
Combofix V. Vista


  • This topic is locked
12 replies to this topic

#1 ATA Dave

ATA Dave

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 05 May 2008 - 02:34 PM

Hi,

My name is Dave and I am new to this forum. My HP Pavilion notebook (Vista OS) has become infected with an aggressive malware that will actually open IE on its own and display pop-ups. McAfee and PCSafe did not find it, but product support @ PCSafe recommended running a program called “ComboFix”. I downloaded a tutorial on this program from this site. The tutorial suggested booting in “Vista Recovery Environment”. I was not able to do this as my laptop did not come with a Windows disk, but I otherwise followed the instructions.

The program (ComboFix) appeared to be running as the tutorial said it would. It appeared to be about finished, but it rebooted my laptop. (This occurrence was not included in the tutorial.) My desktop has not been restored and it’s been over an hour now. There is a blank, blue, DOS prompt screen which reads at the top: C:\Windows\system32\CF20902.exe

Anyone know what I should do next?

Thank you,
Dave


#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 05 May 2008 - 03:22 PM

welcome to this site :thumbsup:

sorry to hear about your problems with combofix; however, as this program states within the instructions, one presumes a trained malware expert did not instruct you to run it; and nor did you read fully the combofix disclaimer?

running the program unsupervised can lead to your computer being rendered forever unbootable, it is that powerful a tool, which is why it MUST be run only under strictly supervised conditions


we may need to see if a member of the HJT Team can get you 'recovered' :flowers:
do we note you do NOT have your computer CD and licence key available?

can you clarify:

It appeared to be about finished, but it rebooted my laptop


My desktop has not been restored and it’s been over an hour now.


did you run combofix on BOTH machines?

Edited by ruby1, 05 May 2008 - 03:27 PM.


#3 ATA Dave

ATA Dave
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 05 May 2008 - 03:36 PM

No, my computer did not come with a Windows CD.

No, I did not run the program on both machines - just the laptop.

My gut is that I have done minimal/repairable damage. I could probably just close the program, but I'm afraid to do anything else without seeking help.

Thanks,
Dave

#4 ATA Dave

ATA Dave
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 05 May 2008 - 04:00 PM

What's an "HJT Team", and how do I contact them?

Thanks again,
Dave

#5 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 05 May 2008 - 04:17 PM

What's an "HJT Team", and how do I contact them?

Thanks again,
Dave

they are a specialist part OF this forum who undergo extensive, intensive training before they can help with really messed up computers, and use very powerful tools where appropriate to clean; I have already notified the Team to see how you can hopefully be helped to recover

a Mod or other suitably 'qualified' Staff member on here will hopefully reply to this thread in due course :thumbsup:

#6 ATA Dave

ATA Dave
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 05 May 2008 - 04:18 PM

Thanks a million!

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:11:08 PM

Posted 05 May 2008 - 04:32 PM

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

did you disable McAfee as specified in this guide?
Chewy

No. Try not. Do... or do not. There is no try.

#8 ATA Dave

ATA Dave
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 05 May 2008 - 06:25 PM

Yes, I did disable McAfee. I was able to close ComboFix and find the report. The program did not appear to work exactly as the tutorial said it would, but it looks as though it did its job and I have detected no damage.

The tutorial mentions that I am supposed to post the results on this forum. I will do that here unless there is another place on this site that would be more appropriate?

Thanks again,
Dave



ComboFix 08-05-01.3 - cadave 2008-05-05 13:51:39.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1214 [GMT -4:00]
Running from: C:\Users\cadave\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-05 to 2008-05-05 )))))))))))))))))))))))))))))))
.

