PDA

View Full Version : Had a few trojans...



ashinaa
2009-09-30, 09:02
ComboFix 09-09-29.02 - Rohan 09/30/2009 15:39.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1390 [GMT 10:00]
Running from: c:\documents and settings\Rohan\My Documents\Downloads\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\desktop.ini
H:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-28 to 2009-09-30 )))))))))))))))))))))))))))))))
.

2009-09-30 05:02 . 2009-09-30 05:27 -------- d-----w- c:\windows\LMI86.tmp
2009-09-30 04:54 . 2009-09-30 04:54 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-09-30 04:54 . 2009-09-30 05:02 -------- d-----w- c:\windows\LMI85.tmp
2009-09-30 04:20 . 2009-09-30 04:20 -------- d-----w- c:\documents and settings\Rohan\Local Settings\Application Data\Blizzard Entertainment
2009-09-30 02:10 . 2009-09-30 02:19 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-09-29 20:31 . 2004-08-04 00:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-09-29 20:31 . 2001-08-17 13:59 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2009-09-29 20:30 . 2004-08-03 22:59 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-09-29 20:30 . 2001-08-17 13:46 6400 ----a-w- c:\windows\system32\drivers\enum1394.sys
2009-09-29 20:30 . 2004-08-04 00:56 74240 ----a-w- c:\windows\system32\usbui.dll
2009-09-29 20:28 . 2004-08-04 12:00 10096640 -c--a-w- c:\windows\system32\dllcache\hwxcht.dll
2009-09-29 20:26 . 2009-09-30 05:38 -------- d-----w- c:\windows\system32\CatRoot2
2009-09-29 20:26 . 2009-09-30 02:21 -------- d-----w- c:\windows\system32\CatRoot
2009-09-29 20:25 . 2009-09-30 05:37 -------- d--h--w- c:\documents and settings\Default User
2009-09-29 20:25 . 2009-09-29 10:55 -------- d-----w- C:\Documents and Settings
2009-09-29 20:25 . 2009-09-29 10:51 -------- d-----w- c:\documents and settings\All Users

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-30 05:56 . 2009-09-29 12:02 4562464 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-09-30 04:20 . 2009-09-29 18:06 -------- d-----w- c:\documents and settings\Rohan\Application Data\vlc
2009-09-29 18:02 . 2009-09-29 18:02 -------- d-----w- c:\program files\VideoLAN
2009-09-29 16:34 . 2009-09-29 11:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-09-29 16:10 . 2009-09-29 12:02 14864 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-09-29 14:39 . 2009-09-29 14:39 -------- d-----w- c:\program files\Realtek
2009-09-29 14:39 . 2009-09-29 11:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-29 13:01 . 2009-09-29 13:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-09-29 13:01 . 2009-09-29 13:01 -------- d-----w- c:\program files\Logitech
2009-09-29 12:03 . 2009-09-29 12:03 -------- d-----w- c:\documents and settings\Rohan\Application Data\MailFrontier
2009-09-29 11:51 . 2009-09-29 11:51 -------- d-----w- c:\program files\Zone Labs
2009-09-29 11:50 . 2009-09-29 11:50 -------- d-----w- c:\documents and settings\Rohan\Application Data\Skinux
2009-09-29 11:46 . 2009-09-29 11:32 34816 ----a-w- c:\documents and settings\Rohan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 11:46 . 2009-09-29 11:43 -------- d-----w- c:\program files\Windows Live
2009-09-29 11:44 . 2009-09-29 11:44 -------- d-----w- c:\program files\Microsoft
2009-09-29 11:44 . 2009-09-29 11:44 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-29 11:33 . 2009-09-29 11:33 -------- d-----w- c:\program files\Common Files\Windows Live
2009-09-29 11:32 . 2009-09-29 11:32 -------- d-----w- c:\program files\The Skins Factory
2009-09-29 11:24 . 2009-09-29 11:06 -------- d-----w- c:\documents and settings\Rohan\Application Data\DAEMON Tools Lite
2009-09-29 11:23 . 2009-09-29 11:08 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-09-29 11:21 . 2009-09-29 11:21 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-29 11:21 . 2009-09-29 11:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-29 11:21 . 2009-09-29 11:21 -------- d-----w- c:\program files\NVIDIA Corporation
2009-09-29 11:21 . 2009-09-29 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2009-09-29 11:10 . 2009-09-29 11:10 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-29 11:08 . 2009-09-29 11:08 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-09-29 11:08 . 2009-09-29 11:08 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-09-29 11:06 . 2009-09-29 11:06 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-09-29 11:04 . 2009-09-29 11:04 0 ----a-w- c:\windows\nsreg.dat
2009-09-29 10:58 . 2009-09-29 10:58 -------- d-----w- c:\documents and settings\Rohan\Application Data\InstallShield
2009-09-29 10:52 . 2009-09-29 10:52 -------- d-----w- c:\program files\microsoft frontpage
2009-09-29 10:50 . 2009-09-29 10:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-16 17:04 . 2009-08-16 17:04 2173472 ----a-w- c:\windows\system32\nvcplui.exe
2009-08-16 17:04 . 2009-08-16 17:04 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-08-16 17:03 . 2009-08-16 17:03 3170304 ----a-w- c:\windows\system32\nvwss.dll
2009-08-16 17:03 . 2009-08-16 17:03 4026368 ----a-w- c:\windows\system32\nvvitvs.dll
2009-08-16 17:03 . 2009-08-16 17:03 188416 ----a-w- c:\windows\system32\nvmccss.dll
2009-08-16 17:03 . 2009-08-16 17:03 1286144 ----a-w- c:\windows\system32\nvmobls.dll
2009-08-16 17:03 . 2009-08-16 17:03 3547136 ----a-w- c:\windows\system32\nvgames.dll
2009-08-16 17:03 . 2009-08-16 17:03 4923392 ----a-w- c:\windows\system32\nvdisps.dll
2009-08-16 17:03 . 2009-08-16 17:03 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-08-16 17:03 . 2009-08-16 17:03 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-08-16 17:03 . 2009-08-16 17:03 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-08-16 17:03 . 2009-08-16 17:03 13877248 ----a-w- c:\windows\system32\nvcpl.dll
2009-08-16 17:02 . 2009-08-16 17:02 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-08-16 14:57 . 2009-09-29 11:21 485920 ----a-w- c:\windows\system32\nvudisp.exe
2009-08-16 14:57 . 2009-08-16 14:57 868352 ----a-w- c:\windows\system32\nvapi.dll
2009-08-16 14:57 . 2009-08-16 14:57 7729568 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-08-16 14:57 . 2009-08-16 14:57 5845760 ----a-w- c:\windows\system32\nv4_disp.dll
2009-08-16 14:57 . 2009-08-16 14:57 2189856 ----a-w- c:\windows\system32\nvcuvid.dll
2009-08-16 14:57 . 2009-08-16 14:57 2002944 ----a-w- c:\windows\system32\nvcuda.dll
2009-08-16 14:57 . 2009-08-16 14:57 1706528 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-08-16 14:57 . 2009-08-16 14:57 1597690 ----a-w- c:\windows\system32\nvdata.bin
2009-08-16 14:57 . 2009-08-16 14:57 155648 ----a-w- c:\windows\system32\nvcodins.dll
2009-08-16 14:57 . 2009-08-16 14:57 155648 ----a-w- c:\windows\system32\nvcod.dll
2009-08-16 14:57 . 2009-08-16 14:57 10457088 ----a-w- c:\windows\system32\nvoglnt.dll
2009-08-14 03:36 . 2009-08-14 03:36 70936 ----a-w- c:\windows\system32\PhysXLoader.dll
2009-08-11 02:35 . 2009-09-29 10:58 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-07-26 06:44 . 2009-07-26 06:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Steam"="f:\steam1\Steam.exe" [2009-09-20 1217784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"WinFoxV2"="c:\windows\system32\WF2K.EXE" [2007-08-03 1490944]
"WinFast2KLoadDefault"="c:\windows\system32\wf2kcpl.dll" [2005-09-16 616448]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-12 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-16 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-16 13877248]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-28 1005960]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-07-17 1687824]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-07-18 2094352]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-06-25 17887232]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"f:\\Steam1\\Steam.exe"=
"f:\\Steam1\\steamapps\\common\\rainbow six lockdown\\lockdown.exe"=

R2 HdThemeEnabler;Hyperdesk Theme Enabler;c:\windows\HDThemeEnabler.exe [7/1/2008 12:16 PM 102400]
R3 NTProcDrv;Process creation detector for NT.;\??\c:\windows\TEMP\drv1.tmp --> c:\windows\TEMP\drv1.tmp [?]
R4 WINFOXIO;WINFOXIO;c:\windows\system32\drivers\WINFOXIO.sys [9/29/2009 9:10 PM 9600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [9/30/2009 12:39 AM 1684736]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WINFOXIO
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
FF - ProfilePath - c:\documents and settings\Rohan\Application Data\Mozilla\Firefox\Profiles\asxqst53.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\documents and settings\Rohan\Application Data\Mozilla\Firefox\Profiles\asxqst53.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-30 15:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NTProcDrv]
"ImagePath"="\??\c:\windows\TEMP\drv1.tmp"
.
Completion time: 2009-09-30 15:56
ComboFix-quarantined-files.txt 2009-09-30 05:56

Pre-Run: 45,593,174,016 bytes free
Post-Run: 45,608,235,008 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

164 --- E O F --- 2009-09-29 11:12

sed combo fix, scanning with zone alarm now, trojan was called trojan-gamethief.win32.tibia, dont understand how it is still on my system since i hvave reformatted a few times..any help on this would be awesome.
=================================
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Do NOT run 'FIXES' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806 )

tashi
2009-09-30, 18:12
HJT log split off to: http://forums.spybot.info/showthread.php?t=52265