Error Using Combofix.exe


This topic is locked
3 replies to this topic

#1 lovely lisa

  • Members
  • 3 posts

Posted 16 July 2007 - 04:31 PM

Hi all, I am getting an error message using combofix.exe. The error message reads "0x7c9111e0 referenced memory at 0x006c0079 could not be read".
I have no clue what this means; maybe someone can give me a hand. Before running ComboFix I ran Ad-Aware SE and SUPERAntiSpyware, then I ran an AVG antivirus scan, and then ComboFix and then HijackThis at the end (all was done in safe mode). I will post a log file from ComboFix to see if someone can help me out. Thanks.

"CraZy LoC" - 2007-07-15 19:57:40 - ComboFix 07-07-16 - Service Pack 2 NTFS [SAFE MODE]


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-15 16:00 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-15 16:00 <DIR> d-------- C:\DOCUME~1\CRAZYL~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-15 16:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-15 15:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-15 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-15 13:36 <DIR> d-------- C:\DOCUME~1\CRAZYL~1\APPLIC~1\Uniblue
2007-07-15 13:08 51,200 --a------ C:\WINDOWS\nircmd.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 21:51:13 -------- d-----w C:\Program Files\America Online 8.0
2007-07-06 03:32:33 -------- d-----w C:\Program Files\m.p3 Professional Edition
2007-07-06 02:43:43 -------- d-----w C:\Program Files\Corel
2007-07-06 02:41:54 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-06 02:24:39 -------- d-----w C:\DOCUME~1\CRAZYL~1\APPLIC~1\Corel
2007-06-29 15:39:27 -------- d-----w C:\Program Files\dl_Cats
2007-06-28 18:06:13 2,828 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-28 18:06:04 88 -csh--r C:\WINDOWS\system32\E01E9C7F70.sys
2007-05-24 19:01:38 -------- d-----w C:\Program Files\Dell
2007-05-24 18:31:32 -------- d-----w C:\DOCUME~1\CRAZYL~1\APPLIC~1\COMCASTTOOLBAR
2007-05-24 18:31:01 -------- d-----w C:\Program Files\ComcastToolbar
2007-05-24 18:06:15 -------- d-----w C:\Program Files\Common Files\Scanner
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 22:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2005-09-08 07:20 110652 --a------ C:\WINDOWS\System32\DLA\DLASHX_W.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2005-11-10 15:22 184423 --a------ C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-31 00:49 2403392 -ra------ c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
2006-11-17 13:46 98304 --a------ C:\Program Files\BAE\BAE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 13:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-09-22 13:47]
"SigmatelSysTrayApp"="stsystra.exe" [2006-09-22 13:06 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 22:29]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 18:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-01-27 21:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-05 22:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 04:24]
"DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 23:57]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-07-15 19:51]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL --a------ 2007-07-15 19:51 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

*Newly Created Service* - ASCTRM
*Newly Created Service* - MDMXSDK

**************************************************************************

catchme 0.3.1017 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-15 20:00:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe"
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE"
"DLCFCATS"="rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"ProfileLoadTimeLow"=dword:0549b364
"RefCount"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1782099764-3995341453-1585261633-1007]
"ProfileLoadTimeLow"=dword:0f563cba

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"CleanShutdown"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_ShowNetConn_ShouldShow"=dword:00000042

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices]
"Microsoft Office Document Image Writer"="winspool,Ne00:"
"Fax"="winspool,Ne01:"
"Dell Color Printer 725"="winspool,Ne02:"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts]
"Microsoft Office Document Image Writer"="winspool,Ne00:,15,45"
"Fax"="winspool,Ne01:,15,45"
"Dell Color Printer 725"="winspool,Ne02:,15,45"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Device"="Fax,winspool,Ne01:"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-15 20:02:04

--- E O F ---
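The catchme section of the log above lists registry values that the scanner could read through the native registry API but that the ordinary Win32 view did not return in the same form. The DLCFCATS value is padded with a long run of \0 escapes, which is how catchme prints embedded NUL bytes. The Win32 registry functions treat strings as NUL-terminated, so everything past the first NUL is invisible to regedit and to most scanners that rely on them; that makes NUL padding both a known hiding trick and, occasionally, a harmless artefact of a careless installer. The script below is an added example, not part of the post and not ComboFix or catchme code: it pulls the "scanning hidden registry entries" section out of a catchme log, parses keys and values, and flags NUL-padded values, marking those that sit under an autostart key. The SAMPLE_LOG is constructed from the shape of the log in the post. A hit means "inspect this value by hand", not "this is malware".

```python
r"""
Added example (not part of the original post, and not ComboFix/catchme code):
extract the 'scanning hidden registry entries' section of a catchme log and
flag values whose data ends in a run of literal "\0" escapes (catchme's
rendering of embedded NUL bytes). Win32 registry calls stop at the first NUL,
so that trailing data is invisible in regedit; such values deserve a manual look.
"""
import re

# Constructed sample in the shape of the log in the post (not the full log).
SAMPLE_LOG = r"""
catchme 0.3.1017 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
Rootkit scan 2007-07-15 20:00:53

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe"
"DLCFCATS"="rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16\0\0\0\0\0\0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"CleanShutdown"=dword:00000001

scanning hidden files ...

scan completed successfully
hidden files: 0
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
NUL_RUN_RE = re.compile(r"(\\0)+$")  # trailing run of literal \0 escapes

# Keys whose values are executed at logon; compared case-insensitively.
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")


def parse_hidden_registry(log_text):
    """Return {key_path: {value_name: raw_data}} for the hidden-registry section only."""
    entries = {}
    in_section = False
    current_key = None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("scanning hidden registry entries"):
            in_section = True
            continue
        if in_section and line.startswith("scanning hidden files"):
            break  # end of the section
        if not in_section or not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            entries.setdefault(current_key, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            entries[current_key][value_match.group("name")] = value_match.group("data")
    return entries


def unquote(data):
    """Strip the surrounding quotes from a string value; leave dword:/hex: data alone."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1]
    return data


def is_autostart_key(key_path):
    """True for Run / RunOnce keys under any hive."""
    return key_path.lower().endswith(AUTOSTART_SUFFIXES)


def flag_nul_padded(entries):
    """List values whose data ends in embedded NULs, with the NUL count and autostart flag."""
    findings = []
    for key_path, values in entries.items():
        for name, data in values.items():
            text = unquote(data)
            run = NUL_RUN_RE.search(text)
            if not run:
                continue
            findings.append({
                "key": key_path,
                "name": name,
                "command": text[:run.start()],        # data with the padding removed
                "nul_count": len(run.group(0)) // 2,  # each "\0" escape is two characters
                "autostart": is_autostart_key(key_path),
            })
    return findings


if __name__ == "__main__":
    for f in flag_nul_padded(parse_hidden_registry(SAMPLE_LOG)):
        tag = "AUTOSTART" if f["autostart"] else "other"
        print(f'[{tag}] {f["key"]}\\{f["name"]}: {f["nul_count"]} trailing NULs -> {f["command"]}')
```

Run against the sample it reports the DLCFCATS value under HKLM\...\Run with six trailing NULs and the rundll32 command line stripped of its padding. The parser deliberately stops at "scanning hidden files" so the file section of the log is never mistaken for registry data, and it keeps the raw value data (including the dword: form) so the caller can decide what else to check.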


#2 buddy215

  • Moderator
  • 13,503 posts
  • Gender:Male
  • Location:West Tennessee

Posted 16 July 2007 - 04:43 PM

Post a Hijack This log in the Hijack This Forum by following the directions in the link below. DO NOT post the log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#3 lovely lisa

  • Topic Starter
  • Members
  • 3 posts

Posted 16 July 2007 - 04:54 PM

Sorry, can the mods please close this post? Thanks.

#4 Papakid

    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male

Posted 16 July 2007 - 07:52 PM

Hi lisa,

I just want you and everyone else to know that you should only use ComboFix under close supervision of a malware removal specialist. It is a highly specialized tool to be used only in certain situations, not a general scanner or something to run on a whim, which is why you won't find it on download sites like download.com.

Also, because of things like what you describe: this tool is under continuous development, it changes a lot, and occasionally there will be a bug that gives errors like the one you get. People who work logs know how to get in touch with the developer to fix such problems, but we probably won't know about your problem if it is not posted in the HJT logs forum.

I know you started a thread in the logs forum here: http://www.bleepingcomputer.com/forums/t/100297/error-using-combofix/

So I'm not jumping on you; I just want you to know that when you suspect an infection, start out by running your scanners like Ad-Aware, online scanners, and general pre-cleaning steps such as those in the prep guide that buddy215 linked you to. If you are still having a problem, post a HijackThis log first--then use only tools recommended by your helper.

Trying to figure out and fix these things on your own is commendable, but some people aren't going to be smart enough to post about it when they use a tool like ComboFix on their own and have a problem with it. Everyone should use these very powerful tools wisely--they can also trash your system if used incorrectly, and it's why we restrict who can post to HijackThis logs as well--for your own protection.

Now, since you do have a topic posted in the logs forum, this topic will be closed.
