI1600.DLL
2009-04-01 20:50 . 2009-04-01 20:50 8192 ----a-w c:\tell me more cj\bin\Asr1600\SHAREMEM.DLL
2009-04-01 20:50 . 2009-04-01 20:50 27648 ----a-w c:\tell me more cj\bin\Asr1600\SH22W32.DLL
2009-04-01 20:50 . 2009-04-01 20:50 12288 ----a-w c:\tell me more cj\bin\Asr1600\NAMESEAO.DLL
2009-04-01 20:50 . 2009-04-01 20:50 65536 ----a-w c:\tell me more cj\bin\Asr1600\P2SP.DLL
2009-04-01 20:50 . 2009-04-01 20:50 77878 ----a-w c:\tell me more cj\bin\Asr1600\MSVCIRT.DLL
2009-04-01 20:50 . 2009-04-01 20:50 200704 ----a-w c:\tell me more cj\bin\Asr1600\GRAMMAR.DLL
2009-04-01 20:50 . 2009-04-01 20:50 56740 ----a-w c:\tell me more cj\bin\Asr1600\DEBUGOUT.DLL
2009-04-01 20:50 . 2009-04-01 20:50 36864 ----a-w c:\tell me more cj\bin\Asr1600\ENCIO.DLL
2009-04-01 20:50 . 2009-04-01 20:50 167936 ----a-w c:\tell me more cj\bin\Asr1600\CW3215.DLL
2009-04-01 20:50 . 2009-04-01 20:50 36864 ----a-w c:\tell me more cj\bin\Asr1600\CASRAPI.DLL
2009-04-01 20:50 . 2009-04-01 20:50 36864 ----a-w c:\tell me more cj\bin\Asr1600\BINIMP.DLL
2009-04-01 20:50 . 2009-04-01 20:50 2940 ----a-w c:\tell me more cj\bin\Asr1600\ASRAPI.INI
2009-04-01 20:50 . 2009-04-01 20:50 421888 ----a-w c:\tell me more cj\bin\Asr1600\ASRAPICL.DLL
2009-04-01 20:50 . 2009-04-01 20:50 114688 ----a-w c:\tell me more cj\bin\Asr1600\ASR1600.DLL
2009-04-01 20:50 . 2009-04-01 20:50 77824 ----a-w c:\tell me more cj\bin\ASR32313.DLL
2009-04-01 20:50 . 2009-04-01 20:50 7414 ----a-w c:\tell me more cj\bin\TONE.WAV
2009-04-01 20:50 . 2009-04-01 20:50 886900 ----a-w c:\tell me more cj\bin\PENDU1.WAV
2009-04-01 20:50 . 2009-04-01 20:50 240342 ----a-w c:\tell me more cj\bin\GOOD5.WAV
2009-04-01 20:50 . 2009-04-01 20:50 222734 ----a-w c:\tell me more cj\bin\GOOD4.WAV
2009-04-01 20:50 . 2009-04-01 20:50 210514 ----a-w c:\tell me more cj\bin\GOOD3.WAV
2009-04-01 20:50 . 2009-04-01 20:50 366102 ----a-w c:\tell me more cj\bin\GOOD2.WAV
2009-04-01 20:50 . 2009-04-01 20:50 82310 ----a-w c:\tell me more cj\bin\GOOD1.WAV
2009-04-01 20:50 . 2009-04-01 20:50 121134 ----a-w c:\tell me more cj\bin\Bad8.wav
2009-04-01 20:50 . 2009-04-01 20:50 262282 ----a-w c:\tell me more cj\bin\Bad7.wav
2009-04-01 20:50 . 2009-04-01 20:50 215388 ----a-w c:\tell me more cj\bin\Bad6.wav
2009-04-01 20:50 . 2009-04-01 20:50 209454 ----a-w c:\tell me more cj\bin\Bad5.wav
2009-04-01 20:50 . 2009-04-01 20:50 126510 ----a-w c:\tell me more cj\bin\Bad4.wav
2009-04-01 20:50 . 2009-04-01 20:50 318510 ----a-w c:\tell me more cj\bin\Bad3.wav
