Trojan horse from stupid p2p
   

Posted 9-20-2008 6:59 (GMT +1) by kungfukahuna (New Member, joined Jun 2007, 38 posts)

Received a trojan horse from a download.

I will get rid of the p2p and torrent software, but I can't until I can get rid of this trojan.

It brings up Active Desktop Recovery, so I can't access much, and my Control Panel, among other items, is gone from the Start menu. I've run AVGAS and SUPERAntiSpyware; it's cut down on some of the hassle, but some problems still remain. Please help!!!
 


Posted 9-20-2008 7:37 (GMT +1) by Touch (Forum Moderator, joined Jun 2004, 16319 posts)

Hello.

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please save it to a convenient location.

NB: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-------------------------------------------

Please download Combofix and save it to the desktop.

Close all other browser windows.

Important -> Temporarily disable your anti-virus real-time protection before performing a scan. It can interfere with Combofix or remove some of its embedded files, which may cause "unpredictable results".

Go to Start->Run, copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Please note that once you start Combofix you should not click anywhere on the Combofix window, as it can cause the program to stall. In fact, when Combofix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Post the contents of that log in your next reply, along with the Malwarebytes' Anti-Malware log.

Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

 


Posted 9-21-2008 12:59 (GMT +1) by kungfukahuna (New Member, joined Jun 2007, 38 posts)

Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3

9/20/2008 7:39:01 PM
mbam-log-2008-09-20 (19-39-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 107370
Time elapsed: 1 hour(s), 0 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 16
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{f9fa603d-697c-4900-a950-e54f08324a24} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.bemv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\fqbewlna.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76487-640-8365391-23140) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (h:mm:ss tt) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\User\Local Settings\Temp\TDSS63.tmp (Trojan.Multis) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\TDSSca11.tmp (Trojan.Multis) -> Quarantined and deleted successfully.
C:\WINNT\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\mqgldfvo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\x (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\MicroAV.cpl (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\MicroAV\MicroAV.exe (Rogue.MicroAntivirus) -> Delete on reboot.
C:\Documents and Settings\User\desktop\QUALITY PORN.url (Rogue.Link) -> Quarantined and deleted successfully.



----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




ComboFix 08-09-20.05 - User 2008-09-20 19:49:18.2 - NTFSx86
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MicroAV
C:\Program Files\MicroAV\MicroAV.cpl
C:\Program Files\MicroAV\MicroAV.ooo
C:\Program Files\MicroAV\MicroAV1.dat
C:\WINNT\eflx.exe

.
((((((((((((((((((((((((( Files Created from 2008-08-20 to 2008-09-20 )))))))))))))))))))))))))))))))
.

2008-09-20 15:25 . 2008-09-20 15:25 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-09-20 15:17 . 2008-09-20 15:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 15:17 . 2008-09-20 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 15:17 . 2008-09-20 15:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-20 15:17 . 2008-09-10 00:04 38,528 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-20 15:17 . 2008-09-10 00:03 17,200 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-09-20 15:11 . 2008-09-20 15:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ulead Systems
2008-09-20 15:10 . 2008-09-20 15:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-09-20 15:10 . 2008-09-20 15:10 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-16 17:00 . 2008-04-14 00:16 48,128 --a------ C:\WINNT\system32\drivers\61883.sys
2008-09-16 17:00 . 2008-04-14 00:16 48,128 --a--c--- C:\WINNT\system32\dllcache\61883.sys
2008-09-16 17:00 . 2008-04-14 00:16 38,912 --a------ C:\WINNT\system32\drivers\avc.sys
2008-09-16 17:00 . 2008-04-14 00:16 38,912 --a--c--- C:\WINNT\system32\dllcache\avc.sys
2008-09-16 16:55 . 2008-09-16 16:55 <DIR> d-------- C:\Program Files\Digital Photo Navigator 1.5
2008-09-04 21:50 . 2008-09-04 21:51 38 --a------ C:\WINNT\AviSplitter.INI
2008-09-02 01:24 . 2008-09-02 01:24 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-09-02 01:24 . 2008-07-09 04:05 421,888 --a------ C:\WINNT\system32\ac3filter.acm
2008-08-30 01:35 . 2008-09-01 18:15 <DIR> d-------- C:\Program Files\ICE Book Reader Professional
2008-08-30 01:27 . 2008-08-30 01:28 <DIR> d-------- C:\Program Files\Microsoft Reader
2008-08-30 01:27 . 2003-06-05 17:15 57,436 --a------ C:\WINNT\DASShp.dll
2008-08-29 19:58 . 2008-08-29 19:58 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-29 19:56 . 2008-08-29 21:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rosetta Stone
2008-08-28 18:19 . 2008-09-02 01:25 <DIR> d-------- C:\MTV_OUTPUT
2008-08-20 22:50 . 2008-08-20 23:01 <DIR> d-------- C:\Program Files\PFConfig
2008-08-20 22:44 . 2008-08-20 22:44 <DIR> d-------- C:\Program Files\uTorrent
2008-08-20 22:44 . 2008-09-19 18:03 <DIR> d-------- C:\Documents and Settings\User\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 06:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-20 05:48 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-09-19 20:58 --------- d-----w C:\Program Files\PeerGuardian2
2008-09-19 19:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-18 18:18 --------- d-----w C:\Documents and Settings\User\Application Data\OpenOffice.org2
2008-09-18 03:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-16 20:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-07 23:49 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2008-09-02 21:39 --------- d-----w C:\Program Files\MySpace
2008-09-02 21:38 --------- d-----w C:\Program Files\BitComet
2008-09-02 05:53 --------- d-----w C:\Documents and Settings\User\Application Data\DNA
2008-09-01 21:27 --------- d-----w C:\Program Files\DNA
2008-08-30 04:50 --------- d-----w C:\Program Files\Java
2008-08-21 06:47 361,600 ----a-w C:\WINNT\system32\drivers\TCPIP.SYS.ORIGINAL
2008-08-21 06:47 361,600 ----a-w C:\WINNT\system32\drivers\TCPIP.SYS
2008-08-16 00:02 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-13 22:29 29,696 ----a-w C:\WINNT\mickey32.dll
2008-08-13 22:29 232,784 ----a-w C:\WINNT\Matrix Code.scr
2008-08-13 22:29 2,285,222 ----a-w C:\WINNT\Matrix Code.exe
2008-08-08 00:11 --------- d-----w C:\Documents and Settings\User\Application Data\Amazon
2008-08-08 00:09 --------- d-----w C:\Program Files\Amazon
2008-08-02 02:40 --------- d-----w C:\Program Files\LimeWire
2008-07-28 11:40 1,003,520 ----a-w C:\WINNT\system32\VSFilter.dll
2008-07-23 16:12 --------- d-----w C:\Documents and Settings\User\Application Data\GlarySoft
2008-07-23 16:09 --------- d-----w C:\Program Files\Glary Utilities
2008-07-20 03:01 --------- d-----w C:\Program Files\AIMTunes
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINNT\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINNT\system32\es.dll
2008-07-05 10:14 456,192 ----a-w C:\WINNT\system32\libmplayer.dll
2008-07-05 10:14 3,591,168 ----a-w C:\WINNT\system32\libavcodec.dll
2008-07-05 10:13 708,096 ----a-w C:\WINNT\system32\ff_x264.dll
2008-06-24 22:12 295,936 ----a-w C:\WINNT\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINNT\system32\mscms.dll
2008-06-23 15:09 666,112 ----a-w C:\WINNT\system32\wininet.dll
2008-06-22 16:34 177,664 ----a-w C:\WINNT\system32\ff_theora.dll
2008-06-20 17:46 245,248 ----a-w C:\WINNT\system32\mswsock.dll
2007-07-12 17:10 827,392 -c--a-w C:\WINNT\system32\config\systemprofile\NTUSER(2).DAT
2007-05-27 08:35 271 --sh--w C:\Program Files\desktop.ini
2007-05-27 08:35 21,952 -c-ha-w C:\Program Files\folder.htt
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINNT\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINNT\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINNT\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-02-27 00:36 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINNT\$NtServicePackUninstall$\tcpip.sys
2007-08-09 01:19 359040 80082776f5f39852ee40c521806e1135 C:\WINNT\$NtUninstallKB917953$\tcpip.sys
2007-08-25 02:19 359808 8d8949936913b041c6a0e184fbf1030b C:\WINNT\$NtUninstallKB941644$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINNT\$NtUninstallKB951748$\tcpip.sys
2003-06-19 15:05 332144 5f1be742b1f2196663255991ae7acc83 C:\WINNT\$NtUpdateRollupPackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINNT\ServicePackFiles\i386\TCPIP.SYS
2008-08-21 02:47 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINNT\system32\dllcache\TCPIP.SYS
2008-08-21 02:47 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINNT\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run"="8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run" [X]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 1382400]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-06 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-20 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run"="8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run" [X]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"CRBroadCasting"="C:\Program Files\CardReader2.0\CRBroadCasting.exe" [2004-02-26 24576]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 139264]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RemoteControl"="C:\WINNT\System32\rmctrl.exe" [2000-10-16 32768]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2007-01-17 496640]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 36864]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"Monitor"="C:\WINNT\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Synchronization Manager"="mobsync.exe" [2008-04-14 C:\WINNT\system32\mobsync.exe]
"VTTimer"="VTTimer.exe" [2005-03-07 C:\WINNT\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006-04-11 C:\WINNT\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 C:\WINNT\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 44544]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-08-26 557568]
YouTube Uploader.lnk - C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 71152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PC Alert 4.lnk - C:\Program Files\MSI\PC Alert 4\PCAlert4.exe [2007-06-06 552960]
SecureDoc.lnk - C:\Program Files\MSI\SecureDoc\Logon.exe [2007-05-27 82944]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-20 01:48 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.FFDS"= ffdshow.ax
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Monitor"=C:\WINNT\PixArt\PAC207\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitPim\\bitpimw.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINNT\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6999:TCP"= 6999:TCP:BitTorrent
"49153:TCP"= 49153:TCP:BitComet 11718 TCP
"49153:UDP"= 49153:UDP:BitComet 11718 UDP


*Newly Created Service* - PCALERTDRIVER
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Google Update - C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.1.25.0\GoogleUpdate.exe
SSODL-mgxfebsq-{1CB9EE2A-9FCC-4689-9C94-E98E22116D8B} - C:\WINNT\mgxfebsq.dll
SSODL-dtseqrxk-{8AB856FB-A088-4B21-B432-CA89B6DFB99F} - C:\WINNT\dtseqrxk.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7ts6m72u.default\
FF -: plugin - C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.121.7\npGoogleOneClick.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-20 19:51:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\ginamsi.dll
.
Completion time: 2008-09-20 19:55:33
ComboFix-quarantined-files.txt 2008-09-20 23:54:30

Pre-Run: 13,039,947,776 bytes free
Post-Run: 13,042,737,152 bytes free

218 --- E O F --- 2008-09-16 13:03:52
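The Registry Data Items section of the MBAM log above shows what the rogue actually changed: Start menu entries hidden, Task Manager and Display Properties disabled, two drive letters hidden via NoDrives, and the .reg file handler broken. As an added example, not part of this thread or of Malwarebytes, the PowerShell below re-reads those same values and reports any that still hold the "Bad" data; value names and Good/Bad data are copied from the log, and it assumes it is run as the affected user (the values live under HKCU).

```powershell
# Added example (not from the thread or from Malwarebytes): audit the Explorer/System policy
# values the MBAM log reported as hijacked. Report only by default; -Repair restores the Good data.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

$checks = @()
# Start menu items the rogue hid (log: Bad 0, Good 1)
foreach ($n in 'Start_ShowControlPanel', 'Start_ShowRun', 'Start_ShowSearch',
               'Start_ShowHelp', 'Start_ShowMyDocs', 'Start_ShowMyComputer') {
    $checks += @{ Path = $advanced; Name = $n; Good = 1; Bad = 0 }
}
# Explorer/System restrictions the rogue switched on (log: Bad 1 or 12, Good 0)
$checks += @{ Path = $explorer; Name = 'NoStartMenuMorePrograms'; Good = 0; Bad = 1 }
$checks += @{ Path = $explorer; Name = 'StartMenuLogOff';         Good = 0; Bad = 1 }
$checks += @{ Path = $explorer; Name = 'NoDrives';                Good = 0; Bad = 12 }  # bitmask 4+8 = C: and D: hidden
$checks += @{ Path = $explorer; Name = 'NoToolbarCustomize';      Good = 0; Bad = 1 }
$checks += @{ Path = $explorer; Name = 'NoSetFolders';            Good = 0; Bad = 1 }
$checks += @{ Path = $system;   Name = 'DisableTaskMgr';          Good = 0; Bad = 1 }
$checks += @{ Path = $system;   Name = 'NoDispCPL';               Good = 0; Bad = 1 }

function Test-PolicyHijack {
    param([hashtable[]]$Checks, [switch]$Repair)
    foreach ($c in $Checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # A missing Policies value means "not restricted" and a missing Start_Show* value
            # means Explorer's default, so absence is not a finding.
            [pscustomobject]@{ Value = "$($c.Path)\$($c.Name)"; Data = '<absent>'; State = 'default' }
            continue
        }
        $data  = [int]$item.($c.Name)
        $state = if ($data -eq $c.Good) { 'ok' } elseif ($data -eq $c.Bad) { 'HIJACKED' } else { 'unexpected' }
        if ($Repair -and $state -ne 'ok') {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Good -Type DWord
            $state += ' (repaired)'
        }
        [pscustomobject]@{ Value = "$($c.Path)\$($c.Name)"; Data = $data; State = $state }
    }
}

function Test-RegfileHandler {
    # The same log flagged HKCR\regfile\shell\open\command: the rogue wrapped regedit.exe in
    # quotes so .reg files no longer opened. Compare with the data MBAM restored.
    $cmd   = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command').'(default)'
    $state = if ($cmd -eq 'regedit.exe "%1"') { 'ok' } else { 'unexpected' }
    [pscustomobject]@{ Value = 'HKCR\regfile\shell\open\command'; Data = $cmd; State = $state }
}

Test-PolicyHijack -Checks $checks | Format-Table -AutoSize
Test-RegfileHandler | Format-Table -AutoSize
```

Running it after a cleanup with every row at "ok" or "default" confirms the Start menu, Task Manager and drive restrictions are really gone; a "HIJACKED" row after a reboot points at a persistence component MBAM did not remove.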
 


Posted 9-22-2008 6:13 (GMT +1) by Touch (Forum Moderator, joined Jun 2004, 16319 posts)

Please upload this file and have it scanned:

C:\WINNT\system32\dllcache\TCPIP.SYS

Post back the results.
 


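The moderator singles out tcpip.sys because the ComboFix log shows the live driver and its dllcache copy carrying a hash (cbeebeb8...) that matches none of the Service Pack or hotfix copies, next to a TCPIP.SYS.ORIGINAL with the same size and date. The PowerShell below is an added example, not part of the thread: it hashes the same copies locally, labels each hash with where ComboFix's Sigcheck section saw it, and warns if the live driver and the Windows File Protection cache copy disagree. It assumes $env:windir is the Windows directory (C:\WINNT on the poster's machine); the hashes are copied from the log.

```powershell
# Added example (not from the thread): hash the local tcpip.sys copies and compare them with the
# MD5s listed in the ComboFix Sigcheck section, instead of (or before) uploading the driver.

# MD5 -> where ComboFix saw that build (copied from the posted Sigcheck/Find3M sections)
$known = @{
    '93ea8d04ec73a85db02eb8805988f733' = 'Service Pack 3 build (ServicePackFiles\i386 and KB951748 uninstall copy)'
    'ad978a1b783b5719720cff204b666c8e' = 'KB951748 SP3QFE hotfix build ($hf_mig$)'
    'cbeebeb899e31ef52b962cb31fc8ca5c' = 'build dated 2008-08-21 found in drivers\ and dllcache\ on this machine'
}

$paths = @(
    "$env:windir\system32\drivers\tcpip.sys",
    "$env:windir\system32\drivers\tcpip.sys.original",   # extra copy listed in the Find3M report
    "$env:windir\system32\dllcache\tcpip.sys",           # Windows File Protection cache (hidden system folder)
    "$env:windir\ServicePackFiles\i386\tcpip.sys"
)

function Get-TcpipHashReport {
    param([string[]]$Paths, [hashtable]$Known)
    foreach ($p in $Paths) {
        # Test-Path and Get-FileHash see hidden and protected files regardless of Explorer's view
        # settings, so the dllcache copy is found even when Explorer does not show the folder.
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; MD5 = '<missing>'; Origin = ''; Signature = '' }
            continue
        }
        $md5    = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
        $origin = if ($Known.ContainsKey($md5)) { $Known[$md5] } else { 'not in the posted Sigcheck list' }
        # Authenticode status. OS drivers are catalog-signed, so older Windows builds may report
        # NotSigned here; sigverif.exe is the fallback check on those.
        $sig = (Get-AuthenticodeSignature -LiteralPath $p).Status
        [pscustomobject]@{ Path = $p; MD5 = $md5; Origin = $origin; Signature = $sig }
    }
}

$report = Get-TcpipHashReport -Paths $paths -Known $known
$report | Format-Table -AutoSize

# The live driver and its WFP cache copy must agree; a difference means one of them was replaced.
$live  = ($report | Where-Object Path -like '*\drivers\tcpip.sys').MD5
$cache = ($report | Where-Object Path -like '*\dllcache\tcpip.sys').MD5
if ($live -ne $cache) { Write-Warning "drivers\tcpip.sys ($live) differs from dllcache\tcpip.sys ($cache)" }
```

A hash outside the known list is not proof of malware (hotfixes replace the driver too); it is the cue to check the signature and, as done in this thread, to have the file scanned.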
 


Posted 9-23-2008 11:10 (GMT +1) by kungfukahuna (New Member, joined Jun 2007, 38 posts)

I couldn't find the folder marked dllcache in the system32 folder. I did a system-wide search and it didn't yield any results.
 


Posted 9-24-2008 6:15 (GMT +1) by Touch (Forum Moderator, joined Jun 2004, 16319 posts)

It can be a hidden file -
 
1. Click Start button, then go to Programs, Accessories and click on Windows Explorer.
2. Select the Tools menu and click Folder Options.
3. Select the View Tab.
4. Under the "Hidden files and folders" heading please check Show hidden files and folders.
5. Uncheck the Hide protected operating system files (Recommended) option.
6. Click Yes to confirm.
7. Click OK.
See if you can find it now.


 


Posted 9-27-2008 5:15 (GMT +1) by kungfukahuna (New Member, joined Jun 2007, 38 posts)

Found it! Here are the results:

File: TCPIP.SYS
Status: OK
MD5: cbeebeb899e31ef52b962cb31fc8ca5c
Packers detected: -

Scanner results (scan taken on 27 Sep 2008 04:09:35 (GMT)):
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
G DATA: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in !!!!e of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by HotelScraper.com.
Statistics
Last file scanned at least one scanner reported something about: test1.exe (MD5: ca83f66d629263a2a75066916339e815, size: 51841 bytes), detected by:

Scanner Malware name
A-Squared Trojan-Dropper.Win32.VB.xl!IK
AntiVir TR/Drop.VB.XL.1
ArcaVir Trojan.Dropper.Vb.Xl
Avast Win32:VB-HDH
AVG Antivirus VB.BXT
BitDefender Trojan.Generic.273990
ClamAV Trojan.Dropper-4869
CPsecure Troj.Dropper.W32.VB.xl
Dr.Web Trojan.MulDrop.11190
F-Prot Antivirus W32/Dropper.INK
F-Secure Anti-Virus Trojan-Dropper.Win32.VB.xl
G DATA Win32:VB-HDH
Ikarus Trojan-Dropper.Win32.VB.xl
Kaspersky Anti-Virus Trojan-Dropper.Win32.VB.xl
NOD32 probably a variant of Win32/Cryptoz
Norman Virus Control W32/Smalltroj.CKSR
Panda Antivirus X
Sophos Antivirus Mal/Dropper-AF
VirusBuster Trojan.DR.VB.DRVC
VBA32 Trojan-Dropper.Win32.VB.xl
Back to Top
 

kungfukahuna
New Member


Date Joined Jun 2007
Total Posts : 38
 
   Posted 9-27-2008 5:16 (GMT +1)    Quote: Trojan horse from stupid p2pAlert an admin about: Trojan horse from stupid p2p
Found it! Here's the results:



Service
Service load:
0% 100%
File: TCPIP.SYS
Status:
OK
MD5: cbeebeb899e31ef52b962cb31fc8ca5c
Packers detected:
-
Scanner results
Scan taken on 27 Sep 2008 04:09:35 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 16319
 
   Posted 9-27-2008 7:16 (GMT +1)
Looks clean :)

Uninstall ComboFix

Go to Start->Run, and type in ComboFix /u
Make sure there is a space between ComboFix and /u
Click Enter

This will ->
Uninstall ComboFix. Delete its related folders and files.

Then download newest version:

And save to the desktop.

Close all other browser windows.

Important-> Temporarily disable your anti-virus, real-time protection before performing a scan. They can interfere with combofix or remove some of its embedded files which may cause "unpredictable results".

Go to Start->Run and copy/paste: ComboFix /snapshot and hit OK. It should run Combofix.

Post combofix log

Do NOT post your problem in someone else's thread.
A non-profit, volunteer network.

 

kungfukahuna
New Member


Date Joined Jun 2007
Total Posts : 38
 
   Posted 10-5-2008 5:42 (GMT +1)
Here are the new log results:

ComboFix 08-10-04.07 - User 2008-10-05 12:19:55.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.205 [GMT -4:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

J:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_IAS


((((((((((((((((((((((((( Files Created from 2008-09-05 to 2008-10-05 )))))))))))))))))))))))))))))))
.

2008-09-23 23:36 . 2008-09-23 23:39 20,358 --a------ C:\WINNT\vgirl.prf
2008-09-23 23:34 . 2008-09-23 23:34 <DIR> d-------- C:\Program Files\Common Files\Totem Shared
2008-09-23 22:42 . 2008-09-23 22:44 152,920 --a------ C:\WINNT\system32\vghd.scr
2008-09-23 22:39 . 2008-09-24 00:27 <DIR> d-------- C:\Documents and Settings\User\Application Data\vghd
2008-09-20 15:25 . 2008-09-20 15:25 <DIR> d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-09-20 15:17 . 2008-09-20 15:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 15:17 . 2008-09-20 15:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 15:17 . 2008-09-20 15:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-09-20 15:17 . 2008-09-10 00:04 38,528 --a------ C:\WINNT\system32\drivers\mbamswissarmy.sys
2008-09-20 15:17 . 2008-09-10 00:03 17,200 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-09-20 15:11 . 2008-09-20 15:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ulead Systems
2008-09-20 15:10 . 2008-09-20 15:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-09-20 15:10 . 2008-09-20 15:10 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-16 17:00 . 2008-04-14 00:16 48,128 --a------ C:\WINNT\system32\drivers\61883.sys
2008-09-16 17:00 . 2008-04-14 00:16 48,128 --a--c--- C:\WINNT\system32\dllcache\61883.sys
2008-09-16 17:00 . 2008-04-14 00:16 38,912 --a------ C:\WINNT\system32\drivers\avc.sys
2008-09-16 17:00 . 2008-04-14 00:16 38,912 --a--c--- C:\WINNT\system32\dllcache\avc.sys
2008-09-16 16:55 . 2008-09-16 16:55 <DIR> d-------- C:\Program Files\Digital Photo Navigator 1.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 22:25 --------- d-----w C:\Program Files\PeerGuardian2
2008-09-27 17:16 --------- d-----w C:\Documents and Settings\User\Application Data\OpenOffice.org2
2008-09-26 00:26 --------- d-----w C:\Documents and Settings\User\Application Data\uTorrent
2008-09-23 23:38 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2008-09-21 16:55 --------- d-----w C:\Program Files\Setup Files
2008-09-20 06:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-20 05:48 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-09-19 19:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-18 03:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-16 20:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-02 21:39 --------- d-----w C:\Program Files\MySpace
2008-09-02 21:38 --------- d-----w C:\Program Files\BitComet
2008-09-02 05:53 --------- d-----w C:\Documents and Settings\User\Application Data\DNA
2008-09-02 05:24 --------- d-----w C:\Program Files\XP Codec Pack
2008-09-01 22:15 --------- d-----w C:\Program Files\ICE Book Reader Professional
2008-09-01 21:27 --------- d-----w C:\Program Files\DNA
2008-08-30 05:28 --------- d-----w C:\Program Files\Microsoft Reader
2008-08-30 04:50 --------- d-----w C:\Program Files\Java
2008-08-30 01:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rosetta Stone
2008-08-29 23:58 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-08-21 06:47 361,600 ----a-w C:\WINNT\system32\drivers\TCPIP.SYS.ORIGINAL
2008-08-21 06:47 361,600 ----a-w C:\WINNT\system32\drivers\TCPIP.SYS
2008-08-21 03:01 --------- d-----w C:\Program Files\PFConfig
2008-08-21 02:44 --------- d-----w C:\Program Files\uTorrent
2008-08-16 00:02 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-08-13 22:29 29,696 ----a-w C:\WINNT\mickey32.dll
2008-08-13 22:29 232,784 ----a-w C:\WINNT\Matrix Code.scr
2008-08-13 22:29 2,285,222 ----a-w C:\WINNT\Matrix Code.exe
2008-08-08 00:11 --------- d-----w C:\Documents and Settings\User\Application Data\Amazon
2008-08-08 00:09 --------- d-----w C:\Program Files\Amazon
2008-07-28 11:40 1,003,520 ----a-w C:\WINNT\system32\VSFilter.dll
2008-07-19 02:10 94,920 ----a-w C:\WINNT\system32\cdm.dll
2008-07-19 02:10 53,448 ----a-w C:\WINNT\system32\wuauclt.exe
2008-07-19 02:10 45,768 ----a-w C:\WINNT\system32\wups2.dll
2008-07-19 02:10 36,552 ----a-w C:\WINNT\system32\wups.dll
2008-07-19 02:09 563,912 ----a-w C:\WINNT\system32\wuapi.dll
2008-07-19 02:09 325,832 ----a-w C:\WINNT\system32\wucltui.dll
2008-07-19 02:09 205,000 ----a-w C:\WINNT\system32\wuweb.dll
2008-07-19 02:09 1,811,656 ----a-w C:\WINNT\system32\wuaueng.dll
2008-07-07 20:26 253,952 ----a-w C:\WINNT\system32\es.dll
2008-07-05 10:14 456,192 ----a-w C:\WINNT\system32\libmplayer.dll
2008-07-05 10:14 3,591,168 ----a-w C:\WINNT\system32\libavcodec.dll
2008-07-05 10:13 708,096 ----a-w C:\WINNT\system32\ff_x264.dll
2007-07-12 17:10 827,392 -c--a-w C:\WINNT\system32\config\systemprofile\NTUSER(2).DAT
2007-05-27 08:35 271 --sh--w C:\Program Files\desktop.ini
2007-05-27 08:35 21,952 -c-ha-w C:\Program Files\folder.htt
.

------- Sigcheck -------

2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINNT\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINNT\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINNT\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-02-27 00:36 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINNT\$NtServicePackUninstall$\tcpip.sys
2007-08-09 01:19 359040 80082776f5f39852ee40c521806e1135 C:\WINNT\$NtUninstallKB917953$\tcpip.sys
2007-08-25 02:19 359808 8d8949936913b041c6a0e184fbf1030b C:\WINNT\$NtUninstallKB941644$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINNT\$NtUninstallKB951748$\tcpip.sys
2003-06-19 15:05 332144 5f1be742b1f2196663255991ae7acc83 C:\WINNT\$NtUpdateRollupPackUninstall$\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINNT\ServicePackFiles\i386\TCPIP.SYS
2008-08-21 02:47 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINNT\system32\dllcache\TCPIP.SYS
2008-08-21 02:47 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINNT\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run"="8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run" [X]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 1382400]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-06 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-20 1576176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run"="8888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run" [X]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"CRBroadCasting"="C:\Program Files\CardReader2.0\CRBroadCasting.exe" [2004-02-26 24576]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 139264]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RemoteControl"="C:\WINNT\System32\rmctrl.exe" [2000-10-16 32768]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2007-01-17 496640]
"UVS10 Preload"="C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" [2006-03-07 36864]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"RemoteControl8"="C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"PDVD8LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"Monitor"="C:\WINNT\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Synchronization Manager"="mobsync.exe" [2008-04-14 C:\WINNT\system32\mobsync.exe]
"VTTimer"="VTTimer.exe" [2005-03-07 C:\WINNT\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006-04-11 C:\WINNT\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-08-02 C:\WINNT\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2008-04-14 214528]
"tscuninstall"="C:\WINNT\system32\tscupgrd.exe" [2004-08-04 44544]

C:\Documents and Settings\User\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-08-26 557568]
YouTube Uploader.lnk - C:\Documents and Settings\User\Local Settings\Application Data\YouTube\Uploader\youtubeuploader.exe [2007-11-09 71152]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
PC Alert 4.lnk - C:\Program Files\MSI\PC Alert 4\PCAlert4.exe [2007-06-06 552960]
SecureDoc.lnk - C:\Program Files\MSI\SecureDoc\Logon.exe [2007-05-27 82944]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-09-20 01:48 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"VIDC.FFDS"= ffdshow.ax
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Monitor"=C:\WINNT\PixArt\PAC207\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitPim\\bitpimw.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINNT\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Documents and Settings\\User\\desktop\\setup-vghd_1tJ3JLwEk1q4XXn.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6999:TCP"= 6999:TCP:BitTorrent
"49153:TCP"= 49153:TCP:BitComet 11718 TCP
"49153:UDP"= 49153:UDP:BitComet 11718 UDP

R0 videX32;videX32;C:\WINNT\system32\DRIVERS\videX32.sys [2006-02-22 9728]
R2 Basics Service;Basics Service;C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe [2007-10-09 124280]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 PCAlertDriver;PCAlertDriver;C:\Program Files\MSI\PC Alert 4\NTGLM7X.sys [2006-12-26 28160]
S0 DigiFilter;DigiFilter;C:\WINNT\system32\drivers\DigiFilt.sys [ ]
S2 AtiBt829;WDM Video Capture For AIW (AtiBt829);C:\WINNT\system32\DRIVERS\AtiBt829.sys [2001-08-17 46464]
S2 ATITVAUDIO;WDM TVAudio (ATITVSnd);C:\WINNT\system32\DRIVERS\atitvsnd.sys [2001-08-17 17152]
S2 ATIXBAR;WDM Video Audio Crossbar (ATIXBar);C:\WINNT\system32\DRIVERS\atixbar.sys [2001-08-17 23552]
S2 DigiNet;Digidesign Ethernet Support;C:\WINNT\system32\DRIVERS\diginet.sys [ ]
S2 USBHSB;GeneLink File Transfer Driver;C:\WINNT\system32\Drivers\usbhsb.sys [2001-12-17 18690]
S3 PAC207;PC Camer@;C:\WINNT\system32\DRIVERS\PFC027.SYS [2007-05-14 508288]
S3 sunkfilt62;USB 6/1 Driver;C:\WINNT\system32\DRIVERS\sunkfilt62.sys [2005-10-27 15460]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [2003-06-19 49776]
S4 WEBNTACCESS;WEBNTACCESS;C:\WINNT\system32\NTACCESS.SYS [2006-05-18 18359]

*Newly Created Service* - PCALERTDRIVER
*Newly Created Service* - WEBNTACCESS
.
Contents of the 'Scheduled Tasks' folder

2008-09-20 C:\WINNT\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-10-05 C:\WINNT\Tasks\GlaryInitialize.job
- C:\Program Files\Glary Utilities\initialize.exe [2008-07-18 11:08]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\7ts6m72u.default\
FF -: plugin - C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\1.2.121.7\npGoogleOneClick.dll
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-05 12:25:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\ginamsi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\CardReader2.0\OTiReader.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\ComboFix\pv.cfexe
.
**************************************************************************
.
Completion time: 2008-10-05 12:35:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-05 16:35:30
ComboFix2.txt 2008-09-20 23:55:35

Pre-Run: 16,472,657,920 bytes free
Post-Run: 16,400,617,472 bytes free

246 --- E O F --- 2008-09-16 13:03:52
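The two parts of the ComboFix log above that a helper reads first are the Sigcheck section (the MD5 of each copy of TCPIP.SYS beside ComboFix's own ServicePackFiles reference copy) and the Reg Loading Points section (where the garbled "888...Run" value annotated [X] sits). The script below is an added example, not part of this thread and not ComboFix's own code: it parses those two sections, flags live driver copies whose MD5 differs from the ServicePackFiles copy of the same file name, and flags autorun values that ComboFix annotates with [X] instead of a date and size or whose name is mostly one repeated character. It assumes the line formats exactly as they appear in this log; its sample input is a handful of lines copied from the log, with the "888" value shortened so the line stays readable. A hash mismatch is a prompt to verify the file (as the thread did by submitting TCPIP.SYS to the multi-engine scanner), not a verdict: a hotfix changes the hash too, which is why the KB951748 copy in the log carries yet another MD5.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path handling regardless of host OS

# Constructed sample input: lines taken from the Sigcheck section and one Run
# key of the ComboFix log posted above, plus a stand-in for the garbled
# "888...Run" value, shortened here so the line stays readable.
SAMPLE_LOG = r"""
------- Sigcheck -------

2008-06-20 07:59 361600 ad978a1b783b5719720cff204b666c8e C:\WINNT\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-14 00:50 361344 93ea8d04ec73a85db02eb8805988f733 C:\WINNT\ServicePackFiles\i386\TCPIP.SYS
2008-08-21 02:47 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINNT\system32\dllcache\TCPIP.SYS
2008-08-21 02:47 361600 cbeebeb899e31ef52b962cb31fc8ca5c C:\WINNT\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"8888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run"="8888888888888888888888888888888888888888888888888888888888888888SOFTWARE\Microsoft\Windows\CurrentVersion\Run" [X]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 1382400]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-06 50528]
"""

# Line shapes as they appear in this log (assumption: ComboFix keeps them).
SIGCHECK_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$")
RUN_HEADER_RE = re.compile(r"^\[(HK[^\]]+)\]$")
RUN_ENTRY_RE = re.compile(r'^"(.+?)"="(.*?)" \[(.+?)\]$')

# ComboFix's reference copy lives under ServicePackFiles; the copies Windows
# actually loads (or restores from) are under drivers and dllcache.
REFERENCE_DIR = "\\servicepackfiles\\i386\\"
LIVE_DIRS = ("\\system32\\drivers\\", "\\system32\\dllcache\\")


def parse_sigcheck(text):
    """Return (date, size, md5, path) tuples from the Sigcheck section."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def parse_run_entries(text):
    """Map each registry key header to its (name, target, annotation) values."""
    entries = defaultdict(list)
    key = None
    for line in text.splitlines():
        line = line.strip()
        h = RUN_HEADER_RE.match(line)
        if h:
            key = h.group(1)
            continue
        e = RUN_ENTRY_RE.match(line)
        if e and key:
            entries[key].append((e.group(1), e.group(2), e.group(3)))
    return dict(entries)


def flag_sigcheck_drift(rows):
    """Live copies whose MD5 differs from the ServicePackFiles copy of the
    same file name, as (path, md5, reference_md5). A difference means
    'verify this file', not 'this file is malicious'."""
    reference = {}
    for _, _, md5, path in rows:
        if REFERENCE_DIR in path.lower():
            reference[basename(path).lower()] = md5
    flagged = []
    for _, _, md5, path in rows:
        low = path.lower()
        if any(d in low for d in LIVE_DIRS):
            ref = reference.get(basename(path).lower())
            if ref and ref != md5:
                flagged.append((path, md5, ref))
    return flagged


def flag_run_entries(entries):
    """Autorun values annotated [X] (no date/size recorded) or whose name is
    mostly one repeated character, as (key, name, reasons)."""
    flagged = []
    for key, items in entries.items():
        for name, _target, note in items:
            reasons = []
            if note == "X":
                reasons.append("target missing")
            most_common = max(set(name), key=name.count)
            if len(name) >= 16 and name.count(most_common) / len(name) > 0.5:
                reasons.append("repeated-character name")
            if reasons:
                flagged.append((key, name, reasons))
    return flagged


def main():
    rows = parse_sigcheck(SAMPLE_LOG)
    for path, md5, ref in flag_sigcheck_drift(rows):
        print(f"verify: {path} md5={md5} (ServicePackFiles copy: {ref})")
    for key, name, reasons in flag_run_entries(parse_run_entries(SAMPLE_LOG)):
        print(f"suspect autorun in [{key}]: {name[:40]}... ({', '.join(reasons)})")


if __name__ == "__main__":
    main()
```

Run against this sample it reports both live TCPIP.SYS copies (hash cbeebeb8... against the service-pack copy 93ea8d04...) and the shortened "888" value, for the same two reasons the moderator would give: ComboFix recorded no file behind it, and the name is not a name. Point `SAMPLE_LOG` at a full log file to run it on a real report.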
 
Forum Information
Currently it is Saturday, November 21, 2009 5:16 PM (GMT +1)