Am I infected? What do I do? Combo Fix Report


  • This topic is locked This topic is locked
3 replies to this topic

#1 azarober

Posted 21 April 2013 - 09:25 AM

Hi!

Following your "How to Use" article, I post here the ComboFix report asking for help to understand it.

Thanks in advance!

Roberto Azar
ComboFix 13-04-20.02 - Roberto 04/21/2013   0:13.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1536.865 [GMT 3:00]
Running from: c:\documents and settings\Roberto\Desktop\ComboFix.exe
AV: ZoneAlarm Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\5BB923A2.TMP
c:\documents and settings\All Users\Application Data\TEMP\5C321E34.TMP
c:\documents and settings\All Users\Application Data\TEMP\A9662AE0.TMP
c:\documents and settings\All Users\Application Data\TEMP\D1B5B4F1.TMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Auturuns\7za.exe
c:\documents and settings\Auturuns\EULA.txt
c:\documents and settings\Auturuns\procenum.exe
c:\documents and settings\Descargas\ComboFix.exe
c:\documents and settings\Downloads\500.zip
c:\documents and settings\Downloads\c9853w.exe
c:\documents and settings\Downloads\GmailInstaller.exe
c:\documents and settings\Downloads\SUPERAntiSpyware.exe
c:\documents and settings\ICQ Lite\23507368
c:\documents and settings\ICQ Lite\23507368\MIBInstall.exe
c:\documents and settings\Mis archivos recibidos\Sobre la Eficiencia Despu_s de un Tiempo .eml
c:\documents and settings\user\g2mdlhlpx.exe
c:\documents and settings\user\WINDOWS
c:\documents and settings\WebEx\20090728-Uso eficaz de AdSense(571539339)
c:\documents and settings\WebEx\20090728-Uso eficaz de AdSense(571539339)\qna_deleted.txt
c:\documents and settings\WebEx\20091126-Analytics aplicado a AdSense(570859601)
c:\documents and settings\WebEx\20091126-Analytics aplicado a AdSense(570859601)\qna_deleted.txt
C:\Microsoft
c:\windows\system32\SETB07E.tmp
c:\windows\system32\SETB080.tmp
c:\windows\system32\SETB084.tmp
c:\windows\system32\SETB085.tmp
c:\windows\system32\SETB08C.tmp
c:\windows\wininit.ini
D:\AUTORUN.INF
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-20 to 2013-04-20  )))))))))))))))))))))))))))))))
.
.
2013-04-20 20:46 . 2013-04-20 21:04 -------- d-----w- C:\32788R22FWJFW
2013-04-20 20:30 . 2013-04-20 20:30 -------- d-----w- c:\documents and settings\Roberto\Local Settings\Application Data\Max Secure Software
2013-04-20 20:29 . 2013-04-20 20:30 -------- d-----w- c:\documents and settings\Roberto\Application Data\GetRightToGo
2013-04-20 13:18 . 2013-04-20 13:18 -------- d-----w- c:\documents and settings\Roberto\Application Data\CheckPoint
2013-04-20 13:13 . 2013-04-20 13:13 -------- d-----w- c:\program files\Check Point Software Technologies LTD
2013-04-20 13:13 . 2013-04-20 13:13 -------- d-----w- c:\documents and settings\Roberto\Application Data\Check Point Software Technologies LTD
2013-04-20 13:13 . 2013-04-20 21:09 -------- d-----w- c:\program files\CheckPoint
2013-04-20 13:12 . 2013-04-20 13:12 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
2013-04-20 10:10 . 2013-04-20 10:10 -------- d-----w- c:\documents and settings\Roberto\Local Settings\Application Data\APN
2013-04-20 10:09 . 2013-04-20 10:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2013-04-20 09:24 . 2013-04-20 10:31 -------- d-----w- c:\documents and settings\Roberto\Local Settings\Application Data\LogMeIn Rescue Applet
2013-04-19 03:07 . 2013-04-19 03:07 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Foxit Software
2013-04-18 21:56 . 2013-04-19 03:07 -------- d-----w- c:\documents and settings\Roberto\Application Data\Foxit Software