2008-05-05 12:32 . 2006-11-02 05:44 320,000 --a------ C:\Windows\System32\CF5724.exe
2008-05-05 12:26 . 2006-11-02 05:44 320,000 --a------ C:\Windows\System32\CF4408.exe
2008-04-30 18:49 . 2008-04-30 22:41 524,288 --ahs---- C:\Users\cadave\ntuser.dat{abf767e5-16ff-11dd-8e38-001a6b813aca}.TMContainer00000000000000000002.regtrans-ms
2008-04-30 18:49 . 2008-04-30 22:41 524,288 --ahs---- C:\Users\cadave\ntuser.dat{abf767e5-16ff-11dd-8e38-001a6b813aca}.TMContainer00000000000000000001.regtrans-ms
2008-04-30 18:49 . 2008-04-30 22:41 65,536 --ahs---- C:\Users\cadave\ntuser.dat{abf767e5-16ff-11dd-8e38-001a6b813aca}.TM.blf
2008-04-18 17:47 . 2008-04-18 17:47 <DIR> d-------- C:\Windows\System32\URTTEMP
2008-04-09 08:57 . 2008-02-14 19:19 944,184 --a------ C:\Windows\System32\winload.exe
2008-04-09 08:57 . 2008-02-19 01:10 620,088 --a------ C:\Windows\System32\ci.dll
2008-04-09 08:57 . 2008-02-29 02:39 371,712 --a------ C:\Windows\System32\srcore.dll
2008-04-09 08:57 . 2008-02-29 02:38 313,856 --a------ C:\Windows\System32\rstrui.exe
2008-04-09 08:57 . 2008-02-29 02:51 19,000 --a------ C:\Windows\System32\kd1394.dll
2008-04-09 08:56 . 2008-02-29 00:16 2,027,008 --a------ C:\Windows\System32\win32k.sys
2008-04-09 08:56 . 2008-02-21 00:43 296,448 --a------ C:\Windows\System32\gdi32.dll
2008-04-09 08:56 . 2008-02-29 02:39 40,960 --a------ C:\Windows\System32\srclient.dll
2008-04-09 08:56 . 2008-02-29 02:38 16,384 --a------ C:\Windows\System32\srdelayed.exe
2008-04-09 08:56 . 2008-02-29 02:34 7,168 --a------ C:\Windows\System32\f3ahvoas.dll
2008-04-09 08:56 . 2008-02-29 02:35 6,656 --a------ C:\Windows\System32\kbd106n.dll
2008-04-08 20:14 . 2008-04-18 21:42 <DIR> d-------- C:\Program Files\Route Browser
2008-04-08 20:14 . 2008-04-20 10:19 252 --a------ C:\Windows\ODBC.INI
2008-04-08 20:03 . 2008-04-20 10:21 <DIR> d-------- C:\Program Files\Logbook Pro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-05 21:21 --------- d-----w C:\Users\cadave\AppData\Roaming\skypePM
2008-05-05 13:00 --------- d-----w C:\Program Files\AdwareFilter
2008-05-03 02:21 --------- d-----w C:\Users\cadave\AppData\Roaming\Skype
2008-04-30 22:48 --------- d-----w C:\Users\cadave\AppData\Roaming\MSN6
2008-04-30 22:48 --------- d-----w C:\ProgramData\Microsoft Help
2008-04-30 22:13 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-20 14:38 13,072 ----a-w C:\Users\cadave\AppData\Roaming\nvModes.dat
2008-04-20 14:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-20 13:01 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-17 12:31 --------- d-----w C:\Program Files\SkyGuide PocketFly Timetable
2008-04-09 13:05 --------- d-----w C:\Program Files\Windows Mail
2008-03-26 14:01 --------- d-----w C:\Program Files\Java
2008-03-21 23:07 --------- d-----w C:\Program Files\Google
2008-03-21 20:23 32 ----a-w C:\Users\All Users\ezsid.dat
2008-03-21 20:23 32 ----a-w C:\ProgramData\ezsid.dat
2008-03-21 20:19 --------- d-----w C:\ProgramData\Skype
2008-03-21 20:19 --------- d-----w C:\Program Files\Skype
2008-03-21 20:19 --------- d-----w C:\Program Files\Common Files\Skype
2008-03-21 13:22 --------- d-----w C:\Program Files\Synaptics
2008-03-21 09:21 --------- d#----- C:\Program Files\AOL 9.0
2008-03-21 09:21 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-03-21 09:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-21 09:21 --------- d-----w C:\Program Files\MP4 Player
2008-03-21 09:21 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-03-21 09:21 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-19 13:56 --------- d-----w C:\Program Files\McAfee
2008-03-03 16:23 691,545 ----a-w C:\Windows\unins000.exe
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-14 12:29 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-14 12:24 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-14 12:24 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-14 12:23 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-14 12:23 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-14 12:23 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-14 12:23 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-14 12:23 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-14 12:23 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-14 12:23 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-14 12:23 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-14 12:23 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-14 12:23 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2007-09-01 14:46 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-11 22:16 1232896]
"WindowsWelcomeCenter"="oobefldr.dll" [2006-11-02 08:34 2159104 C:\Windows\System32\oobefldr.dll]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2007-03-20 18:23 1773568]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-06-14 10:05 6856704]
"MP4 Player"="C:\Program Files\MP4 Player\mp4Player.exe" [2007-09-19 09:00 639488]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-16 18:46 1006264]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 00:43 729088]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-01 15:38 4390912 C:\Windows\RtHDVCpl.exe]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-03-28 20:45 176128]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-11-06 13:58 159744]
"HP Health Check Scheduler"="C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-06-05 09:12 71176]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 16:18 472776]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 19:12 317128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"CognizanceTS"="c:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 15:12 17920]
"HostManager"="C:\Program Files\Common Files\AOL\1187319687\ee\AOLSoftware.exe" [2006-09-25 20:52 50736]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2007-10-18 12:08 33280]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-01-13 09:40 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-01-13 09:40 7766016]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-01-13 09:40 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 19:29 102400]
"combofix"="C:\Windows\system32\CF20902.exe" [2006-11-02 05:44 320000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="%WINDIR%\SMINST\launcher.exe" [ ]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
AdwareFilter Background Protection.lnk - C:\Program Files\AdwareFilter\adwarefilter.exe [2008-04-03 15:19:36 4564280]
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 12:27:40 719664]
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-01-02 21:40:10 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=APSHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{250BB2DB-608B-4C35-BBAF-B35A44314358}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3A5BBDC5-80B5-4461-B61F-C303D435C714}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{14964889-220B-4E71-AF6B-8A0D0F40D4DB}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{A1CBAB0B-30A1-4A5D-9857-60EA26E5BD65}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{9ED93697-65E7-4EE2-8CE7-0B90D63529D4}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A0684517-0A59-42E2-9B37-0FCA0D8B8D3F}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{44D2EFCF-190B-42A7-ACC7-A86181E6B04E}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{599EF52C-B1B5-4C5C-8CF6-CDE137995A36}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{FAC4C87F-83DA-40E8-A8CF-FCFED1CD6C22}"= UDP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{14CD316C-8C8E-4C85-9BF7-B6549DAD7096}"= TCP:C:\Program Files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{74572D20-8C45-47F1-AA38-171A2A434DB3}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{F6EEBE13-2CD9-4539-95BA-C8E941865389}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{62C5F42D-C687-454F-AF88-03BE2B8601A5}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{7C8A8C78-FDF5-40FF-86FB-DD7087AB4E3F}"= UDP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{5C901176-ACE1-4C15-80F8-0D7EF04BEAFF}"= TCP:C:\Program Files\Common Files\aol\acs\AOLDial.exe:AOL Connectivity Service Dialer
"{B89FDA39-AD15-4802-942E-2681800FB98A}"= UDP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{A2AA0C1D-7424-4D11-B300-6EDE39497F84}"= TCP:C:\Program Files\Common Files\aol\acs\AOLacsd.exe:AOL Connectivity Service
"{3AE8BF1C-7117-46BE-B27B-FBA10271ED6C}"= UDP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{EAC55FEE-419C-4E30-A396-58872A5A9504}"= TCP:C:\Program Files\AOL 9.0\waol.exe:AOL
"{596138E1-480C-4B50-A4AC-A4D54F005C92}"= UDP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{A5C796F9-8056-49DB-B576-8D5FA92A989C}"= TCP:C:\Program Files\Common Files\aol\TopSpeed\3.0\aoltpsd3.exe:AOL TopSpeed
"{75A89F5C-0B2B-468C-A246-9B684FB240E2}"= UDP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{18B83E7B-DD56-472F-B294-047702F30FD9}"= TCP:C:\Program Files\Common Files\aol\Loader\aolload.exe:AOL Loader
"{080194D3-4667-45BB-9934-E3027D943EB4}"= UDP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{C94C19E8-90DA-4A2B-A143-835BA26F1E6B}"= TCP:C:\Program Files\Common Files\aol\System Information\sinf.exe:AOL System Information
"{38581D0D-6C08-415E-8719-AA4D3127D73C}"= Profile=Private|Profile=Public|C:\Program Files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{188E7332-5640-4EB2-A54B-0FBF093F18F0}"= UDP:C:\Program Files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{478333B5-14CA-4720-B57B-F4700B7CA2F4}"= TCP:C:\Program Files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{4659CB31-9D28-4DCF-B07E-80D7BB660D09}"= UDP:C:\Program Files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{7879B34D-8EDB-4696-B23B-2780784FB9E1}"= TCP:C:\Program Files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{8F67C23F-6DF7-4AE4-BD90-B76849ED2DCD}"= UDP:C:\Program Files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{E5248C86-ECA4-4803-A3C7-C01966FD828E}"= TCP:C:\Program Files\MSN Messenger\msnmsgr.exe:MSN Messenger 7.0
"{B9603CF5-4795-48B2-A713-67256FAE97E3}"= Disabled:UDP:C:\Users\cadave\AppData\Local\Temp\7zS6A42.tmp\setup\HPZnui01.exe:hpznui01.exe
"{564C3D4A-BFF9-4559-9E1C-36CAD2AED937}"= Disabled:TCP:C:\Users\cadave\AppData\Local\Temp\7zS6A42.tmp\setup\HPZnui01.exe:hpznui01.exe
"TCP Query User{D0A14180-D8C6-4AC3-8745-800C3FB3A6FA}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{CEEF74A9-8371-4455-AD79-A9294764438A}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{8D073CB7-754A-4231-B9DF-79A8A2C86B1B}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{CD9ABAEB-6DD0-4ECB-B3D6-CF01F71FE7AB}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{72C3B187-6BD0-4462-9E94-4F62FD109FBC}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{02F90B8B-00A2-4E35-A95C-5BB6639CDAA0}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{C950D1EC-66F8-4BA5-9443-CA61080FE149}C:\\program files\\hp\\hp software update\\hpwucli.exe"= UDP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client
"UDP Query User{D6AAE733-D3CC-4DE6-86B5-D153B0FA0083}C:\\program files\\hp\\hp software update\\hpwucli.exe"= TCP:C:\program files\hp\hp software update\hpwucli.exe:HP Software Update Client

