
Help Understanding Combofix Log


#1 ttontis


Posted 23 August 2008 - 10:58 PM

I just ran ComboFix on my computer and would like to know if someone could help explain the log? I haven't noticed any problems on my computer, and I run Windows Defender and Spybot often and they have found nothing except the normal offending cookies. Just looking to learn something new.

Thanks,

TT

How do I know the difference between programs that could be causing problems and ones that are safe to run?

I also noticed that my desktop icon name for Internet Explorer changed after running ComboFix, which doesn't seem right. The new name is kloooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo.

What are the newly created services? Is that something ComboFix installs, or recent programs added to the computer?

Is combofix going through and listing all the programs running off the system32 folder?

It also said that normal run time is 10 min and it may take longer for computers that have a lot of infected files. It took half an hour, and I had to do a hard reboot after looking over the log. The desktop didn't come back 20 min after it posted the log and the hard drive light went out; I turned it off 10 min after the hard drive stopped being active.

Here is the log from ComboFix:

ComboFix 08-08-23.01 - Ted 2008-08-23 21:50:43.1 - NTFSx86
Running from: C:\Documents and Settings\Ted\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Adam\Application Data\macromedia\Flash Player\#SharedObjects\YCNF9KF3\interclick.com
C:\Documents and Settings\Adam\Application Data\macromedia\Flash Player\#SharedObjects\YCNF9KF3\interclick.com\ud.sol
C:\Documents and Settings\Adam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Adam\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Adam\Cookies\adam@2o7[1].txt
C:\Documents and Settings\Adam\Cookies\adam@a.hasbro[1].txt
C:\Documents and Settings\Adam\Cookies\adam@a.hasbro[3].txt
C:\Documents and Settings\Adam\Cookies\adam@ad.yieldmanager[2].txt
C:\Documents and Settings\Adam\Cookies\adam@ad.yieldmanager[5].txt
C:\Documents and Settings\Adam\Cookies\adam@insightexpressai[1].txt
C:\Documents and Settings\Adam\Cookies\adam@shopzilla[2].txt
C:\Documents and Settings\Adam\Cookies\adam@www.citycreator[1].txt
C:\Documents and Settings\Deane\Application Data\macromedia\Flash Player\#SharedObjects\JFJPT8ZB\interclick.com
C:\Documents and Settings\Deane\Application Data\macromedia\Flash Player\#SharedObjects\JFJPT8ZB\interclick.com\ud.sol
C:\Documents and Settings\Deane\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Deane\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Kris\Application Data\macromedia\Flash Player\#SharedObjects\JVD48ZW9\interclick.com
C:\Documents and Settings\Kris\Application Data\macromedia\Flash Player\#SharedObjects\JVD48ZW9\interclick.com\ud.sol
C:\Documents and Settings\Kris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Kris\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Kris\Cookies\kris@2o7[1].txt
C:\Documents and Settings\Kris\Cookies\kris@ad.yieldmanager[1].txt
C:\Documents and Settings\Kris\Cookies\kris@ehg-intuit.hitbox[2].txt
C:\Documents and Settings\Kris\Cookies\kris@ehg.fedex[1].txt
C:\Documents and Settings\Kris\Cookies\kris@insightexpressai[1].txt
C:\Documents and Settings\Kris\Cookies\kris@wm.intuit[1].txt
C:\Documents and Settings\Ted\Application Data\macromedia\Flash Player\#SharedObjects\SAFYGR4V\interclick.com
C:\Documents and Settings\Ted\Application Data\macromedia\Flash Player\#SharedObjects\SAFYGR4V\interclick.com\ud.sol
C:\Documents and Settings\Ted\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Ted\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Tony\Cookies\tony@2o7[2].txt
C:\Documents and Settings\Tony\Cookies\tony@ad.yieldmanager[2].txt
C:\Documents and Settings\Tony\Cookies\tony@advertising[1].txt
C:\Documents and Settings\Tony\Cookies\tony@insightexpressai[1].txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-24 to 2008-08-24 )))))))))))))))))))))))))))))))
.