2009-04-01 20:50 . 2009-04-01 20:50 114142 ----a-w c:\tell me more cj\bin\BAD2.WAV
2009-04-01 20:50 . 2009-04-01 20:50 158050 ----a-w c:\tell me more cj\bin\BAD1.WAV
2009-04-01 20:50 . 2009-04-01 20:50 865 ----a-w c:\tell me more cj\bin\PALETTE.PNG
2009-04-01 20:50 . 2009-04-01 20:50 550 ----a-w c:\tell me more cj\bin\PALPHON.PNG
2009-04-01 20:50 . 2009-04-01 20:50 867 ----a-w c:\tell me more cj\bin\PALACC.PNG
2009-04-01 20:50 . 2009-04-01 20:50 887 ----a-w c:\tell me more cj\bin\PALBANDE.PNG
2009-04-01 20:50 . 2009-04-01 20:50 924 ----a-w c:\tell me more cj\bin\PALCHOIX.PNG
2009-04-01 20:50 . 2009-04-01 20:50 9550 ----a-w c:\tell me more cj\bin\FONMENUE.PNG
2009-04-01 20:50 . 2009-04-01 20:50 4316 ----a-w c:\tell me more cj\bin\FONMENUL.PNG
2009-04-01 20:50 . 2009-04-01 20:50 10207 ----a-w c:\tell me more cj\bin\FONDLGSE.PNG
2009-04-01 20:50 . 2009-04-01 20:50 32107 ----a-w c:\tell me more cj\bin\FONDLGSL.PNG
2009-04-01 20:50 . 2009-04-01 20:50 11845 ----a-w c:\tell me more cj\bin\FONDLGE.PNG
2009-04-01 20:50 . 2009-04-01 20:50 24620 ----a-w c:\tell me more cj\bin\FONDLGL.PNG
2009-04-01 20:50 . 2009-04-01 20:50 21724 ----a-w c:\tell me more cj\bin\FONDLGCE.PNG
2009-04-01 20:50 . 2009-04-01 20:50 27564 ----a-w c:\tell me more cj\bin\FONDLGCL.PNG
2009-04-01 20:50 . 2009-04-01 20:50 705372 ----a-w c:\tell me more cj\bin\Fonts\Times.tal
2009-04-01 20:50 . 2009-04-01 20:50 711016 ----a-w c:\tell me more cj\bin\Fonts\Courier.tal
2009-04-01 20:50 . 2009-04-01 20:50 59087 ----a-w c:\tell me more cj\bin\Fonts\AuraPhone.tal
2009-04-01 20:50 . 2009-04-01 20:50 586356 ----a-w c:\tell me more cj\bin\Fonts\Arial.tal
2009-04-01 20:50 . 2009-04-01 20:50 77824 ----a-w c:\tell me more cj\bin\zlib.dll
2009-04-01 20:50 . 2009-04-01 20:50 792204 ----a-w c:\tell me more cj\bin\Vocablos.dic
2009-04-01 20:50 . 2009-04-01 20:50 204800 ----a-w c:\tell me more cj\bin\Unsetup.exe
2009-04-01 20:50 . 2009-04-01 20:50 188416 ----a-w c:\tell me more cj\bin\Trace.dll
2009-04-01 20:50 . 2009-04-01 20:50 129536 ----a-w c:\tell me more cj\bin\snf.dll
2009-04-01 20:50 . 2009-04-01 20:50 174352 ----a-w c:\tell me more cj\bin\RichEd32.dll
2009-04-01 20:50 . 2009-04-01 20:50 1441857 ----a-w c:\tell me more cj\bin\Receiver.exe
2009-04-01 20:50 . 2009-04-01 20:50 174352 ----a-w c:\tell me more cj\bin\RchedTUR.dll
2009-04-01 20:50 . 2009-04-01 20:50 174352 ----a-w c:\tell me more cj\bin\RchedPOL.dll
2009-04-01 20:50 . 2009-04-01 20:50 174352 ----a-w c:\tell me more cj\bin\RchedJPN.dll