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R2 ASBroker;Logon Session Broker;C:\Windows\System32\svchost.exe [2006-11-02 05:45]
R2 ASChannel;Local Communication Channel;C:\Windows\System32\svchost.exe [2006-11-02 05:45]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;"C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [2008-01-11 18:50]
R2 HPSLPSVC;HP Network Devices Support;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R2 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 05:45]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ []
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-15 12:50]
R3 swmsflt;swmsflt;C:\Windows\system32\drivers\swmsflt.sys [2007-10-18 12:08]
S3 ATTRcAppSvc;AT&T RcAppSvc;"C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe" /n "ATTRcAppSvc" []
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2007-10-12 23:50]
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-01-02 06:45]
S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2007-01-02 06:45]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-01-02 06:45]
S3 CAATT;AT&T Con App Svc;"C:\Program Files\AT&T\Communication Manager\ConAppsSvc.exe" /n "CAATT" []
S3 n558;N558 Bluetooth USB Filter Driver;C:\Windows\system32\Drivers\n558.sys [2007-07-20 06:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
GPSvcGroup REG_MULTI_SZ GPSvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76cdd403-c9ba-11dc-b4cf-001a6b813aca}]
\shell\AutoRun\command - F:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-08-17 03:38:36 C:\Windows\Tasks\McDefragTask.job"




