
Log File From Combofix


1 reply to this topic

#1 Noknoi

Noknoi

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:32 AM

Posted 14 November 2007 - 01:12 AM

ComboFix 07-11-08.3 - Passakorn.Pathumsut 2007-11-14 12:24:18.1 - NTFSx86
Running from: C:\Documents and Settings\Passakorn.Pathumsut\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Passakorn.Pathumsut\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Passakorn.Pathumsut\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Passakorn.Pathumsut\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\awtst.dll
C:\WINDOWS\system32\ptiwvemm.dllbox
C:\WINDOWS\system32\tstwa.bak1
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
.

2007-11-14 12:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 11:02 85,056 --a------ C:\WINDOWS\system32\ejvqhpem.dll
2007-11-14 11:02 80,448 --a------ C:\WINDOWS\system32\epyvriyt.dll
2007-11-14 11:00 71,232 --a------ C:\WINDOWS\system32\mvnmfwua.exe
2007-11-14 09:09 80,448 --a------ C:\WINDOWS\system32\lcbetwpn.dll
2007-11-14 09:07 144,480 --a------ C:\WINDOWS\system32\ptiwvemm.dll
2007-11-14 09:06 144,480 --a------ C:\WINDOWS\system32\ocqqjuxo.dll
2007-11-14 09:01 71,232 --a------ C:\WINDOWS\system32\wrmoctai.exe
2007-11-12 09:14 79,936 --a------ C:\WINDOWS\system32\oonlyjhq.dll
2007-11-12 09:06 71,232 --a------ C:\WINDOWS\system32\mpoqyuxo.exe
2007-11-10 13:08 81,472 --a------ C:\WINDOWS\system32\xqnicdeb.dll
2007-11-10 12:59 71,232 --a------ C:\WINDOWS\system32\yntjutbt.exe
2007-11-09 15:03 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-11-09 15:03 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-11-09 12:59 77,888 --a------ C:\WINDOWS\system32\hxgfogkd.dll
2007-11-09 12:57 71,232 --a------ C:\WINDOWS\system32\tvqwftyi.exe
2007-10-31 13:59 <DIR> d-------- C:\Program Files\Arcade games
2007-10-26 12:38 <DIR> dr------- C:\Documents and Settings\Passakorn.Pathumsut\Application Data\FX
2007-10-25 22:33 <DIR> d-------- C:\Documents and Settings\Passakorn.Pathumsut\Application Data\AdobeUM
2007-10-24 09:30 34 --a------ C:\WINDOWS\system32\FD204A.DAT
2007-10-22 19:37 <DIR> d-------- C:\Documents and Settings\Passakorn.Pathumsut\Application Data\Skype
2007-10-22 19:36 <DIR> d-------- C:\Program Files\Skype
2007-10-22 19:36 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-10-22 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2007-10-22 12:13 <DIR> d---s---- C:\Documents and Settings\Passakorn.Pathumsut\UserData
2007-10-22 00:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-10-22 00:23 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-10-22 00:10 <DIR> d-------- C:\Documents and Settings\Passakorn.Pathumsut\Contacts
2007-10-22 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
2007-10-22 00:08 <DIR> d-------- C:\Program Files\Windows Live
2007-10-22 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-10-21 19:54 100,488 -ra------ C:\WINDOWS\system32\drivers\s116mgmt.sys
2007-10-21 19:54 99,080 -ra------ C:\WINDOWS\system32\drivers\s116unic.sys
2007-10-21 19:54 98,696 -ra------ C:\WINDOWS\system32\drivers\s116obex.sys
2007-10-21 19:54 23,176 -ra------ C:\WINDOWS\system32\drivers\s116nd5.sys
2007-10-21 19:54 11,016 -ra------ C:\WINDOWS\system32\drivers\s116cr.sys
2007-10-21 19:53 108,680 -ra------ C:\WINDOWS\system32\drivers\s116mdm.sys
2007-10-21 19:53 83,336 -ra------ C:\WINDOWS\system32\drivers\s116bus.sys
2007-10-21 19:53 15,112 -ra------ C:\WINDOWS\system32\drivers\s116mdfl.sys
2007-10-21 19:53 12,424 -ra------ C:\WINDOWS\system32\drivers\s116whnt.sys
2007-10-21 19:53 12,424 -ra------ C:\WINDOWS\system32\drivers\s116wh.sys
2007-10-21 19:53 12,424 -ra------ C:\WINDOWS\system32\drivers\s116cmnt.sys
2007-10-21 19:53 12,424 -ra------ C:\WINDOWS\system32\drivers\s116cm.sys
2007-10-21 18:10 <DIR> d-------- C:\Documents and Settings\Passakorn.Pathumsut\Application Data\Ahead
2007-10-21 16:27 <DIR> d-------- C:\Documents and Settings\Passakorn.Pathumsut\Application Data\Teleca
2007-10-21 16:23 <DIR> d-------- C:\Program Files\Sony Ericsson
2007-10-21 16:23 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-10-21 16:23 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared
2007-10-21 16:23 <DIR> d-------- C:\Documents and Settings\Passakorn.Pathumsut\Application Data\Sony Ericsson
2007-10-21 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2007-10-21 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-10-20 07:23 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-19 13:51 <DIR> d-------- C:\Program Files\Common Files\NavisWorks 5
2007-10-19 13:51 <DIR> d-------- C:\Documents and Settings\Passakorn.Pathumsut\Application Data\NavisWorks 5
2007-10-18 15:19 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-18 13:39 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-18 13:33 <DIR> d-------- C:\Temp
2007-10-18 13:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-18 13:33 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 06:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\NavisWorks 5
2007-10-18 08:19 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-16 09:17 51,568 ----a-w C:\WINDOWS\system32\sirenacm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08047de8-1497-400d-a9d8-ee48d1dc25d5}]
2007-11-14 11:02 80448 --a------ C:\WINDOWS\system32\epyvriyt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-14 09:07 144480 --a------ C:\WINDOWS\system32\ptiwvemm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\ptiwvemm.dll [2007-11-14 09:07 144480]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-08 08:19]
"Cpqset"="C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-07-14 09:02]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 09:58]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-24 06:38]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 11:22]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-08-15 09:39]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-08-15 09:41]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-08-15 09:38]
"RemoteControl"="C:\WINDOWS\system32\rmctrl.exe" [2002-01-01 19:00]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-13 10:40]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-09-01 17:58]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-06-13 08:16]
"Logical Disk Awareness"="mdasvc.exe" []
"8eea5ec6"="C:\WINDOWS\system32\ejvqhpem.dll" [2007-11-14 11:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 13:31]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"msnsc"=C:\WINDOWS\system32\msnsc.exe

