« previous next »
Pages: [1]

Author Topic: Trojan-Dropper.Win32.Flystud.f  (Read 1107 times)

Offline szaku

  • Newbie
  • *
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Trojan-Dropper.Win32.Flystud.f
« on: July 12, 2007, 09:54:05 AM »
Trojan-Dropper.Win32.Flystud.f was scanned out by my Kaspersky AV but it can't delete the trojan at all . Help me please .

my HJT Log :

Logfile of HijackThis v1.99.1
Scan saved at 10:15:19 PM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\system32\cmd.exe
D:\WINDOWS\system32\conime.exe
D:\WINDOWS\svchost.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Samsung Common SM] "D:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: sploov.exe.lnk = D:\WINDOWS\system32\slpoov.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://craxr.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124520174296
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~2\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: GoogleDesktopManager - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - G:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Trojan-Dropper.Win32.Flystud.f
« Reply #1 on: July 12, 2007, 07:10:36 PM »
Can you do the following
Open Hijackthis>>Open Misc tools section>>Open "Delete File on Reboot"
Copy>>Paste the following in bold below to the File name field

D:\WINDOWS\system32\slpoov.exe

Then click the OPEN button
Hijackthis should prompt the file will be deleted
Do you want to reboot your computer
Select NO at this prompt

Click BACK under "Other stuff"
Then click SCAN
Put a tick next to this entry
O4 - Startup: sploov.exe.lnk = D:\WINDOWS\system32\slpoov.exe

After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

back in Windows
Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log that opens please along with a fresh hijackthis log
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Offline szaku

  • Newbie
  • *
  • Posts: 40
  • Karma: +0/-0
    • View Profile
Trojan-Dropper.Win32.Flystud.f
« Reply #2 on: July 13, 2007, 04:39:32 AM »
My fresh HJT Log :

Logfile of HijackThis v1.99.1
Scan saved at 5:37:57 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\conime.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINDOWS\system32\Rundll32.exe
D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\WINDOWS\system32\rundll32.exe
E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Google Desktop Search] "D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINDOWS\System32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab30149.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://craxr.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124520174296
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} (shizmoo Class) - http://playroom.icq.com/odyssey_web11.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppD...ap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppD...ap/DigWXMSN.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\PROGRA~2\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: D:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: GoogleDesktopManager - Google - D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
O23 - Service: kavsvc - Kaspersky Lab - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - G:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe





From ComboFix L:

"SawFamily" - 2007-07-13 17:21:14 - ComboFix 07-07-13.8 - Service Pack 2  [color=\"red\"]FAT32 [/color]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


D:\WINDOWS\autorun.inf
D:\WINDOWS\system32\drivers\sfsync02.sys


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SFSYNC02
-------\sfsync02


(((((((((((((((((((((((((   Files Created from 2007-06-13 to 2007-07-13  )))))))))))))))))))))))))))))))


2007-07-13 17:23   0   --a------   D:\WINDOWS\system32\sfsync02.dll
2007-07-13 17:20   51,200   --a------   D:\WINDOWS\nircmd.exe
2007-07-13 08:22   <DIR>   d--------   D:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-07-13 07:59   34   --a------   D:\WINDOWS\clear.bat
2007-07-01 12:52   32,592   --a------   D:\WINDOWS\system32\msonpmon.dll
2007-07-01 12:49   <DIR>   d--------   D:\Program Files\MSBuild
2007-07-01 12:49   <DIR>   d--------   D:\Program Files\Microsoft Works
2007-07-01 12:42   <DIR>   d--------   D:\WINDOWS\SHELLNEW
2007-07-01 12:41   <DIR>   d--------   D:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-06-21 14:04   <DIR>   d--hs----   D:\FOUND.029
2007-06-20 13:31   56,896   --ah-----   D:\WINDOWS\system32\mlfcache.dat


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-13 02:07:50   664   ----a-w   D:\WINDOWS\system32\d3d9caps.dat
2007-07-12 14:15:20   8,856   ----a-w   D:\Program Files\hijackthis.log
2007-06-29 02:54:22   9,252   ----a-w   D:\WINDOWS\system32\drivers\fwdrv.err
2007-06-05 02:56:26   --------   d-----w   D:\Program Files\Samsung ML-2010 Series
2007-05-22 02:44:08   5,522   ----a-w   D:\WINDOWS\mozver.dat
2006-03-23 10:28:04   41,936   ----a-w   D:\DOCUME~1\SAWFAM~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2005-10-10 06:13:18   218,112   ----a-w   D:\Program Files\HijackThis.exe
2004-06-25 14:46:00   457   ----a-w   D:\Program Files\INSTALL.LOG
2007-03-28 06:26:08   11,532   --sha-w   D:\WINDOWS\system32\KGyGaAvL.sys
2004-02-23 20:42:40   1,386,496   --sh--r   D:\WINDOWS\system32\msvbvm60.dll
2006-04-09 01:59:12   10   --sh--r   D:\WINDOWS\system32\sistem.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 12:02   37808   ---------   C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
2006-10-27 00:48   2210608   --a------   E:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43   501400   --a------   D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-06-01 17:22 D:\WINDOWS\system32\nwiz.exe]
"P17Helper"="P17.dll" [2005-05-02 20:38 D:\WINDOWS\system32\P17.dll]
"CTSysVol"="D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"Google Desktop Search"="D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-20 22:53]
"GrooveMonitor"="E:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"updateMgr"="D:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="E:\PROGRA~2\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=D:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=D:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{190be1b0-0741-11dc-b213-000d8817be50}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL bsr.exe
打开\command- J:\bsr.exe


Contents of the 'Scheduled Tasks' folder
2007-07-13 09:15:02  D:\WINDOWS\tasks\1-Click Maintenance.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-13 17:28:21
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

D:\WINDOWS\SYSTEM32\CMD.EXE [3248] 0x868C0BA8


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-13 17:30:30 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2007-07-13 17:30

   --- E O F ---
Logged

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
    • View Profile
    • http://
Trojan-Dropper.Win32.Flystud.f
« Reply #3 on: July 14, 2007, 07:45:09 PM »
Sorry for the delay, if you do have a usb flash drive or similiar it may have infected files on it
Can you ensure it is plugged into the computer

Open notepad and copy/paste the text in the quotebox below into it:
Don't include the word 'quote' please

Quote
File::
D:\WINDOWS\system32\sistem.sys
D:\WINDOWS\system32\sfsync02.dll
J:\bsr.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{190be1b0-0741-11dc-b213-000d8817be50}]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

Save this as ComboFix-Do.txt to your desktop

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot)
A log should open,
Can you post the contents of that log along with a fresh hijackthis log

With the 2 logs, can you also do the following
 Download and save too your desktop
[color=\"#FF0000\"]fsbl.exe[/color][/url]
(F-Secure Blacklight)

Double click to run fsbl.exe
    * Accept the user agreement.
    * Click Scan.
    * After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".
Post this log too

+Can you do the following
Navigate to this file
D:\WINDOWS\clear.bat
DO NOT Double click on clear.bat, instead Right click on it and choose EDIT
Can you copy>>Paste back here the contents please

So I need the following back here
1. The new log from combofix
2. A fresh hijackthis log
3. The log from fsbl.exe
4. The contents of clear.bat
« Last Edit: July 14, 2007, 07:45:37 PM by guestolo »
Logged

Do you want to post your own logs from FRST?

Follow the instructions posted http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/\'>Click Here

Pages: [1]
« previous next »