C:\ComboFix.txt


This topic is locked
1 reply to this topic

#1 marcelena80

Posted 21 November 2008 - 10:57 PM

Trying to complete the cleanup of my computer from ComboFix to remove Internet Speed Monitor. Here is the log generated after ComboFix ran. What do I do next??? Please help, and I appreciate any and all assistance!

ComboFix 08-11-21.03 - Window User 2008-11-21 19:54:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.238 [GMT -7:00]
Running from: c:\documents and settings\Window User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Window User\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Window User\Application Data\FunWebProducts
c:\documents and settings\Window User\Application Data\ShoppingReport
c:\documents and settings\Window User\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\Window User\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\Window User\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\Window User\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\Window User\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\Window User\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\Window User\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
c:\documents and settings\Window User\Start Menu\Programs\Startup\Deewoo.lnk
c:\documents and settings\Window User\Start Menu\Programs\Startup\DW_Start.lnk
c:\program files\GetModule
c:\program files\GetModule\GetModule29.exe
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\VnrBlock
c:\program files\VnrBlock\VnrBlock21.exe
c:\program files\VnrBlock\xtarga.gz
c:\recycler\ADAPT_Installer.exe
c:\windows\cor704836.exe
c:\windows\ee3362.exe
c:\windows\eo4.exe
c:\windows\h288.exe
c:\windows\j414.exe
c:\windows\lik02.exe
c:\windows\mondrv411.exe
c:\windows\nc605007.exe
c:\windows\ndxq3074.exe
c:\windows\qggu58826.exe
c:\windows\service.exe
c:\windows\system32\dwwnw64r.exe
c:\windows\system32\gside.exe
c:\windows\system32\iexplorer.exe
c:\windows\system32\kcntltdm.exe
c:\windows\system32\mdm.exe
c:\windows\system32\msnav32.ax
c:\windows\system32\winpfz33.sys
c:\windows\system32\zxdnt3d.cfg
c:\windows\tj85.exe
c:\windows\tjyvb346054.exe
c:\windows\winup.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTLOAD
-------\Service_NTLOAD


((((((((((((((((((((((((( Files Created from 2008-10-22 to 2008-11-22 )))))))))))))))))))))))))))))))
.

2008-11-20 02:27 . 2008-11-20 02:27 1,632,768 --a------ c:\windows\winee.exe
2008-11-19 10:43 . 2008-11-19 10:43 1,232,896 --a------ c:\windows\winactv1.exe
2008-11-17 08:48 . 2008-11-17 13:44 1,232,896 --a------ c:\windows\winactivate.exe
2008-11-13 13:43 . 2008-11-15 08:07 39,936 --a------ c:\windows\wininii.exe
2008-11-12 21:33 . 2008-11-12 21:33 39,936 --a------ c:\windows\winip.exe
2008-11-09 08:58 . 2008-11-09 14:01 <DIR> d-------- c:\program files\coolpro2
2008-11-08 13:51 . 2008-11-08 13:51 <DIR> d-------- c:\documents and settings\Window User\Application Data\HighKey
2008-11-06 13:48 . 2008-11-06 13:48 <DIR> d-------- c:\documents and settings\Window User\Application Data\GetModule
2008-11-04 22:43 . 2008-11-05 04:48 273,932 --a------ C:\nzm.exe
2008-11-04 20:23 . 2008-11-21 19:06 <DIR> dr-hs---- c:\windows\system\DRIVER
2008-11-04 19:04 . 2008-11-04 19:04 9,662 --a------ c:\windows\system32\pinkip.ico
2008-11-04 14:38 . 2008-11-04 14:38 262,172 --a------ c:\windows\system32\rkwnw64l.exe
2008-11-04 13:33 . 2008-11-04 13:33 548,924 --a------ c:\windows\system32\kcntltdl.exe
2008-11-04 13:33 . 2008-11-04 13:33 153,417 --a------ c:\windows\system32\g73.exe
2008-10-22 18:57 . 2000-07-15 00:00 101,888 --a------ c:\windows\system32\VB6STKIT.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-19 19:55 --------- d-----w c:\documents and settings\Window User\Application Data\LimeWire
2008-11-17 07:55 --------- d-----w c:\documents and settings\Window User\Application Data\AVG7
2008-11-04 22:32 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-04 22:32 --------- d-----w c:\program files\Common Files\InstallShield
2008-11-04 18:58 --------- d-----w c:\program files\LimeWire
2008-10-24 00:27 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-22 00:39 --------- d-----w c:\documents and settings\Window User\Application Data\.wyzo
2008-10-22 00:31 --------- d-----w c:\program files\Common Files\Adobe
2008-10-21 20:35 --------- d-----w c:\program files\Serif
2008-10-07 18:57 --------- d-----w c:\documents and settings\Window User\Application Data\Syntrillium
2008-10-06 19:44 --------- d-----w c:\program files\Windows Media Connect 2
1998-12-09 02:53 99,840 ----a-w c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w c:\program files\Common Files\IRASRIAL.DLL
2007-06-13 10:23 273,932 --sh--r c:\windows\system32\nod64.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 579584]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-01 176128]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-23 233472]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-05 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"Windows Update Service"="nod64.exe" [2007-06-13 c:\windows\system32\nod64.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Update Service"="nod64.exe" [2007-06-13 c:\windows\system32\nod64.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-05 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-08-26 113664]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-10-02 1283608]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Microtek Scanner Finder.lnk - c:\windows\twain_32\ScanWiz5\SDII.exe [2007-11-05 315392]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"<NO NAME>"= :Windows Update Service

R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;c:\windows\system32\DRIVERS\AN983.sys [2007-11-04 36224]
S4 hpt3xx;hpt3xx; []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VnrBlock21 - c:\program files\VnrBlock\VnrBlock21.exe
HKCU-Run-GetModule29 - c:\program files\GetModule\GetModule29.exe
HKLM-Run-{08-8A-AC-C7-DW} - c:\windows\system32\dwwnw64r.exe
HKLM-Run-mondrv411 - c:\windows\mondrv411.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-21 19:59:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\dwwnw64r.exe.virin
.
**************************************************************************
.
Completion time: 2008-11-21 20:01:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-22 03:01:32

Pre-Run: 62,335,397,888 bytes free
Post-Run: 64,365,699,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn


#2 KoanYorel


Posted 21 November 2008 - 11:49 PM

Please note the message text in blue at the top of the Am I infected? What do I do? forum, or at the top of this forum.

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.
The BC Staff

Edited by KoanYorel, 21 November 2008 - 11:51 PM.