C:\Documents and Settings\tol.pc\Start Menu\Programs\Startup\
SiteScript.bat [2006-10-20 10:26:09]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SiteScript.bat [2006-12-01 13:55:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ptiwvemm]
ptiwvemm.dll 2007-11-14 09:07 144480 C:\WINDOWS\system32\ptiwvemm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqnljj]
urqnljj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^DOCUME~1^ALLUSE~1^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MagicLinker3]
C:\Program Files\ThaiSoftware Enterprise\ThaiSoftware Dictionary\Bin\MagicLnk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

R3 s116bus;Sony Ericsson Device 116 driver (WDM);C:\WINDOWS\system32\DRIVERS\s116bus.sys
R3 s116mdfl;Sony Ericsson Device 116 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s116mdfl.sys
R3 s116mdm;Sony Ericsson Device 116 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s116mdm.sys
R3 s116mgmt;Sony Ericsson Device 116 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s116mgmt.sys
R3 s116nd5;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (NDIS);C:\WINDOWS\system32\DRIVERS\s116nd5.sys
R3 s116obex;Sony Ericsson Device 116 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s116obex.sys
R3 s116unic;Sony Ericsson Device 116 USB Ethernet Emulation SEMC116 (WDM);C:\WINDOWS\system32\DRIVERS\s116unic.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WudfServiceGroup hex(7):57,00,55,00,44,00,46,00,53,00,76,00,63,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60a331fb-8116-11dc-acda-001a739b18b9}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 12:30:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ???hK??????g?@?????L?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WudfPf]
"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,5c,00,57,00,75,00,64,00,66,00,50,00,66,00,2e,00,73,00,79,00,73,00,00,00"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WudfRd]
"ImagePath"="hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,00,49,00,56,00,45,00,52,00,53,00,5c,00,77,00,75,00,64,00,66,00,72,00,64,00,2e,00,73,00,79,00,73,00,00,00"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\WudfSvc]
"ImagePath"="hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,57,00,75,00,64,00,66,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,47,00,72,00,6f,00,75,00,70,00,00,00"
"ServiceDll"="hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,57,00,55,00,44,00,46,00,53,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,00"
.
Completion time: 2007-11-14 12:33:03 - machine was rebooted
.
--- E O F ---


#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:32 AM

Posted 28 November 2007 - 06:29 AM

Hi Noknoi, :thumbsup:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Follow the instructions in Step 9 of the Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks for your patience! :blink:

P.S. Please copy/paste the log into this thread using the Add Reply button.
