My Anti Spyware

oopsj · Joined: 31 May 2008 Posts: 3

Hi,
recently I have detected by scanning my computer that I have deadly backdoor virus bifrose. I hope I have managed to delete it. Inbetween I detected some aoter potential virus applications and hack tools, which I also sucessfully deleted. I also ran Combofix, and here is it my log file from the scan:
Could anyone tell me maybe what should be the next step to do? Any help would be greatly appreaciated:
thank you
simon

ComboFix 08-05-21.2 - Admin 2008-05-22 13:58:28.1 - NTFSx86
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\setup.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4

((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-19 22:19 . 2008-05-22 14:09 <DIR> d-------- C:\Program Files\SpywareGuard
2008-05-18 21:48 . 2008-05-18 21:48 <DIR> d-------- C:\Documents and Settings\Admin\DoctorWeb
2008-05-18 21:42 . 2008-05-18 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-18 21:40 . 2008-05-18 21:44 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-17 13:57 . 2008-05-17 13:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 13:55 . 2008-05-17 13:53 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-17 13:55 . 2008-05-17 13:55 2,541 --a------ C:\WINDOWS\unins000.dat
2008-05-11 15:25 . 2008-05-11 15:25 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Nokia Multimedia Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 12:15 --------- d-----w C:\Program Files\BlackICE
2008-05-19 18:47 --------- d-----w C:\Program Files\DAEMON Tools
2008-05-18 18:42 --------- d-----w C:\Program Files\eMule0.47c
2008-05-17 20:03 --------- d-----w C:\Documents and Settings\Admin\Application Data\Skype
2008-05-17 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-07-09 22:34 256 ----a-w C:\Documents and Settings\Admin\pool.bin
2005-09-12 14:05 457 ----a-w C:\Program Files\INSTALL.LOG
.

------- Sigcheck -------

2006-09-14 10:31 664576 d207370287cf769aebebf03837784963 C:\WINDOWS\$hf_mig$\KB922760\SP2QFE\wininet.dll
2002-08-29 22:00 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-08-04 09:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB922760$\wininet.dll
2006-09-14 10:39 658944 621af3f6174a3f60677f5230e28bcc07 C:\WINDOWS\ie7\wininet.dll
2006-11-07 22:03 1334784 40bc230e247e4733c0711d408854c108 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
2006-11-07 22:03 1334784 40bc230e247e4733c0711d408854c108 C:\WINDOWS\system32\wininet.dll
2006-11-07 22:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\system32\dllcache\wininet.dll

2004-08-04 09:56 1880576 a060c835391f626bd37679d6fa701261 C:\WINDOWS\explorer.exe
2002-08-29 22:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 09:56 1880576 a060c835391f626bd37679d6fa701261 C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-02-04 23:00 2932736]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 15:35 4608 C:\WINDOWS\system32\carpserv.exe]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 06:26 45056]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-01-31 05:53 106496]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-03-14 19:56 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-03-14 19:56 634880]
"ATIModeChange"="Ati2mdxx.exe" [2002-06-12 05:14 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-02-26 16:25 180316]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 14:03 106544 C:\WINDOWS\system32\TWEAKUI.CPL]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-04-23 01:22 917504]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:56 15360]

C:\Documents and Settings\Admin\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlackICE PC Protection.lnk - C:\Program Files\BlackICE\blackice.exe [2006-11-21 16:28:47 778240]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2002-02-15 10:51 24638 C:\WINDOWS\system32\PCANotify.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=C:\WINDOWS\pss\Desktop Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2004-12-14 02:12 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-10-09 11:28 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
C:\Program Files\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 12:48 157592 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2005-03-31 09:30 1106944 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2006-07-25 15:55 1043968 C:\Program Files\Ahead\Nero 7\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\javasched]
--a------ 2006-07-25 18:04 54272 C:\WINDOWS\system32\javav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-03-22 09:39 167936 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-04-20 09:57 847872 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
--a------ 2007-02-04 23:00 2932736 C:\Program Files\Rainlendar2\Rainlendar2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 19:42 32768 C:\Program Files\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 23:34 36864 C:\Cpqs\Scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-09-14 14:16 100056 C:\PROGRA~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_WinMain]
C:\WINDOWS\winexec.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\ICQ\\Icq.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\WINAW32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\AWHOST32.EXE"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\eMule0.47c\\emule.exe"=
"C:\\Program Files\\VoipDiscount\\VoipDiscount.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Skype.exe"=

R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys [2002-11-05 17:04]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2002-11-05 17:04]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2004-07-15 18:31]
R4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys [2005-03-30 10:40]
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\system32\DRIVERS\ElbyVCD.sys []
S3 Am772;IEEE 802.11b Wireless LAN Cardbus Card Driver;C:\WINDOWS\system32\DRIVERS\WLANNDS.sys [2003-08-21 18:27]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 14:12]
S3 GSNDIS5;GSNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\GSNDIS5.SYS [2003-04-18 10:05]
S3 MA8630C;MA8630C;C:\WINDOWS\system32\DRIVERS\MA8630C.sys [2004-09-14 18:12]
S3 MA8630M;MA8630M;C:\WINDOWS\system32\DRIVERS\MA8630M.sys [2005-01-25 15:31]
S3 MA8630U;MA8630U;C:\WINDOWS\system32\DRIVERS\MA8630U.sys [2006-06-14 19:02]
S3 RapDrv;RapDrv;C:\WINDOWS\system32\drivers\RapDrv.sys [2003-10-24 16:57]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 19:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 19:26]
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2253c0b9-fe54-11db-89d4-000bcd87fc7a}]
\Shell\AutoRun\command - setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9U71583C-L148-F971-HPT8-63VJ4DF90816}]
C:\WINDOWS\system32\jasched.exe s
.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 12:26:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 14:16:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????8?1?8?8??????? ??3B?????????????T?B? ??????

scanning hidden files ...

C:\Program Files\Icqmnm65
C:\WINDOWS\system32\drivers\s3g_cnxt.sys 12288 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\6to4]
"ServiceDll"="%SystemRoot%\System32\6to4svc.dll"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\AbiScan]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\s3g_cnxt.sys"
.
Completion time: 2008-05-22 14:30:29
ComboFix-quarantined-files.txt 2008-05-22 12:30:14

Pre-Run: 13,568,794,624 bytes free
Post-Run: 13,519,962,112 bytes free

184

patrik · Site Admin Joined: 08 Jan 2006 Posts: 1226

Hello Oopsj, welcome to the forum!

Open notepad, copy/paste the text in the quote box below into notepad:

oopsj · Joined: 31 May 2008 Posts: 3

log file from combofix and dss attached.
please for further coordinates... thank you

patrik · Site Admin Joined: 08 Jan 2006 Posts: 1226

All logs are ok.

Are you have any problems ?

oopsj · Joined: 31 May 2008 Posts: 3

at the moment none. But u never nows if smth is hidden in the background.

Can you please tell me how can I find out from the logs if smth is wrong?
regards

patrik · Site Admin Joined: 08 Jan 2006 Posts: 1226

For ending:

1. Uninstall combofix.

2. Make a new restore point.