Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Combofix Log


  • This topic is locked This topic is locked
7 replies to this topic

#1 djpnj1

djpnj1

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 02 March 2008 - 11:49 AM

ok here is the problem i am having. I have a pop up everytime i go to use my browser that says that my browser has been hijacked and i need to download an antispyware click ok or cancel of course i click cancel or the red x to get rid of it. Also when i search using google it brings up porn which is not good since my 8 yr old uses this computer. I have tried restore points to before this happened i also used vondofix,symantec antivirus,spybot,adaware,bitdefender,and Windows Malicious Software Removal Tool to no avail. I am using an emachinest3304, windows xp,symantec antivirus with autoprotect any help would be greatly appreciated



ComboFix 08-03-01.3 - Perrone 2008-03-02 11:26:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.506 [GMT -5:00]
Running from: C:\Documents and Settings\Perrone\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\AutoRun.inf
H:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2008-02-02 to 2008-03-02 )))))))))))))))))))))))))))))))
.

2008-03-02 10:57 . 2008-03-02 10:59 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-02 09:35 . 2008-03-02 09:40 2,390 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-02 09:34 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-02 09:34 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-02 09:34 . 2008-03-01 23:12 86,016 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-02 09:34 . 2008-02-29 23:48 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-02 09:34 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-02 09:34 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-02 09:34 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-02 09:17 . 2008-03-02 09:17 <DIR> d-------- C:\VundoFix Backups
2008-03-02 09:17 . 2008-03-02 09:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 22:02 . 2008-02-28 22:02 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-28 21:15 . 2008-02-28 21:15 0 --a------ C:\WINDOWS\vpc32.INI
2008-02-28 20:30 . 2008-02-28 20:30 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 20:30 . 2008-02-28 20:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 19:53 . 2008-03-02 09:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-28 19:53 . 2008-03-02 09:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 19:43 . 2008-02-28 19:43 211,456 --a------ C:\WINDOWS\msvidc32.dll
2008-02-28 19:43 . 2008-02-28 19:43 49 --a------ C:\amp.bat
2008-02-03 20:28 . 2008-02-03 20:28 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-02 16:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-26 04:39 --------- d-----w C:\Documents and Settings\Perrone\Application Data\LimeWire
2008-01-27 02:11 --------- d-----w C:\Program Files\Java
2008-01-24 19:06 --------- d-----w C:\Documents and Settings\Perrone\Application Data\DivX
2008-01-21 21:09 --------- d-----w C:\Program Files\DivX
2008-01-11 00:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 00:35 --------- d-----w C:\Program Files\Fisher-Price
2008-01-11 00:31 --------- d-----w C:\Documents and Settings\Perrone\Application Data\HP
2008-01-09 20:01 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2008-01-04 21:58 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-01-04 21:58 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-01-04 21:58 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-01-03 20:18 --------- d-----w C:\Program Files\RCA
2008-01-03 19:59 --------- d-----w C:\Documents and Settings\Perrone\Application Data\Creative
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{708F8B95-4012-4A3A-9494-5EEE5F8CC89E}]
2008-02-28 19:43 211456 --a------ C:\WINDOWS\msvidc32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 01:40 124656]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 10:56 286720]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-29 08:55 185896]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-18 08:32 7204864]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-09 20:10:04 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
--------- 2006-09-28 20:09 700416 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eligmini]
--a------ 2007-08-29 19:00 487424 C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2005-09-18 08:32 7204864 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2005-09-18 08:32 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-09-18 08:32 1519616 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2007-04-16 15:28 577536 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-02 11:30:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2008-03-02 11:33:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-02 16:33:04
.
2008-02-14 08:03:21 --- E O F ---

Edited by boopme, 02 March 2008 - 04:31 PM.
{Moved to Am I Infected~~boopme}


BC AdBot (Login to Remove)

 


#2 Da.One

Da.One

  • Banned
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:58 AM

Posted 02 March 2008 - 02:14 PM

I do see atleast two malicious files one of them being VCCLSID.exe.

I see quite a few antiviruses, do you have more than one realtime shields on? If so don't use more than one. Run the scan again with all shields turned off.

This is no doubt malware of some kind. I suggest running a few more scans. It's most likely that your Iexplorer.exe (internet explorer) has an extension running under it that is the malware.

First use SFfix
http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/

Post the log here.

A MOD will probably move this to the security discussions forum.

Edited by Da.One, 02 March 2008 - 02:17 PM.


#3 djpnj1

djpnj1
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 02 March 2008 - 02:42 PM

thank you so much the sdfix worked perfectly and beleive me i tried everything again thank you

#4 Da.One

Da.One

  • Banned
  • 41 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:58 AM

Posted 02 March 2008 - 03:07 PM

You're welcome.

Please post the log here anyways.

If the problem no longer occurs, you need to set your system restore point to past today's date and clear all previous points that may have the virus still.

Right click on your My Computer icon>properties>system restore> check the box turn off system restore. That will delete previous restore points. Then set a new restore point.

I would run your scanners one more time just incase.

Edited by Da.One, 02 March 2008 - 03:08 PM.


#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,962 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:58 AM

Posted 02 March 2008 - 04:04 PM

Hello djpnj1 and welcome to BC :flowers:

Combofix is a powerful tool intended by its creator to be used under the direction of an expert. It is NOT for private use. You should NOT use Combofix unless a Malware Removal Expert has told you to. Improper use of this tool can seriously damage your operating system and may even prevent it from starting again. Please read Combofix's Disclaimer.

SDFix is also an advanced and specialized tool. Even though your computer is operating better now, there could still be malware present.

Please follow the directions in this guide. If you cannot do a step, then skip it and go to the next. Then create an HJT log, you will find the directions in Step 9 of the guide.

Create a new topic in the HJT forum, not here and give it a good descriptive title. Briefly summarize what the problems are, what you have done to try to solve it, and what worked and didn't work. Paste in your HJT log being sure to include the Top Portion of the log which lists the version information.

After you post your log, DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

When you have created your new thread, please post the link to your HJT thread as a reply to this thread so we know you are receiving help from the HJT team.

Please be patient as the HJT team is very busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response in five days, add a response to the five days no response topic and paste in the link to your thread.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:04:58 AM

Posted 04 March 2008 - 02:07 PM

I do see atleast two malicious files one of them being VCCLSID.exe.


This and the ones around it ARE legitimate files. They belong to the SmitFraudFix tool
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#7 tonygmalone

tonygmalone

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:58 AM

Posted 12 March 2008 - 12:47 PM

i think i have something on my system and im not really so i got the details of what i have so can anybody help.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,482 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:58 AM

Posted 12 March 2008 - 01:01 PM

Welcome to BC tonygmalone

If you have an issue or problem you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more people in the same thread with different problems. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware.

Further, ComboFix logs should not to be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

In the new topic you create, please describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users