2009-04-01 20:50 . 2009-04-01 20:50 174352 ----a-w c:\tell me more cj\bin\RchedHUN.dll
2009-04-01 20:50 . 2009-04-01 20:50 174352 ----a-w c:\tell me more cj\bin\RchEdGRE.dll
2009-04-01 20:50 . 2009-04-01 20:50 197392 ----a-w c:\tell me more cj\bin\RchedCHT.dll
2009-04-01 20:50 . 2009-04-01 20:50 194560 ----a-w c:\tell me more cj\bin\RchEdCHS.dll
2009-04-01 20:50 . 2009-04-01 20:50 266293 ----a-w c:\tell me more cj\bin\MSVCRT.DLL
2009-04-01 20:50 . 2009-04-01 20:50 401462 ----a-w c:\tell me more cj\bin\MSVCP60.DLL
2009-04-01 20:50 . 2009-04-01 20:50 77878 ----a-w c:\tell me more cj\bin\MSVCIRT.DLL
2009-04-01 20:50 . 2009-04-01 20:50 1667210 ----a-w c:\tell me more cj\bin\MoteurFrancais.dll
2009-04-01 20:50 . 2009-04-01 20:50 995328 ----a-w c:\tell me more cj\bin\MoteurEspagnol.dll
2009-04-01 20:50 . 2009-04-01 20:50 995383 ----a-w c:\tell me more cj\bin\MFC42.DLL
2009-04-01 20:50 . 2009-04-01 20:50 425984 ----a-w c:\tell me more cj\bin\LibImg.dll
2009-04-01 20:50 . 2009-04-01 20:50 311296 ----a-w c:\tell me more cj\bin\LH16Int.dll
2009-04-01 20:50 . 2009-04-01 20:50 450560 ----a-w c:\tell me more cj\bin\INSOsh.dll
2009-04-01 20:50 . 2009-04-01 20:50 3289885 ----a-w c:\tell me more cj\bin\Grammar.lex
2009-04-01 20:50 . 2009-04-01 20:50 1511769 ----a-w c:\tell me more cj\bin\GEN3MEN0.DAT
2009-04-01 20:50 . 2009-04-01 20:50 79984 ----a-w c:\tell me more cj\bin\gapi32.dll
2009-04-01 20:50 . 2009-04-01 20:50 217145 ----a-w c:\tell me more cj\bin\CorrectorMS.dll
2009-04-01 20:50 . 2009-04-01 20:50 815173 ----a-w c:\tell me more cj\bin\CorrectorLH.dll
2009-04-01 20:50 . 2009-04-01 20:50 602181 ----a-w c:\tell me more cj\bin\CorrectorES.dll
2009-04-01 20:50 . 2009-04-01 20:50 1761532 ----a-w c:\tell me more cj\bin\corr101.dic
2009-04-01 20:50 . 2009-04-01 20:50 1080600 ----a-w c:\tell me more cj\bin\CorLex.dic
2009-04-01 20:50 . 2009-04-01 20:50 143360 ----a-w c:\tell me more cj\bin\ConjuITA.dll
2009-04-01 20:50 . 2009-04-01 20:50 114688 ----a-w c:\tell me more cj\bin\ConjuFRA.dll
2009-04-01 20:50 . 2009-04-01 20:50 122880 ----a-w c:\tell me more cj\bin\ConjuESP.dll
2009-04-01 20:50 . 2009-04-01 20:50 118784 ----a-w c:\tell me more cj\bin\ConjuDUT.dll
2009-04-01 20:50 . 2009-04-01 20:50 69632 ----a-w c:\tell me more cj\bin\ConjuANG.dll
2009-04-01 20:50 . 2009-04-01 20:50 69632 ----a-w c:\tell me more cj\bin\ConjuAME.dll
2009-04-01 20:50 . 2009-04-01 20:50 188416 ----a-w c:\tell me more cj\bin\ConjuALL.dll