pushd "C:\327882R2FWJFW\"

=============================================

ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\cadave\AppData\Roaming
cfldr=327882R2FWJFW
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DAVE-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\cadave
kmd=CF20902.exe
LOCALAPPDATA=C:\Users\cadave\AppData\Local
LOGONSERVER=\\DAVE-PC
NUMBER_OF_PROCESSORS=2
OnlineServices=Online Services
OS=Windows_NT
Path=C:\327882R2FWJFW;C:\Windows\system32;C:\Windows;C:\Windows\system32\wbem;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;c:\Program Files\Bioscrypt\VeriSoft\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\
PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PCBRAND=Pavilion
PLATFORM=MCD
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 72 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4802
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
PROMPT=$
PUBLIC=C:\Users\Public
RoxioCentral=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
sfxname=C:\Users\cadave\Desktop\ComboFix.exe
system=C:\Windows\system32
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\cadave\AppData\Local\Temp
TMP=C:\Users\cadave\AppData\Local\Temp
USERDOMAIN=Dave-PC
USERNAME=cadave
USERPART=E:
USERPROFILE=C:\Users\cadave
windir=C:\Windows

=============================================


if not defined sfxname goto END

Nircmd win close ititle "ComboFix"

If [] == [] Set "SfxCmd="

if /I "C:\327882R2FWJFW" NEQ "C:\327882R2FWJFW" goto Abort

if exist "C:\Users\cadave\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\Users\cadave\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log"
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
Ownerchange for "C:\Windows\system32\cmd.exe" to Administrators group was successful

copy /y "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF20902.exe"
1 file(s) copied.

if not exist "C:\Windows\system32\CF20902.exe" catchme -l nul -c "C:\Windows\system32\cmd.exe" "C:\Windows\system32\CF20902.exe"

For /F "tokens=*" %g in ("C:\Users\cadave\Desktop\ComboFix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)

Set FileName 2>nul | GREP -Gisqx "FileName=[-[:alnum:]@.]*" || (
nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" ""
goto END
)

DIR /AD/B C:\* | FindStr.exe -IVX ComboFix 1>dirname00

FindStr.exe -LIXC:"ComboFix" dirname00 1>nul && call :NameChk

If exist dirname0? del /Q dirname0?

