
Need Help With Combofix Logs Please


  • This topic is locked
2 replies to this topic

#1 satchriani

satchriani

  • Members
  • 2 posts

Posted 26 April 2008 - 05:22 PM

My PC had the VIRUS ISOLATOR virus; the drives would not open and instead started CHOOSE PROGRAM when I double-clicked on them.
I used ComboFix and wanted to share the logs with you guys, in case you can help me with some more information or any actions that are needed.

Thanks

Satchriani
Below are the logs:

ComboFix 08-04-24.1 - Salah 2008-04-27 2:55:06.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.113 [GMT 5:00]
Running from: C:\Documents and Settings\Salah\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Salah\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Documents and Settings\Salah\Desktop\Error Cleaner.url
C:\Documents and Settings\Salah\Desktop\Privacy Protector.url
C:\Documents and Settings\Salah\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Salah\Favorites\Error Cleaner.url
C:\Documents and Settings\Salah\Favorites\Privacy Protector.url
C:\Documents and Settings\Salah\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\rs.txt
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-27 02:42 . 2008-04-27 02:42 <DIR> d-------- C:\Documents and Settings\Salah\Application Data\TmpRecentIcons
2008-04-26 13:01 . 2008-04-26 13:01 <DIR> d-------- C:\Program Files\VirusIsolator
2008-04-26 12:19 . 2008-04-26 05:22 233,472 --a------ C:\WINDOWS\qnmargolonw.dll
2008-04-26 12:19 . 2008-04-26 05:20 212,992 --a------ C:\WINDOWS\wdpoefan.dll
2008-04-26 12:19 . 2008-04-26 05:20 188,416 --a------ C:\WINDOWS\vadokmxt.dll
2008-04-26 12:19 . 2008-04-26 05:22 155,648 --a------ C:\WINDOWS\dpevflbg.dll
2008-04-26 12:19 . 2008-04-26 05:21 94,208 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-26 12:19 . 2008-04-26 05:23 81,920 --a------ C:\WINDOWS\wxvgsdbq.exe
2008-04-12 12:01 . 2008-04-12 12:01 <DIR> d-------- C:\converted
2008-04-12 11:56 . 2008-04-12 11:56 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2008-04-12 11:43 . 2008-04-12 11:43 <DIR> d-------- C:\SEQ-HQ VIDEOS
2008-04-12 11:31 . 2008-04-12 11:31 <DIR> d-------- C:\Documents and Settings\Salah\Application Data\Apple Computer
2008-04-12 11:29 . 2008-04-12 11:29 <DIR> d-------- C:\Program Files\QuickTime
2008-04-12 11:29 . 2008-04-12 11:29 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-12 11:29 . 2008-04-12 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-12 11:29 . 2008-04-12 11:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-10 15:28 --------- d-----w C:\Program Files\01-mp3search
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C57910E2-F661-4E22-8972-EEB5EBD8C43C}]
2008-04-26 05:22 233472 --a------ C:\WINDOWS\qnmargolonw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C71F6A92-8438-46A4-9237-15A1F1AF179D}"= "C:\WINDOWS\dpevflbg.dll" [2008-04-26 05:22 155648]

[HKEY_CLASSES_ROOT\clsid\{c71f6a92-8438-46a4-9237-15a1f1af179d}]
[HKEY_CLASSES_ROOT\dpevflbg.1]
[HKEY_CLASSES_ROOT\TypeLib\{9AE40323-6F89-4C2F-A346-00AEC2E99694}]
[HKEY_CLASSES_ROOT\dpevflbg]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"VirusIsolator.exe"="C:\Program Files\VirusIsolator\VirusIsolator.exe" [2008-04-26 13:01 976384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18 124128]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 02:22 3739648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-03-27 15:58 1744896]

C:\Documents and Settings\Salah\Start Menu\Programs\Startup\
TiViPhone.lnk - C:\Documents and Settings\Salah\Desktop\Nokia N73\Sillyant TiVi Phone v0.60 Windows XP by uncell@teamcrack.exe [2007-11-25 18:35:18 356352]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-04-07 01:42:52 217190]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-12-08 18:20:58 113664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wdpoefan"= {6C7659B5-5CDB-4B32-B98D-2409DEAF7410} - C:\WINDOWS\wdpoefan.dll [2008-04-26 05:20 212992]
"vadokmxt"= {68DF308F-2B1B-4A5C-8C71-04D744A01F64} - C:\WINDOWS\vadokmxt.dll [2008-04-26 05:20 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\Communicator.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Documents and Settings\\Salah\\Desktop\\Nokia N73\\Sillyant TiVi Phone v0.60 Windows XP by uncell@teamcrack.exe"=
"C:\\Program Files\\DAP\\DAP.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60149:TCP"= 60149:TCP:emule
"38018:UDP"= 38018:UDP:emule

R2 CdpPacket;Cisco Discovery Protocol Packet Driver;C:\WINDOWS\system32\DRIVERS\CdpPacket.sys [2006-01-31 15:51]
R3 Cpmt;Cisco Media Termination;C:\WINDOWS\system32\Drivers\Cpmt.sys [2006-01-31 15:51]
S3 TOSHIBASoftModem;Toshiba Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSMT.sys [2001-08-17 13:28]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 02:58:59
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
VirusIsolator.exe = C:\Program Files\VirusIsolator\VirusIsolator.exe?????????????????????????????????????????????????????????????????????????????????????????????????\?????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


C:\sccfg.sys 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCAN.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
.
**************************************************************************
.
Completion time: 2008-04-27 3:00:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-26 22:00:18

Pre-Run: 11,875,549,184 bytes free
Post-Run: 12,657,868,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\="Microsoft Windows"
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
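The log above already contains the indicators a helper would look for first: Autorun.inf files at the root of C: and D: (the usual way this family hijacks the double-click action on a drive, which fits the symptom described), six randomly named DLL/EXE files dropped directly into C:\WINDOWS and loaded through a Browser Helper Object and ShellServiceObjectDelayLoad, a rogue "VirusIsolator" program added to the Run key the same day, and Security Center overrides that silence the antivirus and update warnings. The script below is an added example, not part of the original post and not ComboFix's own logic: it parses the "Reg Loading Points" style lines and flags those patterns. The sample lines are copied from the log above; the heuristics (a persistence entry pointing at a file directly in the Windows root, and other persistence entries whose file date matches that cluster) are my own assumptions about what deserves a second look, not a definitive verdict.

```python
"""Triage pass over ComboFix 'Reg Loading Points' lines (added example, not ComboFix code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: excerpts copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
C:\Autorun.inf
D:\Autorun.inf
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C57910E2-F661-4E22-8972-EEB5EBD8C43C}]
2008-04-26 05:22 233472 --a------ C:\WINDOWS\qnmargolonw.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"VirusIsolator.exe"="C:\Program Files\VirusIsolator\VirusIsolator.exe" [2008-04-26 13:01 976384]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"wdpoefan"= {6C7659B5-5CDB-4B32-B98D-2409DEAF7410} - C:\WINDOWS\wdpoefan.dll [2008-04-26 05:20 212992]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"""

DRIVE_ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$", re.I)
SC_OVERRIDE = re.compile(r'^"(?P<name>\w+)"=dword:0*1$')
# Security Center values that, when set to 1, suppress AV/firewall/update warnings.
SC_OVERRIDE_NAMES = {"AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
                     "FirewallDisableNotify", "UpdatesDisableNotify"}
# Form 1: 'date time size attrs path' (BHO block)
LEADING_STAMP = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} +[\d,]+ +\S+ +(?P<path>[a-z]:\\.+?)\s*$", re.I)
# Form 2: '... path [date time size]' (Run, SSODL and Startup-folder lines)
TRAILING_STAMP = re.compile(
    r'(?P<path>[a-z]:\\[^"\[\]]+?)"?\s*\[(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}(?::\d{2})? \d+\]',
    re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def in_windows_root(path: str) -> bool:
    """True for X:\WINDOWS\file.ext, i.e. directly in the Windows root, not a subfolder."""
    parts = path.rstrip("\\").split("\\")
    return len(parts) == 3 and parts[1].lower() == "windows"


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    entries: List[Tuple[str, Optional[str]]] = []  # (image path, file date) per persistence line
    for raw in log_text.splitlines():
        line = raw.strip()
        if DRIVE_ROOT_AUTORUN.match(line):
            findings.append(Finding("autorun_root", line))
            continue
        m = SC_OVERRIDE.match(line)
        if m and m.group("name") in SC_OVERRIDE_NAMES:
            findings.append(Finding("security_center_override", m.group("name")))
            continue
        m = LEADING_STAMP.match(line) or TRAILING_STAMP.search(line)
        if m:
            entries.append((m.group("path"), m.group("date")))

    # Heuristic (assumption): legitimate autostarts rarely load a file dropped straight into
    # the Windows root; such entries are flagged and their dates define an "infection day".
    root_hits = [(p, d) for p, d in entries if in_windows_root(p)]
    for path, _ in root_hits:
        findings.append(Finding("windows_root_binary", path))
    dates = Counter(d for _, d in root_hits if d)
    if dates:
        day = dates.most_common(1)[0][0]
        for path, d in entries:
            if d == day and not in_windows_root(path):
                findings.append(Finding("same_day_as_cluster", f"{path} ({d})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:26} {f.detail}")
```

Run on the sample it reports both Autorun.inf files, the two Security Center overrides, the two DLLs in C:\WINDOWS, and VirusIsolator.exe as a same-day addition; on a full log it reads every Run, BHO, SSODL and Startup-folder line the same way, so the Startup-folder entry for the cracked "TiVi Phone" executable would be caught too if its date matched the cluster.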

#2 pskelley

pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 01 May 2008 - 07:08 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log (Instructions for receiving help in cleaning your computer): http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

If you still need help, read the instructions posted above and pinned to the top of the forum, then follow my directions from this point.

I advise you to be careful running tools like ComboFix; even the creator of the tool advises that it be used with supervision only.

Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply using Add Reply.

If you no longer need help, post to let me know and I will close your topic.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 pskelley

pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 08 May 2008 - 07:12 AM

There has been no response to this topic in over a week.
This topic is closed.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006