2013-04-18 19:29 . 2013-04-18 19:29 -------- d-----w- c:\windows\system32\wbem\Repository
2013-04-16 20:41 . 2013-04-16 20:41 -------- d-----w- c:\documents and settings\Roberto\Application Data\PC Turbo Boost
2013-04-16 20:40 . 2008-01-15 11:57 951104 ----a-w- c:\windows\system32\tssOfficeMenu1d.ocx
2013-04-16 20:40 . 2013-04-18 19:23 -------- d-----w- c:\program files\PC Turbo Boost
2013-04-16 20:40 . 2009-11-11 03:41 32768 ----a-w- c:\windows\system32\tssOfficeMenu1d.oca
2013-04-16 20:40 . 2009-11-11 03:41 22016 ----a-w- c:\windows\system32\MBSplit.oca
2013-04-16 20:40 . 2008-01-15 11:57 65536 ----a-w- c:\windows\system32\MBSplit.ocx
2013-04-16 20:39 . 2013-04-16 20:39 41 ----a-w- C:\user.js
2013-04-16 14:07 . 2013-04-16 14:16 -------- d-----w- c:\documents and settings\Roberto\Application Data\Glarysoft
2013-04-16 14:07 . 2013-04-16 14:07 -------- d-----w- c:\program files\Glary Utilities
2013-04-16 13:58 . 2013-04-16 13:58 -------- d-----w- c:\program files\Glary Utilities Portable
2013-04-15 10:53 . 2013-04-16 14:14 -------- d-----w- c:\program files\TuneUp Utilities 2013
2013-04-15 10:53 . 2013-04-15 10:54 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2013-04-15 10:52 . 2013-04-15 14:09 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{C4ABDBC8-1C81-42C9-BFFC-4A68511E9E4F}
2013-04-15 10:52 . 2013-04-15 10:52 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2013-04-12 13:47 . 2013-03-06 22:33 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-04-12 13:47 . 2013-03-06 22:33 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-04-12 13:47 . 2013-03-06 22:33 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-04-12 13:45 . 2013-04-12 13:45 -------- d-----w- c:\program files\AVAST Software
2013-04-09 21:31 . 2013-04-09 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\{CED89F1A-945F-46EC-B23C-5EAF6D2DB12A}
2013-04-08 12:05 . 2013-04-08 12:05 -------- d-----w- c:\documents and settings\Roberto\Local Settings\Application Data\Sun
2013-04-08 08:55 . 2013-04-08 08:55 -------- d-----w- c:\program files\Common Files\Java
2013-04-08 08:50 . 2013-04-08 08:49 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-04-08 08:50 . 2013-04-08 08:49 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-04-08 08:49 . 2013-04-08 08:49 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-04-07 19:08 . 2012-12-21 14:20 2468520 ----a-w- c:\windows\system32\BootMan.exe
2013-04-07 19:08 . 2011-07-29 10:54 19840 ----a-w- c:\windows\system32\EuEpmGdi.dll
2013-04-07 19:08 . 2012-12-21 10:54 13896 ----a-w- c:\windows\system32\epmntdrv.sys
2013-04-07 19:08 . 2012-12-21 10:53 9160 ----a-w- c:\windows\system32\EuGdiDrv.sys
2013-04-07 19:08 . 2012-12-21 10:53 87112 ----a-w- c:\windows\system32\setupempdrv03.exe
2013-04-07 07:48 . 2013-04-07 07:48 -------- d-----w- c:\documents and settings\Roberto\Application Data\RealNetworks
2013-04-07 07:46 . 2013-04-07 07:46 -------- d-----w- c:\program files\RealNetworks
2013-04-07 07:46 . 2013-04-07 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\RealNetworks
2013-04-07 07:45 . 2013-04-07 07:45 -------- d-----w- c:\program files\Common Files\xing shared
2013-04-06 12:36 . 2012-12-11 12:47 260096 ----a-w- c:\windows\system32\WPShellExt32.dll
2013-04-06 12:33 . 2013-04-06 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Wondershare AllMyTube
2013-04-06 12:33 . 2013-04-06 12:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Wondershare Application Common Data
2013-04-04 14:47 . 2013-04-04 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2013-03-29 21:43 . 2013-03-30 19:41 -------- d-----w- c:\documents and settings\Roberto\Application Data\IObit Apps
