
Combofix Log


This topic is locked. 1 reply to this topic.

#1 jleste71

Posted 25 July 2008 - 09:02 AM

ComboFix 08-07-24.3 - administrator 2008-07-25 9:03:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.204 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\Documents and Settings\LocalService\Application Data\wsnpoem
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\NetworkService\Application Data\wsnpoem
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll
C:\WINDOWS\g32.txt
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\system32\DelSelf.bat
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
C:\WINDOWS\ws386.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASPIMGR
-------\Service_aspimgr


((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-24 12:31 . 2008-04-23 00:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-24 12:31 . 2007-04-17 05:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-24 12:31 . 2007-03-08 01:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-24 12:31 . 2008-04-23 00:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-24 12:31 . 2008-04-23 00:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-24 12:31 . 2008-04-23 00:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-24 12:31 . 2008-04-23 00:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-24 12:31 . 2008-04-23 00:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-24 12:31 . 2008-04-22 03:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-24 12:19 . 2008-07-24 12:19 0 --a------ C:\WINDOWS\system32\protrace.1664
2008-07-24 12:10 . 2008-07-24 12:12 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-24 11:10 . 2008-07-24 11:10 0 --a------ C:\WINDOWS\system32\protrace.1692
2008-07-24 11:08 . 2008-07-24 11:08 440 --a------ C:\WINDOWS\system32\protrace.1656
2008-07-24 11:02 . 2008-07-24 11:07 <DIR> d-------- C:\Program Files\McAfee
2008-07-23 11:27 . 2008-06-13 07:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-23 11:27 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-23 11:21 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-07-23 11:20 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-23 10:48 . 2008-07-23 10:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-23 10:46 . 2008-07-24 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-23 10:38 . 2008-07-23 10:38 768 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-23 10:33 . 2008-07-23 10:33 <DIR> d-------- C:\WINDOWS\35C03C043F1F42C2A989A757EE691F65.TMP
2008-07-23 10:05 . 2008-07-23 10:05 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-23 10:05 . 2008-07-23 10:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-23 10:03 . 2008-07-23 10:03 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-23 09:28 . 2008-07-23 09:28 18,772 --a------ C:\Documents and Settings\golf\Application Data\qihijunuma.dll
2008-07-23 09:28 . 2008-07-23 09:28 17,166 --a------ C:\WINDOWS\dasi.lib
2008-07-23 09:28 . 2008-07-23 09:28 16,901 --a------ C:\Documents and Settings\All Users\Application Data\nagadav.com
2008-07-23 09:28 . 2008-07-23 09:28 16,857 --a------ C:\Documents and Settings\All Users\Application Data\dazik.vbs
2008-07-23 09:28 . 2008-07-23 09:28 16,636 --a------ C:\WINDOWS\system32\pidizav.exe
2008-07-23 09:28 . 2008-07-23 09:28 15,230 --a------ C:\WINDOWS\kijyxy.db
2008-07-23 09:28 . 2008-07-23 09:28 12,056 --a------ C:\WINDOWS\ydumada.bat
2008-07-23 09:28 . 2008-07-23 09:28 11,687 --a------ C:\WINDOWS\system32\rufor._dl
2008-07-23 09:28 . 2008-07-23 09:28 10,498 --a------ C:\Documents and Settings\golf\Application Data\ybaqy.dll
2008-07-23 09:28 . 2008-07-23 09:28 10,476 --a------ C:\WINDOWS\agysufon._sy
2008-07-23 06:47 . 2008-07-23 10:30 <DIR> d-------- C:\Program Files\XPSecurityCenter
2008-07-23 06:41 . 2008-07-23 06:41 304,332 --a------ C:\WINDOWS\system32\winivstr0ld.exe.old
2008-07-23 06:40 . 2008-07-24 14:56 9,728 --a------ C:\WINDOWS\system32\buritos0ld.exe.old
2008-07-23 06:40 . 2008-07-24 14:56 9,728 --a------ C:\WINDOWS\buritosold.exe.0ld
2008-07-23 06:40 . 2008-07-24 14:56 6,144 --a------ C:\WINDOWS\karina.dat
2008-07-23 06:39 . 2008-07-23 06:39 0 --a------ C:\WINDOWS\system32\protrace.1632
2008-07-13 07:23 . 2008-07-13 07:23 0 --a------ C:\WINDOWS\system32\protrace.1640
2008-07-02 07:31 . 2008-07-02 07:31 0 --a------ C:\WINDOWS\system32\protrace.1560

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-23 14:37 --------- d-----w C:\Program Files\Network Associates
2008-07-23 14:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-07-23 14:33 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-07-23 12:46 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-07-23 12:46 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-07-23 10:38 27,648 ----a-w C:\WINDOWS\system32\drivers\beep.sys.0ld
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2005-03-10 20:23 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-01 14:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-01 13:58 118784]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 17:33 563984]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 09:37 28672 C:\WINDOWS\system32\nwtray.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-02-07 09:34:09 67128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 15:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\TIREMOTE\\TIRemote.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 AdminService10.1B;AdminService for OpenEdge 10.1B;C:\vsi\dlc10\bin\AdmSrvc.exe [2006-12-08 00:03]
R2 Esdpdx01;Esdpdx01;C:\WINDOWS\system32\Drivers\ESDPDX01.SYS [2003-01-19 01:00]
S3 LVRS;Logitech RightSound Filter Driver;C:\WINDOWS\system32\DRIVERS\lvrs.sys [2007-10-11 22:00]
S4 TIRmtCtl;Track-It! Remote Control;C:\WINDOWS\TIREMOTE\wuser32.exe [2003-11-14 14:16]
.
Contents of the 'Scheduled Tasks' folder
"2005-03-10 19:46:56 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Launch Toolbox Application - C:\WINDOWS\system32\CRDTB_LAUNCH.EXE
HKU-Default-Run-Launch Toolbox Application - C:\WINDOWS\system32\CRDTB_LAUNCH.EXE


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.com
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-25 09:09:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\EpStsSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\vsi\dlc10\jre\bin\java.exe
C:\vsi\dlc10\jre\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-25 9:11:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-25 13:11:53

Pre-Run: 67,796,254,720 bytes free
Post-Run: 67,737,157,632 bytes free

167 --- E O F --- 2008-07-24 17:34:06

#2 boopme (Global Moderator)

Posted 25 July 2008 - 10:35 AM

ComboFix logs should not be posted outside the HijackThis forums and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff