Possible virus?

chibicitiberiu

New Member
I inserted a memory stick in the computer, and AVG popped up with a virus in file C:\WINDOWS\System32\bvuunjhr.dll called Trojan Horse Dropper.Generic.AFNC. When I right clicked the memory stick's drive there was autoplay information on it. It had a folder icon.
It had hidden and read-only attributes, so I force-deleted it with DEL autorun.inf /AF /F. I copied the important data I had on it to the computer, and now I'm formatting it.

Am I still infected, could this virus still exist in my computer?
 

casper0191

New Member
Well, to be sure, run an antivirus scan on your system. Always remember: once your antivirus detects a virus, always run a full scan of the system so that you're sure your computer is 100% clean. Also, don't forget to update your antivirus.
 

chibicitiberiu

New Member
This is what Malwarebytes found:
Code:
Malwarebytes' Anti-Malware 1.37
Database version: 2186
Windows 5.1.2600 Service Pack 3

5/28/2009 10:01:44 AM
mbam-log-2009-05-28 (10-01-44).txt

Scan type: Quick Scan
Objects scanned: 77055
Time elapsed: 5 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

chibicitiberiu

New Member
Here it is
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:33 AM, on 5/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\Domino.EXE
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\uTorrent\uTorrent.exe
D:\WebDownloads\HiJackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Domino] C:\WINDOWS\Domino.EXE
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: RDS & RCS.lnk = ?
O4 - Startup: µTorrent.lnk = C:\Program Files\uTorrent\uTorrent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{75A4BEDF-BA53-4C18-8E9B-A66F2437F5CB}: NameServer = 213.154.124.1 193.231.252.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 4944 bytes
 

chibicitiberiu

New Member
Here is the ComboFix log
Code:
ComboFix 09-05-28.09 - Tiberiu 05/29/2009 21:34.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.912 [GMT 3:00]
Running from: d:\webdownloads\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\~INSX362.EXE

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XPROTECTOR
-------\Service_XPROTECTOR


(((((((((((((((((((((((((   Files Created from 2009-04-28 to 2009-05-29  )))))))))))))))))))))))))))))))
.

2009-05-28 06:54 . 2009-05-28 06:54	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\Malwarebytes
2009-05-28 06:54 . 2009-05-26 10:20	40160	----a-w	c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-28 06:54 . 2009-05-28 06:54	--------	d-----w	c:\program files\Malwarebytes' Anti-Malware
2009-05-28 06:54 . 2009-05-28 06:54	--------	d-----w	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-28 06:54 . 2009-05-26 10:19	19096	----a-w	c:\windows\system32\drivers\mbam.sys
2009-05-28 06:37 . 2009-05-28 06:37	--------	d-----w	c:\program files\MSECache
2009-05-25 06:21 . 2009-05-25 07:57	--------	d-----w	C:\emu8086
2009-05-24 12:58 . 2009-05-24 12:58	555	----a-w	C:\GR1.EXE
2009-05-23 19:16 . 2009-05-23 19:16	--------	d-----w	c:\program files\CCleaner
2009-05-21 08:36 . 2009-05-21 08:37	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\vlc
2009-05-20 07:36 . 2009-05-20 07:36	--------	d-----w	c:\documents and settings\All Users\Application Data\InstallShield
2009-05-20 07:36 . 2009-05-20 07:36	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\Corel
2009-05-20 07:36 . 2009-05-20 07:36	--------	d-----w	c:\program files\Common Files\Corel
2009-05-20 07:34 . 2009-05-20 07:36	--------	d-----w	c:\program files\Corel
2009-05-19 09:11 . 2009-05-19 09:11	--------	d-----w	c:\program files\Defraggler
2009-05-18 08:12 . 2009-05-18 08:12	--------	d-----w	c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-05-18 08:03 . 2009-05-18 08:03	--------	d-----w	c:\program files\Sun
2009-05-18 08:01 . 2009-05-18 08:45	--------	d-----w	c:\documents and settings\Tiberiu\.VirtualBox
2009-05-18 08:00 . 2009-04-27 17:39	100944	----a-w	c:\windows\system32\drivers\VBoxDrv.sys
2009-05-18 08:00 . 2009-04-27 17:39	79888	----a-w	c:\windows\system32\drivers\VBoxNetAdp.sys
2009-05-18 08:00 . 2009-04-27 17:39	41424	----a-w	c:\windows\system32\drivers\VBoxUSBMon.sys
2009-05-16 19:11 . 2009-05-16 19:11	--------	d-----w	c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-16 19:10 . 2009-05-16 19:17	--------	d-----w	c:\documents and settings\Tiberiu\Local Settings\Application Data\Google
2009-05-16 19:09 . 2009-05-24 09:50	--------	d-----w	c:\program files\Google
2009-05-12 05:48 . 2009-05-12 06:43	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\FMZilla
2009-05-11 19:30 . 2009-05-11 19:30	--------	d-----w	c:\program files\Media Player Classic
2009-05-11 19:25 . 2009-05-11 19:25	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\Media Player Classic
2009-05-09 18:39 . 2009-05-09 18:39	22328	----a-w	c:\windows\system32\drivers\PnkBstrK.sys
2009-05-09 18:39 . 2009-05-09 18:39	22328	----a-w	c:\documents and settings\Tiberiu\Application Data\PnkBstrK.sys
2009-05-09 18:39 . 2009-05-09 18:39	103736	----a-w	c:\windows\system32\PnkBstrB.exe
2009-05-09 18:39 . 2009-05-09 18:39	669184	----a-w	c:\windows\system32\pbsvc.exe
2009-05-09 18:39 . 2009-05-09 18:39	66872	----a-w	c:\windows\system32\PnkBstrA.exe
2009-05-09 10:53 . 2009-05-09 10:53	604416	----a-w	c:\windows\system32\TUProgSt.exe
2009-05-09 10:53 . 2009-04-27 12:21	28928	----a-w	c:\windows\system32\uxtuneup.dll
2009-05-09 10:53 . 2009-05-09 10:53	361216	----a-w	c:\windows\system32\TuneUpDefragService.exe
2009-05-09 09:25 . 2009-05-09 09:25	--------	d-----w	c:\program files\PowerISO
2009-05-09 05:10 . 2009-05-09 05:32	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\Download Manager
2009-05-04 05:38 . 2009-05-04 05:38	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\Xilisoft Corporation
2009-05-04 05:37 . 2009-05-04 05:37	--------	d-----w	c:\program files\Xilisoft

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-29 18:39 . 2009-03-22 20:05	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\uTorrent
2009-05-29 18:20 . 2009-03-22 20:05	--------	d-----w	c:\program files\Mozilla Thunderbird
2009-05-29 15:11 . 2009-04-20 06:53	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\dvdcss
2009-05-28 06:34 . 2009-03-22 20:39	--------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-23 19:23 . 2009-04-28 07:27	--------	d-----w	c:\program files\Ultimate Stunts
2009-05-20 07:36 . 2009-03-22 19:30	--------	d-----w	c:\program files\Common Files\InstallShield
2009-05-11 05:49 . 2009-03-25 06:30	11952	----a-w	c:\windows\system32\avgrsstx.dll
2009-05-11 05:49 . 2009-03-25 06:30	325896	----a-w	c:\windows\system32\drivers\avgldx86.sys
2009-05-11 05:49 . 2009-03-25 06:30	27784	----a-w	c:\windows\system32\drivers\avgmfx86.sys
2009-05-11 05:49 . 2009-03-25 06:26	29208	----a-w	c:\windows\system32\drivers\avgfwdx.sys
2009-05-11 05:49 . 2009-03-25 06:30	12552	----a-w	c:\windows\system32\drivers\avgrkx86.sys
2009-05-11 05:49 . 2009-03-25 06:26	50968	-c--a-w	c:\windows\system32\avgfwdx.dll
2009-05-11 05:48 . 2009-03-25 06:30	108552	----a-w	c:\windows\system32\drivers\avgtdix.sys
2009-05-09 10:53 . 2009-03-22 20:32	--------	d-----w	c:\program files\TuneUp Utilities 2009
2009-05-04 05:24 . 2009-03-22 19:31	--------	d--h--w	c:\program files\InstallShield Installation Information
2009-04-29 09:39 . 2009-04-29 09:39	--------	d-----w	c:\program files\Common Files\NSV
2009-04-27 17:39 . 2009-04-27 17:39	133648	----a-w	c:\windows\system32\VBoxNetFltNotify.dll
2009-04-27 17:39 . 2009-04-27 17:39	87696	----a-w	c:\windows\system32\drivers\VBoxNetFlt.sys
2009-04-26 11:46 . 2009-04-26 11:46	86016	----a-w	c:\windows\system32\OpenAL32.dll
2009-04-26 11:46 . 2009-04-26 11:46	262144	----a-w	c:\windows\system32\wrap_oal.dll
2009-04-25 08:26 . 2009-04-25 07:48	--------	d-----w	c:\documents and settings\All Users\Application Data\Test Drive Unlimited
2009-04-24 08:34 . 2009-04-24 08:34	--------	d-----w	c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-04-24 08:34 . 2009-04-24 08:17	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\Uniblue
2009-04-24 08:34 . 2009-04-24 08:17	--------	d-----w	c:\documents and settings\All Users\Application Data\DriverScanner
2009-04-23 17:25 . 2009-03-23 06:14	--------	d-----w	c:\program files\Winamp
2009-04-21 05:55 . 2009-04-21 05:55	7680	----a-w	c:\windows\~INSX462.EXE
2009-04-20 11:59 . 2009-03-22 20:08	45296	-c--a-w	c:\documents and settings\Tiberiu\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-20 08:41 . 2009-04-20 08:39	--------	d-----w	c:\program files\theo30
2009-04-18 18:23 . 2009-03-25 07:12	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\codeblocks
2009-04-18 04:45 . 2009-04-18 04:45	--------	d-----w	c:\program files\Windows Media Connect 2
2009-04-18 04:34 . 2009-04-18 04:34	1878984	----a-w	c:\documents and settings\Tiberiu\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-04-17 07:55 . 2009-04-17 07:55	0	----a-w	c:\windows\ativpsrm.bin
2009-04-10 09:03 . 2009-03-29 18:29	--------	d-----w	c:\program files\Common Files\Adobe
2009-04-10 08:20 . 2009-04-10 08:20	--------	d-----w	c:\program files\Bonjour
2009-04-10 08:17 . 2009-04-10 08:17	--------	d-----w	c:\program files\Common Files\Macrovision Shared
2009-04-09 10:12 . 2009-04-09 10:12	2285056	----a-w	c:\windows\system32\TUKernel.exe
2009-04-09 08:30 . 2009-04-09 08:30	--------	d-----w	c:\program files\Reference Assemblies
2009-04-09 08:25 . 2009-04-09 08:25	--------	d-----w	c:\program files\MSXML 4.0
2009-04-09 08:21 . 2009-04-09 08:21	--------	d-----w	c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-09 04:53 . 2009-04-09 04:53	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\Broad Intelligence
2009-04-09 04:52 . 2009-04-09 04:52	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\OpenCandy
2009-04-09 04:52 . 2009-04-09 04:52	0	----a-w	c:\documents and settings\Tiberiu\Application Data\OpenCandy\audacity-win-1.2.6.exe
2009-04-09 04:52 . 2009-04-09 04:52	--------	d-----w	c:\program files\MediaCoder
2009-04-08 11:21 . 2009-04-08 11:21	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\Apple Computer
2009-04-08 10:23 . 2009-04-08 10:23	98304	----a-w	c:\windows\system32\CmdLineExt.dll
2009-04-08 09:39 . 2009-04-08 09:39	--------	d-----w	c:\documents and settings\All Users\Application Data\FLEXnet
2009-04-07 15:47 . 2009-04-07 15:47	60416	----a-w	c:\windows\ALCFDRTM.EXE
2009-04-07 05:05 . 2009-04-06 19:26	--------	d-----w	c:\documents and settings\All Users\Application Data\Skype
2009-04-04 13:03 . 2009-04-04 13:03	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\PlayFirst
2009-04-04 13:01 . 2009-04-04 12:38	--------	d---a-w	c:\documents and settings\All Users\Application Data\TEMP
2009-04-04 12:14 . 2009-04-04 12:14	--------	d-----w	c:\program files\MSBuild
2009-04-04 05:42 . 2009-03-30 07:32	--------	d-----w	c:\program files\DOSBox-0.72
2009-04-04 05:41 . 2009-04-03 19:16	--------	d-----w	c:\documents and settings\Tiberiu\Application Data\CyberCIEGE
2009-04-02 16:17 . 2009-04-02 16:17	410984	----a-w	c:\windows\system32\deploytk.dll
2009-04-02 16:17 . 2009-04-02 16:17	--------	d-----w	c:\program files\Java
2009-04-02 16:16 . 2009-04-02 16:16	152576	----a-w	c:\documents and settings\Tiberiu\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-26 06:30 . 2009-03-26 06:30	41888	----a-w	c:\windows\system32\drivers\Oreans.sys
2009-03-23 07:35 . 2009-03-23 07:21	110058	-c--a-w	c:\windows\hpoins08.dat
2009-03-23 06:40 . 2009-03-23 06:40	717296	----a-w	c:\windows\system32\drivers\sptd.sys
2009-03-22 20:05 . 2009-03-22 20:05	0	-c--a-w	c:\windows\nsreg.dat
2009-03-22 19:38 . 2009-03-22 19:04	76487	-c--a-w	c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-22 19:02 . 2009-03-22 19:02	21640	-c--a-w	c:\windows\system32\emptyregdb.dat
2009-03-16 11:18 . 2009-04-17 07:47	69448	----a-w	c:\windows\system32\XAPOFX1_3.dll
2009-03-16 11:18 . 2009-04-17 07:47	517448	----a-w	c:\windows\system32\XAudio2_4.dll
2009-03-16 11:18 . 2009-04-17 07:47	235352	----a-w	c:\windows\system32\xactengine3_4.dll
2009-03-16 11:18 . 2009-04-17 07:47	22360	----a-w	c:\windows\system32\X3DAudio1_6.dll
2009-03-09 12:27 . 2009-04-17 07:47	453456	----a-w	c:\windows\system32\d3dx10_41.dll
2009-03-09 12:27 . 2009-04-17 07:47	1846632	----a-w	c:\windows\system32\D3DCompiler_41.dll
2009-03-09 12:27 . 2009-04-17 07:47	4178264	----a-w	c:\windows\system32\D3DX9_41.dll
2009-03-09 02:03 . 2009-03-09 02:03	121984	-c--a-w	c:\windows\system32\drivers\Rtnicxp.sys
2009-03-06 14:22 . 2004-08-04 12:00	284160	----a-w	c:\windows\system32\pdh.dll
2009-03-03 09:18 . 2009-03-03 09:18	73728	-c--a-w	c:\windows\system32\RtNicProp32.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-11 1947928]
"Domino"="c:\windows\Domino.EXE" [2006-06-28 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-11 05:49	11952	----a-w	c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"Domino"=c:\windows\Domino.EXE
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"VMSnap3"=c:\windows\VMSnap3.EXE
"PWRISOVM.EXE"=c:\program files\PowerISO\PWRISOVM.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [3/25/2009 9:30 AM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [3/25/2009 9:30 AM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [3/25/2009 9:30 AM 108552]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [5/18/2009 11:00 AM 100944]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [5/18/2009 11:00 AM 41424]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/11/2009 8:48 AM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/25/2009 2:32 PM 298776]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [5/11/2009 8:48 AM 1366904]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [5/9/2009 1:53 PM 604416]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [3/25/2009 9:26 AM 29208]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [5/18/2009 11:00 AM 79888]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [4/27/2009 8:39 PM 87696]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [3/22/2009 11:01 PM 428160]
S2 gfzysj;Update Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 3:00 PM 14336]
S2 snorcnrt;Microsoft Image;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 3:00 PM 14336]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [3/25/2009 9:26 AM 29208]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [9/25/2007 5:59 PM 15152]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
gfzysj
snorcnrt
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 13:37]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {75A4BEDF-BA53-4C18-8E9B-A66F2437F5CB} = 213.154.124.1 193.231.252.1
FF - ProfilePath - c:\documents and settings\Tiberiu\Application Data\Mozilla\Firefox\Profiles\7rcpdey3.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-29 21:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gfzysj]
"ServiceDll"="c:\windows\system32\bvuunjhr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\snorcnrt]
"ServiceDll"="c:\windows\system32\bvuunjhr.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1560)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3308)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\uTorrent\uTorrent.exe
.
**************************************************************************
.
Completion time: 2009-05-29 21:41 - machine was rebooted
ComboFix-quarantined-files.txt  2009-05-29 18:41

Pre-Run: 26,094,518,272 bytes free
Post-Run: 26,005,159,936 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=CTTAIX /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=CTTAIX-BAK

258	--- E O F ---	2009-05-27 18:40
 
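The tell-tale entries in the ComboFix log above are the two randomly named services (gfzysj, snorcnrt) that run inside svchost.exe -k netsvcs and both point their ServiceDll at the same bvuunjhr.dll that AVG flagged. The following script is an added example, not part of the original thread, that pulls exactly that pattern out of a log in this layout; the excerpt is constructed from the posted log and the XP netsvcs baseline list is a from-memory assumption, so a "not in baseline" hit is a prompt to verify, not proof.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the ComboFix log posted above; the two
# netsvcs services and their shared ServiceDll come straight from that log.
SAMPLE_LOG = r"""
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [3/25/2009 2:32 PM 298776]
S2 gfzysj;Update Windows;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 3:00 PM 14336]
S2 snorcnrt;Microsoft Image;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 3:00 PM 14336]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [9/25/2007 5:59 PM 15152]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
gfzysj
snorcnrt
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gfzysj]
"ServiceDll"="c:\windows\system32\bvuunjhr.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\snorcnrt]
"ServiceDll"="c:\windows\system32\bvuunjhr.dll"
.
"""

# Partial list of services Windows XP itself places in the netsvcs group.
# Assumption: compiled from memory, so "not in baseline" means "go verify".
XP_NETSVCS_BASELINE = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dhcp",
    "dmserver", "ersvc", "eventsystem", "fastuserswitchingcompatibility",
    "helpsvc", "hidserv", "ip6fw", "lanmanserver", "lanmanworkstation",
    "messenger", "netman", "nla", "ntmssvc", "rasauto", "rasman",
    "remoteaccess", "schedule", "seclogon", "sens", "sharedaccess",
    "shellhwdetection", "srservice", "tapisrv", "themes", "trkwks",
    "w32time", "winmgmt", "wmi", "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}

# "S2 name;display;image path [date size]" lines from the Reg Loading Points section
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[", re.M)
# "[...\Services\name]" followed by its ServiceDll value
SVCDLL_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]\s*'
    r'"ServiceDll"="([^"]+)"', re.M)


def netsvcs_members(log):
    """Return the service names listed under the 'Svchost - NetSvcs' heading."""
    members = set()
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if "CurrentVersion\\Svchost" in line and "netsvcs" in line.lower():
            for member in lines[i + 1:]:
                if member.strip() in ("", "."):
                    break
                members.add(member.strip().lower())
            break
    return members


def find_suspicious_netsvcs(log):
    """Return {service: info} for svchost/netsvcs services that merit review."""
    dll_of = {n.lower(): d.lower() for n, d in SVCDLL_RE.findall(log)}
    members = netsvcs_members(log)
    hosted = {}
    for start, name, display, image in SERVICE_RE.findall(log):
        if "svchost.exe -k netsvcs" in image.lower():
            hosted[name.lower()] = (start, display.strip())
    users_of_dll = defaultdict(set)
    for name, dll in dll_of.items():
        users_of_dll[dll].add(name)
    findings = {}
    for name, (start, display) in hosted.items():
        reasons = []
        if name not in XP_NETSVCS_BASELINE:
            reasons.append("not in XP default netsvcs baseline")
        if name not in members:
            reasons.append("hosted by netsvcs but missing from the NetSvcs group value")
        dll = dll_of.get(name)
        if dll is None:
            reasons.append("no ServiceDll recorded in log")
        else:
            # Two services sharing one DLL is unusual but not proof on its own
            # (Themes and ShellHWDetection legitimately share shsvcs.dll).
            others = users_of_dll[dll] - {name}
            if others:
                reasons.append("ServiceDll shared with " + ", ".join(sorted(others)))
        if reasons:
            findings[name] = {"start": start, "display": display,
                              "dll": dll, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, info in sorted(find_suspicious_netsvcs(SAMPLE_LOG).items()):
        print(f"{info['start']} {name} ({info['display']}) -> {info['dll']}")
        for reason in info["reasons"]:
            print("    -", reason)
```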

alienationware

New Member
That is definitely a virus. I had one like it around Jan. All my computers were eventually affected through the use of a memory stick (flash drive).

Get yourself an antivirus that intercepts file I/O to/from the OS (like BitDefender), and make sure you turn off autoplay. Act quickly, as you don't know what else the trojan will download from the net the more time you give it to live...
 