2008-08-23 10:49 . 2008-08-23 10:49 <DIR> d-------- C:\Program Files\QuickTime
2008-08-22 11:03 . 2008-08-22 11:03 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-19 08:40 . 2008-08-19 08:40 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-08-17 10:51 . 2008-08-17 10:51 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-16 19:20 . 2008-08-16 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QubeSoft
2008-08-16 19:02 . 2008-08-16 19:02 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-16 19:02 . 2008-08-16 19:02 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-16 19:02 . 2008-08-16 19:02 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-16 18:37 . 2008-08-16 18:37 <DIR> d-------- C:\Program Files\LEGO Software
2008-08-16 18:07 . 2008-08-16 18:07 <DIR> d-------- C:\Documents and Settings\Adam\Application Data\LEGO Company
2008-08-16 18:05 . 2008-08-16 18:33 <DIR> d-------- C:\Program Files\LEGO Company
2008-08-13 21:12 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-04 20:29 . 2008-04-13 19:12 1,306,624 --------- C:\WINDOWS\system32\msxml6.dll
2008-08-04 20:28 . 2008-04-13 19:12 695,808 -----c--- C:\WINDOWS\system32\dllcache\drmv2clt.dll
2008-08-04 20:27 . 2008-04-13 19:11 286,720 -----c--- C:\WINDOWS\system32\dllcache\blackbox.dll
2008-08-04 20:27 . 2008-04-13 19:11 233,472 --------- C:\WINDOWS\system32\azroles.dll
2008-08-04 20:27 . 2008-04-13 19:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-08-04 20:27 . 2008-04-13 12:23 8,192 -----c--- C:\WINDOWS\system32\dllcache\asferror.dll
2008-08-04 20:27 . 2008-04-13 19:11 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-08-04 20:27 . 2003-07-16 11:18 999 -----c--- C:\WINDOWS\system32\dllcache\bktrh.gif
2008-07-26 12:28 . 2008-08-16 15:00 3 --a------ C:\WINDOWS\dcf.lnf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-24 03:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-23 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-19 13:54 --------- d-----w C:\Program Files\Trillian
2008-08-19 13:41 --------- d-----w C:\Program Files\HP
2008-08-08 19:07 23 ----a-w C:\Documents and Settings\Tony\jagex_runescape_preferences.dat
2008-08-01 13:45 23 ----a-w C:\Documents and Settings\Adam\jagex_runescape_preferences.dat
2008-07-30 22:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 22:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 22:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-24 03:14 --------- d-----w C:\Documents and Settings\Ted\Application Data\InstallShield
2008-07-18 11:08 --------- d-----w C:\Program Files\Google
2008-07-17 02:55 --------- d-----w C:\Program Files\Java
2008-07-17 02:51 --------- d-----w C:\Program Files\Common Files\Java
2008-07-17 00:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-17 00:41 --------- d-----w C:\Program Files\Windows Defender
2008-07-17 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-17 00:39 --------- d-----w C:\Program Files\Lavasoft
2008-07-17 00:38 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-17 00:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-17 00:19 --------- d-----w C:\Program Files\Bird Hunter Wild Wings Edition
2008-07-16 23:43 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-09-24 21:08 722,176 -c----w C:\Documents and Settings\Kris\gotomypc_428.exe
2007-09-17 20:32 722,176 -c----w C:\Documents and Settings\Deane\gotomypc_428.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.EXE" [2008-04-13 19:12 1695232]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-15 14:11 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 23:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"eligmini"="C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe" [2008-04-03 08:56 487424]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-08-23 10:49 413696]
"CTHelper"="CTHELPER.EXE" [2003-02-20 17:45 28672 C:\WINDOWS\system32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-02-20 17:27 110592 C:\WINDOWS\system32\CTASIO.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 19:12 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 08:00:46 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Intuit\\QuickBooks_06\\QBDBMgrN.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 O1394B;OW 1394b Bus Filter Service;C:\WINDOWS\system32\DRIVERS\o1394b.sys [2004-10-15 10:58]
R2 altio;altio;C:\WINDOWS\system32\altio.sys [2004-05-26 21:56]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 14:15]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 16:38]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]
S3 idmc1aud;Intel® Play™ USB Audio Filter (WDM);C:\WINDOWS\system32\drivers\idmc1aud.sys [2001-07-05 15:12]
S3 IDMC1Blk;Intel Play DMC Download Driver;C:\WINDOWS\system32\DRIVERS\IDMC1Blk.sys [2001-07-05 15:12]
S3 IDMC1Vxp;Intel® Play™ DMC Camera;C:\WINDOWS\system32\DRIVERS\idmc1vme.sys [2001-07-05 15:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\launcher.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-04 C:\WINDOWS\Tasks\dfrg.job
- C:\WINDOWS\system32\dfrg.msc [2003-07-16 11:20]

2008-08-17 C:\WINDOWS\Tasks\Disk Cleanup.job
- C:\WINDOWS\system32\cleanmgr.exe [2008-04-13 19:12]

2008-08-24 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-08-01 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Ted.job
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://mycampus.phoenix.edu/secure/PhxStudent15.CAB
C:\WINDOWS\Downloaded Program Files\PhxStudent15.INF
C:\WINDOWS\Downloaded Program Files\PhxStudent15.ocx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-23 22:04:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-23 22:09:08
ComboFix-quarantined-files.txt 2008-08-24 03:08:59

Pre-Run: 24,447,156,224 bytes free
Post-Run: 27,648,540,672 bytes free

199 --- E O F --- 2008-08-20 16:50:29

#2 Animal


Posted 23 August 2008 - 11:02 PM

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