New combofix.txt log cont.

Post by Pickzilla87 on Mon May 04, 2009 4:52 pm

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 16:33 . 2009-05-04 16:33 16384 c:\windows\temp\Perflib_Perfdata_2a0.dat
+ 2009-05-01 19:51 . 2009-03-12 08:43 39984 c:\windows\system32\drivers\NIS\1005000.087\symndisv.sys
+ 2009-05-01 19:51 . 2009-03-12 08:43 37296 c:\windows\system32\drivers\NIS\1005000.087\symndis.sys
+ 2009-05-01 19:51 . 2009-03-12 08:43 34736 c:\windows\system32\drivers\NIS\1005000.087\symids.sys
+ 2009-05-01 19:51 . 2009-03-12 08:43 89776 c:\windows\system32\drivers\NIS\1005000.087\symfw.sys
+ 2009-05-01 19:51 . 2009-03-12 08:43 43696 c:\windows\system32\drivers\NIS\1005000.087\srtspx.sys
- 2006-01-14 08:31 . 2009-04-29 21:04 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-01-14 08:31 . 2009-05-01 19:56 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-01-14 08:31 . 2009-04-29 21:04 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-01-14 08:31 . 2009-05-01 19:56 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-01-14 08:31 . 2009-04-29 21:04 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-01-14 08:31 . 2009-05-01 19:56 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-03-27 17:12 . 2009-04-29 23:26 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 23040 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 61440 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 27136 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 11264 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 12288 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 4096 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-05-01 19:51 . 2009-03-12 08:43 217392 c:\windows\system32\drivers\NIS\1005000.087\symtdi.sys
+ 2009-05-01 19:51 . 2009-03-12 08:43 310320 c:\windows\system32\drivers\NIS\1005000.087\SymEFA.sys
+ 2009-05-01 19:51 . 2009-03-12 08:43 307760 c:\windows\system32\drivers\NIS\1005000.087\srtsp.sys
+ 2009-05-01 19:51 . 2009-05-01 19:51 482352 c:\windows\system32\drivers\NIS\1005000.087\cchpx86.sys
+ 2009-05-01 19:51 . 2009-03-12 08:43 258608 c:\windows\system32\drivers\NIS\1005000.087\BHDrvx86.sys
+ 2006-03-27 17:12 . 2009-04-29 23:26 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 409600 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 286720 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 249856 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 794624 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 135168 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-03-27 17:12 . 2009-04-29 23:26 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2006-03-27 17:12 . 2009-04-16 02:45 593920 c:\windows\Installer\{91110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 49263]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-13 185896]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-5 24576]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2006-2-12 315392]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bryan Pickett^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Bryan Pickett\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\Drivers\NIS\1005000.087\BHDrvx86.sys [2009-03-12 258608]
S1 ccHP;Symantec Hash Provider;c:\windows\System32\Drivers\NIS\1005000.087\ccHPx86.sys [2009-05-01 482352]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - CZQCYDEL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-04 12:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2843965866-2509467514-2980951161-1005\Software\SecuROM\License information*]
"datasecu"=hex:28,2e,40,a4,2a,59,55,f9,fc,0a,20,f8,2d,0e,3c,f4,ab,05,ea,59,f7,
1a,57,10,2b,6a,74,13,bb,ba,1d,47,57,3e,8d,73,92,ee,1a,4a,91,3c,2a,54,ca,67,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(460)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\VentSrv\ventrilo_svc.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\VentSrv\ventrilo_srv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-04 12:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-04 16:38
ComboFix2.txt 2009-04-29 21:11

Pre-Run: 31,728,250,880 bytes free
Post-Run: 31,756,283,904 bytes free

485 --- E O F --- 2009-04-29 23:26

Re: 2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Belahzur on Mon May 04, 2009 4:57 pm

One more round, then that should do it.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
CZQCYDEL

File::
c:\windows\system32\drivers\pkywidyh.sys

Save this as CFScript.txt, and save it to your desktop as well.
Then drag and drop CFScript.txt onto combofix as seen below:

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by coffei on Sat May 09, 2009 1:43 am

[You must be registered and logged in to see this link.] wrote: I can't know anything until you can post the Combofix log.