2013-03-29 21:19 . 2013-03-29 21:19 -------- d-----w- c:\program files\Common Files\Skype
2013-03-29 20:00 . 2013-04-19 06:44 -------- d-----w- c:\documents and settings\Roberto\dwhelper
2013-03-29 16:32 . 2013-03-29 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{D76294E6-03B8-4971-AF2E-3F846161A690}
2013-03-29 16:32 . 2013-03-29 16:32 -------- d-----w- c:\documents and settings\Roberto\AppData
2013-03-29 16:32 . 2013-03-29 16:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{5A85B23A-4B58-47D1-9B9C-DFBD7866099F}
2013-03-29 16:27 . 2013-03-29 16:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Application Updater
2013-03-29 16:27 . 2013-04-20 18:19 -------- d-----w- c:\program files\IObit Apps Toolbar
2013-03-29 16:01 . 2013-03-30 10:17 -------- d-----w- c:\documents and settings\Roberto\Application Data\KompoZer
2013-03-28 21:26 . 2013-03-28 21:26 -------- d-----w- C:\Signatures
2013-03-28 21:25 . 2013-03-28 21:25 -------- d-----r- C:\My Pictures
2013-03-28 21:25 . 2013-03-28 21:25 -------- d-----w- C:\recovered_mails
2013-03-28 18:40 . 2013-03-28 18:40 -------- d-----w- c:\program files\YourWare Solutions
2013-03-28 18:40 . 2012-08-11 18:43 8191438 ----a-w- c:\program files\EasyDriveDataRecovery-3.0-Setup-RegNow-trial-build3.exe
2013-03-28 17:47 . 2013-03-28 18:33 -------- d-----w- C:\ProgramData
2013-03-28 13:26 . 2013-03-28 13:26 -------- d-----w- C:\PerfLogs
2013-03-28 13:25 . 2013-03-28 13:25 -------- d-----w- C:\output
2013-03-28 13:10 . 2013-04-05 19:05 -------- d-----w- C:\My Documents
2013-03-28 12:54 . 2013-03-28 12:54 -------- d-----r- C:\MSOCache
2013-03-28 12:54 . 2013-03-28 12:54 -------- d-----w- C:\MGADiagToolOutput
2013-03-28 12:54 . 2013-03-28 12:54 -------- d-----w- C:\Log
2013-03-28 08:38 . 2013-03-28 08:38 -------- d-----w- C:\Conexant
2013-03-28 08:38 . 2013-03-28 08:38 -------- d-----w- C:\CallingID
2013-03-28 08:34 . 2013-03-28 08:36 -------- d-----w- C:\96b122dcdde458493800cce89b39df
2013-03-27 18:55 . 2011-01-28 12:45 82 ----a-w- c:\documents and settings\cc_20110128_144533.reg
2013-03-27 18:54 . 2005-05-12 13:49 307712 ----a-w- c:\documents and settings\AGENTCLN.exe
2013-03-27 18:54 . 2009-02-03 14:58 1228304 ----a-w- c:\documents and settings\ADBEDRWVCS4_LS4.exe
2013-03-27 18:47 . 2013-03-27 18:47 -------- d-----w-queda(579513962) c:\docume~1\WebEx\200907~2
2013-03-27 18:47 . 2013-04-20 21:33 -------- d-----w- c:\documents and settings\WebEx
2013-03-27 18:47 . 2013-03-27 18:47 -------- d-----w- 2(571910149) c:\docume~1\WebEx\200909~1
2013-03-27 18:45 . 2013-03-27 18:45 -------- d-----w- c:\documents and settings\Updater
2013-03-27 18:45 . 2013-03-27 18:45 -------- d-----w- c:\documents and settings\Themes
2013-03-27 18:45 . 2013-03-27 18:45 -------- d-----w- c:\documents and settings\RegistryExpert
2013-03-27 18:44 . 2013-03-27 18:45 -------- d-----w- c:\documents and settings\phplist-2.10.11
2013-03-27 18:44 . 2013-03-27 18:44 -------- d-s---w- c:\documents and settings\My Web Sites
2013-03-27 18:44 . 2013-03-27 18:44 -------- d-----w- c:\documents and settings\My Surfulater
2013-03-27 18:43 . 2013-03-27 18:43 -------- d-s---r- c:\documents and settings\My Stationery
2013-03-27 18:43 . 2013-03-27 18:43 -------- d-----w- c:\documents and settings\My Received Files
2013-03-27 18:43 . 2013-03-27 18:43 -------- d-----w- c:\documents and settings\My Google Gadgets
2013-03-27 18:43 . 2013-03-27 18:43 -------- d-----w- c:\documents and settings\My Downloads
2013-03-27 18:43 . 2013-03-27 18:43 -------- d-----w- c:\documents and settings\My Completed Downloads
