
Problems After Running Combofix


  • This topic is locked
2 replies to this topic

#1 doruforum

  • Members
  • 2 posts

Posted 09 April 2008 - 02:17 AM

Hello guys,

I desperately need your help. I had a virus, Virtumundo I think, but I could not remove it with Vundofix. There were 2 dll files which caused troubles:
C:\WINDOWS\system32\pmnmkiHX.dll
C:\WINDOWS\system32\xxywt.dll

I ran ComboFix (see the log below), the files were deleted, but now I have a lot of problems with my Windows (XP). Some symptoms:
- I can't connect to the internet; in Task Manager-Networking it says that the Local Area Connection and Wireless Network Connection are Non Operational
- in Task Manager-Processes there is no User Name for any of the processes
- when I want to minimize a window it doesn't go into the taskbar
- in Control Panel-User Accounts I have nothing when I open the window
- in Control Panel-Administrative Tools-Services-Extended I have only a blue square
... and so on.

In the QooBox folder created by ComboFix, I have a folder BackEnv. Do I have to restore something, or how do I get it right again?

Please help me!
Thank you.



ComboFix 08-04-08.7 - Doru 2008-04-09 3:14:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.534 [GMT 2:00]
Running from: C:\Documents and Settings\Doru\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Doru\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\pmnmkiHX.dll
C:\WINDOWS\system32\xxywt.dll
.
TimedOut: progfile.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM9ffd062e.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\pmnmkiHX.dll
C:\WINDOWS\system32\XHikmnmp.ini
C:\WINDOWS\system32\XHikmnmp.ini2
C:\WINDOWS\system32\xxywt.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\NPF


((((((((((((((((((((((((( Files Created from 2008-03-09 to 2008-04-09 )))))))))))))))))))))))))))))))
.

2008-04-09 00:00 . 2008-04-09 02:32 <DIR> d-------- C:\VundoFix Backups
2008-04-07 18:10 . 2008-04-09 03:14 <DIR> d-------- C:\quarantine
2008-04-03 19:58 . 2008-04-03 19:58 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-03 19:21 . 2008-04-03 19:21 92 --a------ C:\WINDOWS\wininit.ini
2008-04-03 18:31 . 2008-04-03 19:34 <DIR> d-------- C:\Program Files\FileMon
2008-04-03 17:47 . 2008-04-03 17:47 <DIR> d-------- C:\Program Files\uTorrent
2008-04-02 20:00 . 2008-04-02 20:00 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-04-02 19:49 . 2008-04-03 22:33 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-01 22:19 . 2008-04-01 22:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-01 22:19 . 2008-04-01 22:19 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-27 18:37 . 2008-04-08 23:41 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 21:23 --------- d-----w C:\Documents and Settings\Doru\Application Data\uTorrent
2008-04-06 09:04 --------- d-----w C:\Documents and Settings\Doru\Application Data\Skype
2008-04-01 21:40 --------- d-----w C:\Program Files\Mirc
2008-03-31 20:23 --------- d-----w C:\Program Files\Winamp
2008-03-31 20:10 --------- d-----w C:\Program Files\Totalcmd
2008-03-27 16:37 --------- d-----w C:\Program Files\SpywareBlaster
2008-03-13 18:21 --------- d-----w C:\Program Files\Audio Recorder
2008-03-12 17:39 --------- d-----w C:\Program Files\HT Ratings
2008-02-24 17:56 --------- d-----w C:\Documents and Settings\Doru\Application Data\Move Networks
2008-02-24 17:48 --------- d-----w C:\Program Files\TVUPlayer
2008-02-24 17:39 --------- d-----w C:\Program Files\tvants
2008-02-20 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 16:29 --------- d-----w C:\Program Files\Spybot
2008-02-20 06:32 691,545 ----a-w C:\WINDOWS\unins001.exe
2008-02-17 19:50 --------- d-----w C:\Program Files\WinEdit
2008-02-15 07:21 --------- d-----w C:\Documents and Settings\Doru\Application Data\StarNet
2008-02-10 09:17 --------- d-----w C:\Program Files\WSxM
2007-11-22 20:07 44,792 ----a-w C:\Documents and Settings\Doru\Application Data\GDIPFONTCACHEV1.DAT
2006-01-15 12:34 41,456 ----a-w C:\Documents and Settings\Cristina\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"BackupNotify"="C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 19:15 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 19:15 536576]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-06-17 22:48 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-06-17 22:43 118784]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 11:32 208958]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 09:33 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"VF0060 STISvc"="V0060Pin.dll" [2004-11-01 03:00 36864 C:\WINDOWS\system32\V0060Pin.dll]
"RegistryMechanic"="" []
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0 Pro\Distillr\Acrotray.exe" [2006-01-12 20:52 483328]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06 40048]
"ShStatEXE"="C:\Program Files\VirusScan\SHSTAT.exe" [2004-09-22 08:00 98304]
"McAfeeUpdaterUI"="C:\Program Files\Common Framework\UpdaterUI.exe" [2004-08-06 03:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 13:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 13:03 94208]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 18:28 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"msacm.ac3acm"= ac3acm.acm
"msacm.lameacm"= lameACM.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DUSuperControler.lnk]
backup=C:\WINDOWS\pss\DUSuperControler.lnkCommon Startup
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DUSuperControler.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=C:\WINDOWS\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2004-03-04 16:46 172032 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Venturi Configurator]
--a------ 2003-05-16 18:46 1441792 C:\Program Files\Zapp Turbo\Configurator\ventcfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NSCService"=3 (0x3)
"NPFMntor"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Sop Cast\\SopCast.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Rendezvous
"4899:TCP"= 4899:TCP:Radmin

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 13:32]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2005-04-04 20:21]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-04-04 20:20]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2005-04-04 20:20]
S3 V0060VID;Creative WebCam Live! Ultra;C:\WINDOWS\system32\DRIVERS\V0060Vid.sys [2005-02-02 10:15]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 03:30:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????5?4?0?2??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\VirusScan\mcshield.exe
C:\Program Files\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
.
**************************************************************************
.
Completion time: 2008-04-09 3:36:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-09 01:36:15
Pre-Run: 8,474,333,184 bytes free
Post-Run: 8,398,655,488 bytes free
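The firewall policy section of the log above is the part of a ComboFix report an incident responder reads first for exposure: EnableFirewall is 0, Remote Desktop (3389/TCP) and Radmin (4899/TCP) sit in GloballyOpenPorts, and inbound ICMP echo is allowed. The Python below is an added example written for this editorial pass, not code from the thread and not part of ComboFix. It parses those registry-export style lines exactly as ComboFix prints them and flags the weak settings. The sample input is copied from the log above; the short table of remote-access ports is my own and is an assumption about what is worth flagging, not something the page states.

```python
"""Triage the Windows Firewall policy section of a ComboFix log.

Added example for this thread; it is not ComboFix's code and it only reads
the text ComboFix printed, it does not query the registry itself.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Copied from the "Reg Loading Points" part of the log posted above.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Rendezvous
"4899:TCP"= 4899:TCP:Radmin

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
'''

# Ports that hand an attacker an interactive session when reachable.
# My own short list (assumption), RDP and Radmin are the two present in this log.
REMOTE_ACCESS_PORTS = {
    ("3389", "TCP"): "Remote Desktop (RDP)",
    ("4899", "TCP"): "Radmin remote control",
    ("5900", "TCP"): "VNC",
    ("23", "TCP"): "Telnet",
}

SECTION_RE = re.compile(r"^\[(.+)\]$")
ENTRY_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


@dataclass
class FirewallPolicy:
    enabled: Optional[bool] = None
    authorized_apps: List[str] = field(default_factory=list)
    # (port, protocol, label as ComboFix printed it)
    open_ports: List[Tuple[str, str, str]] = field(default_factory=list)
    inbound_echo: Optional[bool] = None


def parse_firewall_policy(log_text: str) -> FirewallPolicy:
    """Walk the registry-export style lines and collect the standardprofile keys."""
    policy = FirewallPolicy()
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()  # case-insensitive like the registry
            continue
        m = ENTRY_RE.match(line)
        if not m or r"firewallpolicy\standardprofile" not in section:
            continue
        name, value = m.group(1), m.group(2).strip()
        if section.endswith("standardprofile") and name == "EnableFirewall":
            policy.enabled = value.startswith("1")
        elif section.endswith(r"authorizedapplications\list"):
            # The export doubles backslashes; collapse them to a normal path.
            policy.authorized_apps.append(name.replace("\\\\", "\\"))
        elif section.endswith(r"globallyopenports\list"):
            port, proto = name.split(":", 1)
            label = value.split(":", 2)[2] if value.count(":") >= 2 else ""
            policy.open_ports.append((port, proto.upper(), label))
        elif section.endswith("icmpsettings") and name == "AllowInboundEchoRequest":
            policy.inbound_echo = value.startswith("1")
    return policy


def assess(policy: FirewallPolicy) -> List[str]:
    """One finding per weak setting, worst first."""
    findings: List[str] = []
    if policy.enabled is False:
        findings.append("firewall disabled (EnableFirewall=0): every listening "
                        "service is reachable, the exception lists are moot")
    for port, proto, label in policy.open_ports:
        service = REMOTE_ACCESS_PORTS.get((port, proto))
        if service:
            findings.append(f"{port}/{proto} open to all sources: {service} "
                            f"(entry label: {label})")
    if policy.inbound_echo:
        findings.append("inbound ICMP echo allowed: host answers ping sweeps")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_firewall_policy(SAMPLE_LOG)):
        print("-", finding)
```

Run it as a script to print the findings. The parser keys on the StandardProfile subkeys only; a DomainProfile block in another log would need the same treatment. One caveat when reading such a log: ComboFix records the values as it found them, so whether the firewall was already off before the Vundo infection, was switched off by the malware, or was switched off during cleanup cannot be decided from the log alone.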


#2 doruforum (Topic Starter)

  • Members
  • 2 posts

Posted 09 April 2008 - 09:09 AM

I think the problem is solved. I have repaired Windows from the CD.
Anyway, I don't understand exactly why all of this happened...

#3 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 09 April 2008 - 09:32 AM

Thanks for informing us of what you have done.

A caution for the future should you find other problems:

ComboFix should not be used unless requested.
It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained.
ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use.
Please read Combofix's Disclaimer.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Should you find other problems, please create a new topic explaining the nature of your problem. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.



This topic is now closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



