Combofix Log Review Please? Had Emotigt (and Maybe More)


3 replies to this topic

#1 saubunch

Posted 22 February 2008 - 04:49 PM

First of all, I have Windows XP Home Edition. I have everything from ComboFix, Spyware Doctor, Avast, SpyNoMore and SpywareBlaster downloaded and have used them multiple times in the last 48 hours since my VERY CURIOUS 13 year old boy decided to surf some XXX sites while I was at work. Yes he is VERY GROUNDED.
Anyway, I'm not having a toolbar problem anymore, but I'm still running a little slow. My Spyware Doctor is detecting the following as a threat:

HKEY_LOCAL_MACHINE\SOFTWARE\swearware, combofix_wow
HKEY_LOCAL_MACHINE\SOFTWARE\swearware, Runs
HKEY_LOCAL_MACHINE\SOFTWARE\swearware, snapshot

Should I get rid of this or trust it? I'm not sure if ComboFix is compatible with Spyware Dr.

ALSO, the following is the log from my ComboFix, which was the only thing that fixed my hijacked browser's homepage settings. I have no idea what any of this means. Is there anything else I need to do, and PLEASE respond in layman's terms; I have only an intermediate knowledge of my computer. I was instructed to do this after trying everything else suggested at the Avast Forum.
THANK YOU!!


ComboFix 08-02-22 - Owner 2008-02-21 18:44:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.149 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-21 16:40 . 2008-02-21 16:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 16:40 . 2008-02-21 17:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-21 10:55 . 2008-02-21 10:55 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2008-02-21 10:55 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-21 10:55 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-21 10:55 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-21 10:55 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-02-21 10:45 . 2008-02-21 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-21 10:23 . 2008-02-21 13:03 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-21 07:53 . 2008-02-21 08:01 <DIR> d-------- C:\Program Files\XoftSpySE
2008-02-19 15:22 . 2008-02-19 11:48 81,920 --a------ C:\WINDOWS\fsxloqf.exe
2008-02-13 12:07 . 2008-02-13 12:07 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LearnSomething
2008-02-13 12:06 . 2008-02-13 12:06 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2008-02-07 21:06 . 2008-02-20 07:58 <DIR> d-------- C:\Program Files\LimeWire
2008-02-07 21:06 . 2008-02-20 08:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LimeWire
2008-01-28 10:46 . 2008-01-28 10:46 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-26 08:42 . 2008-01-26 08:42 <DIR> d-------- C:\Program Files\Disney
2008-01-23 08:14 . 2008-01-23 08:20 <DIR> d-------- C:\Program Files\Encore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 23:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-21 23:38 --------- d-----w C:\Program Files\SpyNoMore
2008-02-21 23:15 --------- d-----w C:\Program Files\eGames
2008-02-21 15:45 --------- d-----w C:\Program Files\Google
2008-02-21 13:03 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-14 00:03 --------- d-----w C:\Program Files\PCFriendly
2008-02-04 23:30 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-01-24 20:35 --------- d-----w C:\Program Files\Cheat Engine
2008-01-23 13:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 16:52 --------- d-----w C:\Program Files\Outspark
2008-01-09 16:51 --------- d-----w C:\Program Files\DarkSwords
2008-01-07 14:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Snapfish
2007-12-25 00:29 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-25 00:29 --------- d--h--r C:\Documents and Settings\Owner\Application Data\SecuROM
2007-12-25 00:21 --------- d-----w C:\Program Files\EA SPORTS
2007-12-19 01:12 1,022 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2007-12-07 00:44 666,112 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-07-08 17:27 67,088 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 19:03 1957888]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 03:40 218032]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-21 10:45 68856]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 18:04 135168]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 23:24 32768]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 18:07 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 11:32 7204864]
"nwiz"="nwiz.exe" [2005-09-18 11:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-18 11:32 86016]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-15 15:47 98304]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2008-02-19 02:00 1274320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 20:34 5419008]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-21 10:45:05 125624]
ymetray.lnk - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-08-28 12:09:10 54512]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Owner\My Documents\My Pictures\china rainbow.jpg
FriendlyName=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Express Calendar Checker SE.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Photo Express Calendar Checker SE.lnk
backup=C:\WINDOWS\pss\Photo Express Calendar Checker SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
--a------ 2003-08-19 10:43 57344 C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 14:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PE2CKFNT SE]
--a------ 1998-07-03 12:51 25088 C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-12-15 15:47 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildGames\Game Console\GameConsoleService.exe" [2007-12-18 13:40]

*Newly Created Service* - SDAUXSERVICE
*Newly Created Service* - SDCORESERVICE
.
Contents of the 'Scheduled Tasks' folder
"2008-02-18 18:09:46 C:\WINDOWS\Tasks\Disk Cleanup.job"
- C:\WINDOWS\system32\cleanmgr.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 18:47:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-22 18:52:14
ComboFix-quarantined-files.txt 2008-02-22 23:52:11
.
2008-02-13 08:04:05 --- E O F ---


Mod Edit: Topic moved to more appropriate forum~ TMacK

Edited by saubunch, 22 February 2008 - 05:45 PM.

Some people are like slinkies, not really good for anything, but it makes you smile if you push them down a flight of stairs!
XP H.E.Version 2002 S.P.2 - eMachines W3107, AMD Sempron, 1800 MHz (9 x 200) 3100+,1.81 GHz, 384 MB of RAM,FIC K8MC51G,nVIDIA GeForce 6100, AMD Hammer,Seagate 93GB IDE,Ffox & O.E.,Cable Modem,AVAST 4.7.1098 /McAfee AVERT Stinger,SpywareBlaster 3.5.0.1/SpyNoMore/Spyware Dr./Spybot S&D/Ad-Aware 2007,ProCon/Windows Firewall/HijackThis
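The log above has a fixed layout that a reviewer reads section by section: "Other Deletions" (with the "BITS: Possible infected sites" sub-list), the "Files Created" window, and the "Reg Loading Points" run keys. As an added example, not from the post or from ComboFix's author, here is a small Python parser for that layout plus a triage pass that surfaces the items a reviewer would check first. The sample input is a cut-down excerpt of the log quoted above; the flagging rules (an executable written straight into the Windows or system32 root, any BITS host, any deleted Autorun.inf) are review heuristics chosen for this example, not verdicts.

```python
"""Parse the section layout of a ComboFix log and list items worth a second look."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the log quoted in the post above (a few lines from each section).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com
.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-21 16:40 . 2008-02-21 16:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 10:55 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-19 15:22 . 2008-02-19 11:48 81,920 --a------ C:\WINDOWS\fsxloqf.exe
2008-01-28 10:46 . 2008-01-28 10:46 <DIR> d--hs---- C:\WINDOWS\ftpcache

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" [ ]
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")        # (((( Section name ))))
SUBSECTION_RE = re.compile(r"^-{3,}\s*(.*?)\s*-{3,}$")  # ----- Sub-list -----
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) (\S{9}) (.+)$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(.*?)\]$')  # "name"="command" [info]
KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...\Run]

@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for <DIR> rows
    attrs: str
    path: str

@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    info: str

@dataclass
class Report:
    files: List[FileEntry] = field(default_factory=list)
    run_entries: List[RunEntry] = field(default_factory=list)
    bits_sites: List[str] = field(default_factory=list)
    deletions: List[str] = field(default_factory=list)

def parse_combofix(text: str) -> Report:
    report = Report()
    section = sub = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # "." lines are section padding
            continue
        m = SECTION_RE.match(line)
        if m:
            section, sub = m.group(1), None
            continue
        m = SUBSECTION_RE.match(line)
        if m:
            sub = m.group(1)
            continue
        if section == "Other Deletions":
            if sub and sub.startswith("BITS"):
                report.bits_sites.append(line)
            else:
                report.deletions.append(line)
        elif section and section.startswith("Files Created"):
            m = FILE_RE.match(line)
            if m:
                size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
                report.files.append(FileEntry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
        elif section == "Reg Loading Points":
            m = KEY_RE.match(line)
            if m:
                key = m.group(1)             # remember the hive/key for following values
                continue
            m = RUN_RE.match(line)
            if m and key:
                report.run_entries.append(RunEntry(key, *m.groups()))
    return report

# Heuristics chosen for this example: directories whose root rarely receives
# new executables from legitimate installs, and the extensions to look at.
SYSTEM_ROOTS = {r"c:\windows", r"c:\windows\system32"}
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")

def triage(report: Report):
    """Return (item, reason) pairs a reviewer should verify; not a malware verdict."""
    findings = []
    for f in report.files:
        if f.size is None:
            continue
        parent, _, name = f.path.rpartition("\\")
        if parent.lower() in SYSTEM_ROOTS and name.lower().endswith(EXEC_EXT):
            findings.append((f.path, "new executable written directly into a system directory"))
    for site in report.bits_sites:
        findings.append((site, "listed by ComboFix under 'BITS: Possible infected sites'"))
    for item in report.deletions:
        if item.lower().endswith("autorun.inf"):
            findings.append((item, "Autorun.inf removed by ComboFix; check the drive it came from"))
    return findings

if __name__ == "__main__":
    for item, reason in triage(parse_combofix(SAMPLE_LOG)):
        print(f"{item}\n    -> {reason}")
```

Running it on the excerpt lists `C:\WINDOWS\fsxloqf.exe` (a freshly created executable sitting in the Windows root rather than a vendor folder), the two BITS hosts, and `D:\Autorun.inf`; the driver files under `system32\drivers` and the `<DIR>` rows are left alone. Whether any flagged item is actually hostile is for the helper reviewing the full log to decide, which is exactly why the reply below redirects the poster to the HJT team.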

#2 Orange Blossom (OBleepin Investigator, Moderator)

Posted 22 February 2008 - 11:49 PM

Hello saubunch and welcome to BC :flowers:

Combofix is a powerful tool intended by its creator to be used under the direction of an expert, NOT for private use. You should NOT use Combofix unless a Malware Removal Expert has told you to. Improper use of this tool can seriously damage your operating system and may even prevent it from starting again. Please read Combofix's Disclaimer.

Please follow the directions in this guide. If you cannot do a step, then skip it and go to the next. Then create an HJT log; you will find the directions in Step 9 of the guide.

Create a new topic in the HJT forum, not here, and give it a good descriptive title. Briefly summarize what the problems are, what you have done to try to solve them, and what worked and didn't work. Paste in your HJT log, being sure to include the top portion of the log which lists the version information.

After you post your log, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software, etc., as this will make it more difficult for the HJT team to help you.

When you have created your new thread, please post the link to your HJT thread as a reply to this thread so we know you are receiving help from the HJT team.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in five days, add a response to the five days no response topic and paste in the link to your thread.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 saubunch (Topic Starter)

Posted 24 February 2008 - 09:31 PM

Here's my link to the HJT forum

http://www.bleepingcomputer.com/forums/t/133027/my-hijack-log-and-a-few-other-questions/

#4 Orange Blossom (OBleepin Investigator, Moderator)

Posted 26 February 2008 - 01:36 AM

Thank you for posting the link saubunch. Good luck with the disinfection process. Be sure to stick with them until they declare you clean. They will also provide you with lots of good information about protecting your system when it is clean.

Orange Blossom :thumbsup:



