Can Somebody Help Me? Ran Combofix, Need Log Analyzed



#1 xcfisher

Posted 18 August 2008 - 01:26 PM

I just ran ComboFix as instructed and came up with this log file; can somebody make sense of it for me? I was getting a lot of pop-ups, but now they seem to have ceased. I just want to make sure I don't need to do anything else. I really appreciate it, guys!

:thumbsup:

__________________________________________________________________________________________________________________________________

ComboFix 08-08-17.05 - Noah 2008-08-18 10:59:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1354 [GMT -7:00]
Running from: C:\Documents and Settings\Noah\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Noah\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Noah\Application Data\macromedia\Flash Player\#SharedObjects\5V7A5GX9\interclick.com
C:\Documents and Settings\Noah\Application Data\macromedia\Flash Player\#SharedObjects\5V7A5GX9\interclick.com\ud.sol
C:\Documents and Settings\Noah\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Noah\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Noah\Cookies\noah@ad.yieldmanager[2].txt
C:\Documents and Settings\Noah\Cookies\noah@adtrgt[2].txt
C:\Documents and Settings\Noah\Cookies\noah@cuc.naturalizer[1].txt
C:\Documents and Settings\Noah\Cookies\noah@ebay[1].txt
C:\Documents and Settings\Noah\Cookies\noah@edge.ru4[2].txt
C:\Documents and Settings\Noah\Cookies\noah@imiclk[1].txt
C:\Documents and Settings\Noah\Cookies\noah@main.ebayrtm[2].txt
C:\Documents and Settings\Noah\Cookies\noah@revsci[2].txt
C:\Documents and Settings\Noah\Cookies\noah@specificclick[1].txt
C:\Documents and Settings\Noah\UserData
C:\Documents and Settings\Noah\UserData\index.dat
C:\WINDOWS\system32\__c0017ED6.dat
C:\WINDOWS\system32\_000005_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\~.exe
C:\xcrashdump.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-18 to 2008-08-18 )))))))))))))))))))))))))))))))
.

2008-08-18 10:29 . 2007-07-09 06:16 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-08-18 09:08 . 2008-08-18 09:08 <DIR> d-------- C:\WINDOWS\$SQLUninstallSQL2000-KB948110-v8.00.2050-x86-ENU$
2008-08-18 09:05 . 2008-08-18 09:05 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-08-18 08:58 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-08-18 08:57 . 2008-06-23 09:57 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-08-12 21:42 . 2008-08-12 21:42 <DIR> d-------- C:\Documents and Settings\Noah\Application Data\acccore
2008-07-30 09:27 . 2008-07-30 09:27 103,208 --a------ C:\WINDOWS\system32\AOLDial.dll
2008-07-30 09:27 . 2008-07-30 09:27 33,328 --a------ C:\WINDOWS\system32\drivers\atwpkt264.sys
2008-07-30 09:27 . 2008-07-30 09:27 24,360 --a------ C:\WINDOWS\system32\drivers\atwpkt2.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-08-13 04:39 --------- d-----w C:\Program Files\Common Files\aol
2008-08-13 04:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-13 04:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-01-29 02:15 396 ----a-w C:\Documents and Settings\Noah\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2006-12-16 23:10 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2006-12-16 23:10 114688]
"HostManager"="C:\Program Files\Common Files\AOL\1166337053\ee\AOLSoftware.exe" [2008-06-24 11:34 41824]
"LXBSCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll" [2004-03-17 13:26 65536]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 19:58 856064]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-23 00:24 620152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 09:56 236016]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-11 01:26 406016]

C:\Documents and Settings\Noah\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 17:23:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2006-12-27 18:30:46 295606]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 01:01:50 734872]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.I420"= vdrcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\aol\\1166337053\\ee\\aolsoftware.exe"=
"C:\\Program Files\\AOL 9.0a\\waol.exe"=
"C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AOL 9.1\\waol.exe"=
"C:\\Program Files\\Common Files\\aol\\1166337053\\ee\\AOLDesktop.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

R3 MDPPORTVDD;MDPPORTVDD;C:\WINDOWS\System32\Drivers\MDP_VDD.SYS [2002-02-08 03:24]
.
Contents of the 'Scheduled Tasks' folder

2008-08-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

Notify-__c0017ED6 - C:\WINDOWS\system32\__c0017ED6.dat


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Noah\Application Data\Mozilla\Firefox\Profiles\6e2r40a4.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.aol.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-18 11:05:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\aol\acs\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\aol\Loader\aolload.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-08-18 11:13:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-18 18:13:07

Pre-Run: 133,819,248,640 bytes free
Post-Run: 136,721,637,376 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=signature(cb0cd51a)disk(1)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
signature(cb0cd51a)disk(1)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

151 --- E O F --- 2008-08-18 17:34:19


#2 kahdah (Security Colleague)

Posted 01 September 2008 - 03:06 PM

Hello xcfisher

Welcome to BleepingComputer :thumbsup:
========================
If you are still in need of assistance please do the following:

Click here to download HJTInstall.exe
  • Save HJTInstall.exe to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.