2013-03-27 18:30 . 2013-04-20 21:32 -------- d-----w- c:\documents and settings\Mis archivos recibidos
2013-03-27 18:30 . 2013-04-20 21:33 -------- d-----w- c:\documents and settings\ICQ Lite
2013-03-27 18:29 . 2013-03-27 18:30 -------- d-----w- c:\documents and settings\ezvid
2013-03-27 18:21 . 2013-04-20 21:32 -------- d-----w- c:\documents and settings\Downloads
2013-03-27 18:21 . 2013-03-27 18:21 -------- d-----w- c:\documents and settings\Discussions Docs
2013-03-27 18:21 . 2013-04-20 21:32 -------- d-----w- c:\documents and settings\Auturuns
2013-03-27 18:20 . 2013-04-20 21:32 -------- d-----w- c:\documents and settings\Descargas
2013-03-27 18:20 . 2013-03-27 18:20 -------- d-----w- c:\documents and settings\AdobeStockPhotos
2013-03-27 18:20 . 2013-03-27 18:20 -------- d-----w- c:\documents and settings\1Password
2013-03-27 18:19 . 2012-06-21 15:22 60304 ----a-w- C:\g2mdlhlpx.exe
2013-03-27 18:18 . 2013-03-27 18:18 -------- d-----w- C:\UserData
2013-03-27 18:18 . 2013-03-27 18:18 -------- d-----w- C:\Tracing
2013-03-27 18:18 . 2013-03-27 18:18 -------- d-----w- C:\SyncFolder
2013-03-27 18:18 . 2013-03-27 18:18 -------- d-----r- C:\Searches
2013-03-27 18:18 . 2013-03-27 18:18 -------- d-----r- C:\Saved Games
2013-03-27 18:15 . 2013-03-27 18:15 -------- d-----r- C:\Videos
2013-03-27 18:15 . 2013-03-27 18:15 -------- d-----r- C:\Pictures
2013-03-27 18:15 . 2013-03-27 18:15 -------- d-----r- C:\Music
2013-03-27 18:14 . 2013-03-27 18:14 -------- d-----r- C:\Links
2013-03-27 18:13 . 2013-03-27 18:14 -------- d-----r- C:\Favorites
2013-03-27 18:04 . 2013-03-27 18:05 -------- d-----w- C:\dwhelper
2013-03-27 17:41 . 2013-04-05 19:04 -------- d-----r- C:\Documents
2013-03-27 17:39 . 2013-04-19 01:48 -------- d-----r- C:\Desktop
2013-03-27 17:39 . 2013-03-27 17:39 -------- d-----r- C:\Contacts
2013-03-27 15:53 . 2013-03-27 16:31 -------- d-----w- C:\AppData
2013-03-26 20:04 . 1999-12-31 20:10 -------- d-----w- c:\program files\Mozilla Maintenance Service
2013-03-26 20:04 . 2013-04-03 08:35 -------- d-----w- c:\program files\Mozilla Thunderbird
2013-03-26 16:25 . 2013-03-26 16:25 0 ----a-w- c:\program files\GUM6F.tmp
2013-03-26 16:20 . 2013-03-29 22:32 -------- d-----r- C:\Users
2013-03-26 16:13 . 2013-02-05 20:05 522240 -c----w- c:\windows\system32\dllcache\jsdbgui.dll
2013-03-26 16:13 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-26 16:07 . 2012-01-11 19:06 3072 -c----w- c:\windows\system32\dllcache\iacenc.dll
2013-03-26 16:07 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-13 09:39 . 2011-05-14 13:33 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-08 08:49 . 2011-01-20 09:06 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-07 07:43 . 2003-10-17 10:44 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-04-07 07:43 . 2003-10-17 10:44 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-03-08 08:36 . 2008-04-14 02:42 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:28 . 2008-04-13 21:57 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-02 01:25 . 2008-04-13 22:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-02-27 07:56 . 2010-07-28 17:16 2067456 ----a-w- c:\windows\system32\mstscax.dll
2013-02-21 19:06 . 2008-04-14 02:42 667136 ----a-w- c:\windows\system32\wininet.dll
2013-02-21 19:06 . 2008-04-14 02:41 61952 ----a-w- c:\windows\system32\tdc.ocx
2013-02-21 19:06 . 2011-06-13 19:13 81920 ----a-w- c:\windows\system32\ieencode.dll
2013-02-21 00:38 . 2008-04-13 21:07 369664 ----a-w- c:\windows\system32\html.iec
2013-02-12 00:32 . 2008-04-13 21:26 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-01-26 03:55 . 2008-04-14 02:42 552448 ----a-w- c:\windows\system32\oleaut32.dll