I also had the same issue with my computer, and I read the posts that you sent and deleted the items. Can you also let me know if I have all the infected files deleted? I would really appreciate it.
Here's the next combofix log.

ComboFix 09-05-08.03 - MO 05/08/2009 21:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.504.101 [GMT -4:00]
Running from: c:\documents and settings\MO\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\sysguard.exe
c:\windows\system32\iehelper.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
.

2009-05-06 10:00 . 2009-05-06 10:00 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\SupportSoft
2009-05-06 07:05 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-06 07:05 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-06 07:05 . 2009-05-06 07:05 -------- d-----w c:\windows\system32\KB905474
2009-04-10 16:10 . 2009-05-08 17:07 -------- d--h--w C:\$AVG8.VAULT$
2009-04-09 19:09 . 2009-05-01 13:30 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-09 19:09 . 2009-05-01 13:30 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-09 19:09 . 2009-05-01 13:30 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-09 19:09 . 2009-05-08 22:37 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-09 19:09 . 2009-05-06 16:00 -------- d-----w c:\documents and settings\MO\Application Data\AVGTOOLBAR
2009-04-09 19:08 . 2009-04-09 19:08 -------- d-----w c:\program files\AVG
2009-04-09 19:08 . 2009-04-09 19:08 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-09 01:01 . 2007-07-06 20:20 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-30 18:11 . 2009-04-30 18:11 0 ----a-w C:\LOG60A.tmp
2009-04-26 23:51 . 2007-07-11 21:59 78240 -c--a-w c:\documents and settings\MO\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-25 15:05 . 2007-07-07 02:55 -------- d-----w c:\program files\Common Files\Adobe
2009-04-25 14:40 . 2008-10-26 22:41 -------- d-----w c:\program files\Free Ride Games
2009-04-24 17:55 . 2008-07-24 03:10 -------- d-----w c:\program files\NokiaFREE Unlock Codes Calculator
2009-04-22 18:58 . 2008-06-01 16:32 -------- d-----w c:\program files\Google
2009-04-22 13:36 . 2009-04-22 13:36 0 ----a-w C:\LOG44D.tmp
2009-04-20 02:30 . 2009-04-20 02:30 0 ----a-w C:\LOG238.tmp
2009-04-17 15:25 . 2009-04-17 15:25 0 ----a-w C:\LOG4A7.tmp
2009-04-10 13:13 . 2009-04-10 13:13 0 ----a-w C:\LOG1B1.tmp
2009-04-03 11:07 . 2008-12-31 22:25 -------- d-----w c:\program files\FrostWire
2009-03-27 03:52 . 2009-03-27 03:52 0 ----a-w C:\LOGB44D.tmp
2009-03-23 15:31 . 2009-03-23 15:31 0 ----a-w C:\LOG13F6.tmp
2009-03-18 13:38 . 2009-03-18 13:38 0 ----a-w C:\LOG767B.tmp
2009-03-17 13:44 . 2009-03-17 13:44 0 ----a-w C:\LOG6BD.tmp
2009-03-12 14:26 . 2009-03-12 14:26 0 ----a-w C:\LOG198A.tmp
2009-03-10 00:25 . 2009-03-10 00:25 0 ----a-w C:\LOG57F9.tmp
2009-03-06 14:44 . 2004-08-04 04:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-05 19:37 . 2009-03-05 19:37 0 ----a-w C:\LOG1A14.tmp
2009-03-04 11:32 . 2009-03-04 11:32 0 ----a-w C:\LOG19E7.tmp
2009-03-03 00:18 . 2004-08-04 04:56 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-25 04:48 . 2009-02-25 04:48 0 ----a-w C:\LOG8416.tmp
2009-02-24 14:32 . 2009-02-24 14:32 0 ----a-w C:\LOG8286.tmp
2009-02-23 17:37 . 2009-02-23 17:37 0 ----a-w C:\LOG8021.tmp
2009-02-20 18:09 . 2004-08-04 04:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 16:54 . 2009-04-28 02:04 195288 ----a-w c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2009-02-19 16:12 . 2009-02-19 16:12 0 ------w C:\LOG2D.tmp
2009-02-19 07:41 . 2009-02-19 07:41 0 ------w C:\LOGEC1.tmp
2009-02-12 05:03 . 2008-09-17 01:08 256 -c--a-w c:\windows\system32\pool.bin
2009-02-09 15:48 . 2009-02-09 15:48 0 ------w C:\LOG3185.tmp
2009-02-09 10:20 . 2004-08-04 04:56 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 04:56 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 04:56 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:20 . 2004-08-04 04:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:19 . 2004-08-04 03:17 1846272 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-09 03:08 279944 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-09 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2008-06-17 2057728]
"Performance Center"="c:\program files\Ascentive\Performance Center\ApcMain.exe" [2008-08-13 3244032]
"PC SpeedScan Pro"="c:\program files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe" [2008-08-21 2093056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-02-04 1695744]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-06 185632]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"au"="c:\program files\Dealio\DealioAU.exe" [2007-10-09 492896]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-01 1947928]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"LTMSG"="LTMSG.exe" - c:\windows\ltmsg.exe [2003-07-14 40960]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2008-06-17 2057728]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

