BleepingComputer.com: Virus/Infection Help (ComboFix Log)

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Virus/Infection Help (ComboFix Log)

#1 User is offline   Tim91 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 1
  • Joined: 20-April 09

Posted 20 April 2009 - 07:06 AM

Hey, I have recently been suspicious of a virus on my computer. I have run speed tests at speedtest.net and am getting a connection speed of around 7MBps, however my browsers (both IE and FF) are running very slowly, these symtoms are also followed by my firewall turning itself off everytime I restart my computer and I am getting permission error messages from a strange programme.

Scanning my computer with AVG and AdAware has done nothing, however I have just scanned it with ComboFix and will include a copy of its results. Any help In reading it and telling me If anything is wrong would be greatly appreciated :thumbsup:

Thanks in advance, Tim.

ComboFix 09-04-20.09 - Tim 20/04/2009 11:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1618 [GMT 1:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\svchost.exe
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\Sysvxd.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-15 10:35 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 10:35 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 10:35 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 10:35 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 10:35 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 10:35 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 10:35 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 10:35 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 10:35 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 10:34 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 10:34 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 10:34 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-13 12:05 . 2009-04-13 12:06 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-13 12:05 . 2009-04-13 12:05 -------- d-----w c:\program files\Lavasoft
2009-04-04 10:49 . 2009-04-04 10:49 -------- d-----w c:\documents and settings\Tim\Local Settings\Application Data\HP
2009-03-29 12:27 . 2009-03-29 12:27 -------- d-----w c:\documents and settings\Tim\Local Settings\Application Data\NCSoft
2009-03-21 14:06 . 2009-03-21 14:06 989696 -c----w c:\windows\system32\dllcache\kernel32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 23:31 . 2008-06-16 20:39 -------- d-----w c:\program files\Warcraft III
2009-04-19 21:48 . 2009-03-15 17:45 -------- d-----w c:\documents and settings\Tim\Application Data\LimeWire
2009-04-19 15:54 . 2009-01-11 23:13 -------- d-----w c:\program files\Steam
2009-04-18 05:52 . 2008-06-17 16:41 -------- d-----w c:\documents and settings\Tim\Application Data\uTorrent
2009-04-16 06:33 . 2008-11-07 18:13 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-04-15 11:43 . 2008-06-23 20:01 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-15 08:57 . 2008-11-07 18:13 -------- d-----w c:\program files\World of Warcraft
2009-04-13 12:04 . 2008-12-25 17:40 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-10 16:00 . 2008-06-16 20:42 83538 ----a-w c:\windows\War3Unin.dat
2009-03-29 23:57 . 2008-07-17 22:18 332016 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-03-15 17:45 . 2009-03-15 17:44 -------- d-----w c:\program files\LimeWire
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 22:15 . 2008-10-19 13:58 -------- d-----w c:\program files\Windows Live Safety Center
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-01 12:30 . 2008-09-02 11:58 139280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-01 12:30 . 2008-09-02 11:58 202000 ----a-w c:\windows\system32\PnkBstrB.exe
2009-03-01 11:54 . 2009-03-01 11:54 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_xusb21_01005.Wdf
2009-02-26 23:24 . 2009-02-26 23:21 -------- d-----w c:\documents and settings\Tim\Application Data\PC Suite
2009-02-26 23:23 . 2009-02-26 23:21 -------- d-----w c:\documents and settings\All Users\Application Data\PC Suite
2009-02-26 23:23 . 2009-02-26 23:23 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-02-26 23:23 . 2009-02-26 23:23 0 ---ha-w c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-02-26 23:22 . 2009-02-26 23:22 -------- d-----w c:\documents and settings\Tim\Application Data\Nseries
2009-02-26 23:21 . 2008-06-16 20:29 78536 ----a-w c:\documents and settings\Tim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-26 23:21 . 2009-02-26 23:21 -------- d-----w c:\documents and settings\Tim\Application Data\Nokia