2005-10-24 06:01 . 2010-07-30 14:30 774144 ----a-w- c:\program files\RngInterstitial.dll
2005-07-06 17:01 . 2010-07-30 14:30 2039808 ----a-w- c:\program files\navstudio.msi
2005-06-05 06:14 . 2010-07-30 14:30 552096 ----a-w- c:\program files\GoogleToolbarInstaller.exe
2003-12-28 20:56 . 2010-07-30 14:30 5064526 ----a-w- c:\program files\WebPage.exe
2003-04-27 10:28 . 2010-07-30 14:30 4989952 ----a-w- c:\program files\msxml.msi
2002-09-06 05:08 . 2010-07-30 14:30 464704 ----a-w- c:\program files\SobigVirusStopperSetup.exe
2001-07-07 16:23 . 2010-07-30 14:30 1040017 ----a-w- c:\program files\dap5.exe
2001-04-27 18:29 . 2010-07-30 14:30 117776 ----a-w- c:\program files\advpack.exe
2001-04-14 01:00 . 2010-07-30 14:30 1307140 ----a-w- c:\program files\surf031.exe
2001-04-05 02:07 . 2010-07-30 14:30 378966 ----a-w- c:\program files\upgradeb.exe
2001-04-04 00:58 . 2010-07-30 14:30 260700 ----a-w- c:\program files\ICQMessageArchive.exe
2001-02-19 01:51 . 2010-07-30 14:30 597872 ----a-w- c:\program files\ie5fonts.exe
2000-10-16 02:19 . 2010-07-30 14:30 241576 ----a-w- c:\program files\ICQVoiceMessage.exe
2013-04-12 11:16 . 2013-04-12 11:16 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-05-24 . 86E0F22A62212447ED3F886B5EC0689E . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{03EB0E9C-7A91-4381-A220-9B52B641CDB1}"= "c:\program files\IObit Apps Toolbar\IE\7.0\iobitappsToolbarIE.dll" [2013-02-23 1352512]
.
[HKEY_CLASSES_ROOT\clsid\{03eb0e9c-7a91-4381-a220-9b52b641cdb1}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}]
2013-02-23 16:17 1352512 ----a-w- c:\program files\IObit Apps Toolbar\IE\7.0\iobitappsToolbarIE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{03EB0E9C-7A91-4381-A220-9B52B641CDB1}"= "c:\program files\IObit Apps Toolbar\IE\7.0\iobitappsToolbarIE.dll" [2013-02-23 1352512]
.
[HKEY_CLASSES_ROOT\clsid\{03eb0e9c-7a91-4381-a220-9b52b641cdb1}]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Skype"="d:\program files\Skype\Phone\Skype.exe" [2013-02-28 18642024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MagciTune3.5.lnk]
backup=c:\windows\pss\MagciTune3.5.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roberto^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Roberto^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MultiScreen
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZSSnp211
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
2002-06-12 21:23 1495040 -c--a-r- c:\windows\mixer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Domino]
2006-08-18 13:58 49152 ----a-w- c:\windows\Domino.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-07-05 15:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-02-28 16:00 18642024 ----a-r- d:\program files\Skype\Phone\Skype.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\INSTALL\\CoreFTP\\coreftp.exe"=
"c:\\Documents and Settings\\Roberto\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [4/12/2013 4:47 PM 49248]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [4/12/2013 4:47 PM 66336]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [7/30/2010 5:44 PM 189736]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [5/14/2011 4:45 PM 10448]
R2 Monitis Smart Agent;Monitis Smart Agent;d:\program files\Monitis.com\Monitis\Monitis.exe [10/29/2012 10:56 AM 215040]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [3/6/2013 2:21 AM 39056]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\Drivers\SmartDefragDriver.sys --> c:\windows\system32\Drivers\SmartDefragDriver.sys [?]