c:\documents and settings\MO\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-9-3 114688]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2007-7-25 819200]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 13:30 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/9/2009 3:09 PM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/9/2009 3:09 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/9/2009 3:08 PM 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/18/2008 9:10 PM 24652]
R2 X4HSX32Ex;X4HSX32Ex;c:\program files\Free Ride Games\X4HSX32Ex.sys [10/26/2008 6:41 PM 29856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [3/6/2009 9:03 PM 101936]
S2 gupdate1c8c405274a01c2;Google Update Service (gupdate1c8c405274a01c2);c:\program files\Google\Update\GoogleUpdate.exe [7/15/2008 9:09 PM 133104]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bb9b24f4-cd69-11dd-b63d-000ea60eb10b}]
\Shell\AutoRun\command - G:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 21:57]

2009-05-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-16 22:34]

2009-05-09 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-06 02:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - c:\windows\system32\iehelper.dll
HKCU-Run-ares - c:\program files\Ares\Ares.exe

coffei
Beginner

Posts : 2
Joined : 2009-05-09
OS : XP
Points : 27682
Likes : 0

2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by coffei on Sat May 09, 2009 1:45 am

Here is the rest:

---- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mWindow Title = Windows Internet Explorer provided by Comcast
IE: Compare Prices with &Dealio - c:\documents and settings\MO\Application Data\Dealio\kb124\res\DealioSearch.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\MO\Application Data\Mozilla\Firefox\Profiles\2eauyr0w.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\MO\Application Data\Mozilla\Firefox\Profiles\2eauyr0w.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Free Ride Games\npExentCtl.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
pref(dom.disable_open_during_load, true);.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-08 21:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-113007714-682003330-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1202660629-113007714-682003330-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1202660629-113007714-682003330-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-1202660629-113007714-682003330-1003\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b
.
Completion time: 2009-05-09 21:11
ComboFix-quarantined-files.txt 2009-05-09 01:10

Pre-Run: 6,030,262,272 bytes free
Post-Run: 6,241,120,256 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

235 --- E O F --- 2009-05-06 07:05

coffei

Re: 2009 Spyware spams and BankerFox.A and Win32/Nuqel.E

Post by Belahzur on Sat May 09, 2009 1:53 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