2009-02-26 23:20 . 2009-02-26 23:17 -------- d-----w c:\program files\Common Files\Nokia
2009-02-26 23:20 . 2009-02-26 23:14 -------- d-----w c:\program files\Nokia
2009-02-26 23:18 . 2009-02-26 23:18 -------- d-----w c:\documents and settings\All Users\Application Data\NokiaMusic
2009-02-26 23:17 . 2009-02-26 23:17 -------- d-----w c:\program files\Common Files\muvee Technologies
2009-02-22 22:00 . 2009-02-22 22:00 244 ---ha-w C:\sqmnoopt07.sqm
2009-02-22 22:00 . 2009-02-22 22:00 232 ---ha-w C:\sqmdata07.sqm
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 15:39 . 2009-02-20 15:39 -------- d-----w c:\documents and settings\Tim\Application Data\Leadertech
2009-02-20 15:29 . 2009-02-20 15:28 -------- d-----w c:\documents and settings\Tim\Application Data\Teleca
2009-02-20 15:28 . 2009-02-20 15:28 -------- d-----w c:\documents and settings\Tim\Application Data\Sony Ericsson
2009-02-20 15:26 . 2009-02-20 15:26 -------- d-----w c:\documents and settings\Tim\Application Data\AdobeUM
2009-02-20 15:26 . 2009-02-20 15:26 -------- d-----w c:\documents and settings\Tim\Application Data\AdobeAUM
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
2009-01-30 19:35 . 2009-01-30 19:35 268 ---ha-w C:\sqmdata04.sqm
2009-01-30 19:35 . 2009-01-30 19:35 244 ---ha-w C:\sqmnoopt04.sqm
2009-01-30 08:09 . 2008-06-16 22:24 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-01-30 00:08 . 2009-01-30 00:08 244 ---ha-w C:\sqmnoopt03.sqm
2009-01-30 00:08 . 2009-01-30 00:08 232 ---ha-w C:\sqmdata03.sqm
2009-01-25 17:29 . 2009-01-25 17:29 244 ---ha-w C:\sqmnoopt06.sqm
2009-01-25 17:29 . 2009-01-25 17:29 232 ---ha-w C:\sqmdata06.sqm
2009-01-24 11:33 . 2009-01-24 11:33 244 ---ha-w C:\sqmnoopt05.sqm
2009-01-24 11:33 . 2009-01-24 11:33 232 ---ha-w C:\sqmdata05.sqm
2008-11-01 17:04 . 2008-11-01 17:04 126 ----a-w c:\documents and settings\Tim\Local Settings\Application Data\fusioncache.dat
2008-08-16 12:36 . 2008-08-16 12:25 24 ----a-w c:\documents and settings\Tim\jagex_runescape_preferences.dat
2008-11-02 15:11 . 2008-11-02 15:11 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008110220081103\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-21 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-30 1601304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]
"WheelMouse"="c:\program files\OCZ Technology\Mouse\Amoumain.exe" [2006-12-28 196608]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.22\RivaTuner.exe" [2008-12-29 2732032]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-01-30 08:09 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tim^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Tim\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Steam\\steamapps\\blink54321\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\LucasArts\\Star Wars JK II Jedi Outcast\\GameData\\jk2mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\blink54321\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enGB-Win-Final-downloader.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Warcraft III Battle.net
"8080:TCP"= 8080:TCP:Hamachi
"8080:UDP"= 8080:UDP:Hamachi
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-01-30 325128]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-01-30 107272]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-30 903960]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-30 298264]

.
Contents of the 'Scheduled Tasks' folder

2009-04-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-DXDllRegExe - dxdllreg.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\uert66zi.default\
FF - prefs.js: browser.search.selectedEngine - MyStart Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar&search=
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 12:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2736)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-20 12:26 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 11:26

Pre-Run: 144,903,901,184 bytes free
Post-Run: 145,849,196,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

226 --- E O F --- 2009-04-15 11:46

#2 User is offline   garmanma 

  • Computer Masochist
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Staff Emeritus
  • Posts: 27,809
  • Joined: 27-January 07
  • Location:Cleveland, Ohio

Posted 20 April 2009 - 10:27 AM

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix logs should not to be posted outside the HijackThis forums and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.
The BC Staff
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users