S3 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [4/12/2013 4:47 PM 164736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [4/7/2013 10:08 PM 13896]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [4/7/2013 10:08 PM 9160]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - ISWKL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-10 21:44 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.64\Installer\chrmstp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2008-04-14 02:41 99840 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-26 09:39]
.
2013-04-20 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2013-04-16 18:09]
.
2013-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-08 16:40]
.
2013-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-04-08 16:40]
.
2013-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1035525444-842925246-1003Core.job
- c:\documents and settings\Roberto\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-05 20:26]
.
2013-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-436374069-1035525444-842925246-1003UA.job
- c:\documents and settings\Roberto\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-10-05 20:26]
.
2013-04-20 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 12:07]
.
2013-04-20 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-436374069-1035525444-842925246-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 08:36]
.
2013-04-20 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-436374069-1035525444-842925246-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 08:36]
.
2013-04-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-436374069-1035525444-842925246-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 08:36]
.
2013-04-07 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-436374069-1035525444-842925246-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 08:36]
.
2013-04-20 c:\windows\Tasks\SmartDefrag_Startup.job
- c:\program files\IObit\Smart Defrag 2\SmartDefrag.exe [2013-04-20 11:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://tuvaro.com/ws/?source=4c3f95e5&tbp=homepage&toolbarid=base&u=d45e8731000000000000000acd1223cd
uInternet Settings,ProxyOverride = localhost; 127.0.0.1; <local>
uSearchAssistant =
TCP: DhcpNameServer = 10.0.0.138
FF - ProfilePath - c:\documents and settings\Roberto\Application Data\Mozilla\Firefox\Profiles\0h6q35lu.default-1366019980671\
FF - prefs.js: browser.startup.homepage - hxxp://www.3x3links.com/?set=0
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: keyword.URL -
FF - ExtSQL: 2013-04-07 10:46; {DAC3F861-B30D-40dd-9166-F4E75327FAC7}; c:\documents and settings\All Users\Application Data\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF - ExtSQL: 2013-04-15 22:32; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Roberto\Application Data\Mozilla\Firefox\Profiles\0h6q35lu.default-1366019980671\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
FF - ExtSQL: 2013-04-19 09:41; {b9db16a4-6edc-47ec-a1f4-b86292ed211d}; c:\documents and settings\Roberto\Application Data\Mozilla\Firefox\Profiles\0h6q35lu.default-1366019980671\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - ExtSQL: 2013-04-20 16:17; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; c:\program files\CheckPoint\ZAForceField\TrustChecker
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: extensions.Softonic.hpOld0 -
FF - user.js: extensions.Softonic.kw_url - hxxp://search.softonic.com/INF00194/tb_v1?SearchSource=2&cc=&q=
FF - user.js: extensions.Softonic.dnsErr - true
FF - user.js: extensions.Softonic.newTab - true
FF - user.js: extensions.Softonic.tlbrSrchUrl - hxxp://search.softonic.com/INF00194/tb_v1?SearchSource=1&cc=&q=
FF - user.js: extensions.Softonic.id - d45e8731000000000000000acd1223cd
FF - user.js: extensions.Softonic.appId - {7ABBFE1C-E485-44AA-8F36-353751B4124D}