If exist "\ComboFix" DIR /AD "\ComboFix" 1>nul && (
rd /s/q "\ComboFix"
If exist "\ComboFix" (
PV -kf findstr.exe *.cfexe
rd /s/q "\ComboFix"
)
If exist "\ComboFix" (
handle "C:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
for /F "tokens=1,2" %g in (temp00) do @echo.y | Handle -p %g -c %h
del /q temp00
rd /s/q "\ComboFix"
)
)

If exist "\ComboFix" rd /s/q "\ComboFix"

If exist "\ComboFix" goto :eof

VER | Findstr.exe -ic:"[Version 6.0" && (Call :Vista ) ||
Microsoft Windows [Version 6.0.6000]

type nul 1>Vista.mac

swxcacls "C:\Windows\system32\cmd.exe" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /ga:x /gs:x /gp:x /gu:x /q

swxcacls "C:\Windows\system32\cmd.exe" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /q

swreg query "hkcu\control panel\international" /v localename | SED "/.*\t/!d;s///" 1>MUI00

swreg query "hku\.default\control panel\international" /v localename | SED "/.*\t/!d;s///" 1>>MUI00

SED -r "$!N; /^(.*)\n\1$/!P; D" MUI00 1>MUI01

For /F "tokens=*" %g in (MUI01) do @if exist "C:\Windows\system32\%~g\cmd.exe.mui" (
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /oa /q
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /p /ga:f /gs:f /gp:x /gu:x /q
Copy /y "C:\Windows\system32\%~g\cmd.exe.mui" "C:\Windows\system32\en-us\CF20902.exe.mui"
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /g SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464:f /ga:x /gs:x /gp:x /gu:x /q
swxcacls "C:\Windows\system32\%~g\cmd.exe.mui" /o SID#S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464 /q
)
SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©
Ownerchange for "C:\Windows\system32\en-US\cmd.exe.mui" to Administrators group was successful
1 file(s) copied.

GREP -sq . MUI01 && (
del /q MUI0? 2>nul
goto :eof
)

CD ..

Set "comspec=C:\Windows\system32\CF20902.exe"

(
echo.md "\ComboFix"
echo.Move /y "\327882R2FWJFW\*" "\ComboFix"
echo.RD /S/Q "\327882R2FWJFW"
echo.Start "." /d"C:\ComboFix" "C:\Windows\system32\CF20902.exe" /k c.bat
echo.pv -kf cmd.exe
) 1>Start_.cmd

NirCmd exec hide "C:\Windows\system32\CF20902.exe" /f:off /d /c call Start_.cmd

NirCmd execmd del "\327882R2FWJFW\prep.cmd"

EXIT

#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:11:08 PM

Posted 05 May 2008 - 06:37 PM

I have been told that vista is easy to clean up

why don't you run a scan


http://www.bleepingcomputer.com/forums/ind...st&p=817091
Chewy

No. Try not. Do... or do not. There is no try.

#10 ATA Dave

ATA Dave
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:11:08 PM

Posted 05 May 2008 - 06:53 PM

Well - that's what I did - I thought - perhaps - maybe...........

I ran ComboFix and posted the results above because that's what the tutorial said to do. I'm not sure this is where I'm supposed to post the results though.

I can't interpret the results, so I don’t know if the program found/repaired/removed/fixed anything.

Thanks,
Dave

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:11:08 PM

Posted 05 May 2008 - 07:08 PM

the people trained to interpret and supervise the use of combofix are the experts in the hijackthis forum

let's ignore your combofix log and run that other scan with MBAM
Chewy

No. Try not. Do... or do not. There is no try.

#12 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 05 May 2008 - 07:14 PM

you should not attempt to interpret the results from the scan, which is one reason why running the fix and posting the log is done under HJT supervision

these logs are only intended FOR the HJT section; as you have now posted a Combofix log this thread will doubtless be moved by the Mods to that section

#13 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,850 posts
  • OFFLINE
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:08:08 PM

Posted 05 May 2008 - 07:27 PM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