FF - user.js: extensions.Softonic.instlDay - 15811
FF - user.js: extensions.Softonic.vrsn - 1.8.16.10
FF - user.js: extensions.Softonic.vrsni - 1.8.16.10
FF - user.js: extensions.Softonic.vrsnTs - 1.8.16.1016:47
FF - user.js: extensions.Softonic.prtnrId - softonic
FF - user.js: extensions.Softonic.prdct - Softonic
FF - user.js: extensions.Softonic.aflt - SD
FF - user.js: extensions.Softonic.smplGrp - none
FF - user.js: extensions.Softonic.tlbrId - BASEirobinhoodActive
FF - user.js: extensions.Softonic.instlRef - INF00194
FF - user.js: extensions.Softonic.dfltLng - es
FF - user.js: extensions.Softonic.excTlbr - false
FF - user.js: extensions.Softonic.ffxUnstlRst - false
FF - user.js: extensions.Softonic.admin - false
FF - user.js: extensions.Softonic.autoRvrt - false
FF - user.js: extensions.Softonic.rvrt - false
FF - user.js: extensions.Softonic.hmpg - true
FF - user.js: extensions.Softonic.hmpgUrl - hxxp://search.softonic.com/INF00194/tb_v1?SearchSource=13&cc=
FF - user.js: extensions.Softonic.dfltSrch - true
FF - user.js: extensions.Softonic.srchPrvdr - Search the web (Softonic)
FF - user.js: extensions.Softonic.newTabUrl - hxxp://search.softonic.com/INF00194/tb_v1?SearchSource=15&cc=
FF - user.js: extensions.tuvaro.hpOld0 - hxxp://search.softonic.com/INF00194/tb_v1?SearchSource=13&cc=
FF - user.js: extensions.tuvaro.dfltSrch - true
FF - user.js: extensions.tuvaro.srchPrvdr - Tuvaro
FF - user.js: extensions.tuvaro.tlbrSrchUrl - hxxp://tuvaro.com/ws/?source=4c3f95e5&tbp=main&toolbarid=base&u=d45e8731000000000000000acd1223cd&q=
FF - user.js: extensions.tuvaro.id - d45e8731000000000000000acd1223cd
FF - user.js: extensions.tuvaro.appId - {2768469C-717B-401F-8532-C6D88BAE0339}
FF - user.js: extensions.tuvaro.instlDay - 15811
FF - user.js: extensions.tuvaro.vrsn - 1.8.17.3
FF - user.js: extensions.tuvaro.vrsni - 1.8.17.3
FF - user.js: extensions.tuvaro.vrsnTs - 1.8.17.323:39
FF - user.js: extensions.tuvaro.prtnrId - tuvaro
FF - user.js: extensions.tuvaro.prdct - tuvaro
FF - user.js: extensions.tuvaro.aflt - orgnl
FF - user.js: extensions.tuvaro.smplGrp - none
FF - user.js: extensions.tuvaro.tlbrId - base
FF - user.js: extensions.tuvaro.instlRef - 4c3f95e5
FF - user.js: extensions.tuvaro.dfltLng -
FF - user.js: extensions.tuvaro.excTlbr - false
FF - user.js: extensions.tuvaro.ffxUnstlRst - false
FF - user.js: extensions.tuvaro.admin - false
FF - user.js: extensions.tuvaro.cam -
FF - user.js: extensions.tuvaro.autoRvrt - false
FF - user.js: extensions.tuvaro.rvrt - false
FF - user.js: extensions.tuvaro.hmpg - true
FF - user.js: extensions.tuvaro.hmpgUrl - hxxp://tuvaro.com/ws/?source=4c3f95e5&tbp=homepage&toolbarid=base&u=d45e8731000000000000000acd1223cd
FF - user.js: extensions.tuvaro.kw_url - hxxp://tuvaro.com/ws/?source=4c3f95e5&tbp=url&toolbarid=base&u=d45e8731000000000000000acd1223cd&q=
FF - user.js: extensions.tuvaro.dnsErr - true
FF - user.js: extensions.tuvaro.newTab - true
FF - user.js: extensions.tuvaro.newTabUrl - chrome://tuvaro/content/new browser tab.html?source=4c3f95e5&tbp=tab&u=d45e8731000000000000000acd1223cd
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-21 00:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1312)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(1392)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2013-04-21  00:41:10
ComboFix-quarantined-files.txt  2013-04-20 21:41
ComboFix2.txt  2010-09-28 09:47
.
Pre-Run: 47,632,027,648 bytes free
Post-Run: 48,186,728,448 bytes free
.
- - End Of File - - BA4920DD56501535E5C4CB10FCF25935
Edit: Moved topic from Am I infected? What do I do? to the more appropriate forum. ~ Animal
#2 nasdaq (Malware Response Team)

Posted 22 April 2013 - 08:41 AM

Duplicate, topic will be closed.

#3 nasdaq (Malware Response Team)

Posted 22 April 2013 - 08:41 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.