Combofix Log - Malware Removal


  • This topic is locked
1 reply to this topic

#1 froglevel

Posted 02 September 2008 - 10:50 AM

ComboFix 08-09-01.03 - Owner 2008-09-02 10:20:51.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.186 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-02 09:59 . 2008-09-02 09:59 81,920 --a------ C:\WINDOWS\system32\bunwbkfo.exe
2008-08-31 15:37 . 2008-08-31 16:46 <DIR> d-------- C:\Program Files\Crawler
2008-08-31 14:23 . 2008-08-31 14:23 94,208 --a------ C:\WINDOWS\system32\nulwdaba.exe
2008-08-30 09:52 . 2008-08-31 10:01 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-08-30 09:51 . 2008-08-30 09:51 <DIR> d-------- C:\WINDOWS\Sun
2008-08-30 09:17 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-30 09:12 . 2008-08-30 09:17 <DIR> d-------- C:\Program Files\Java
2008-08-30 09:11 . 2008-08-30 09:11 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-30 09:08 . 2008-08-30 09:08 86,016 --a------ C:\WINDOWS\system32\gzmrktor.exe
2008-08-29 17:06 . 2008-08-31 14:26 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-08-29 17:06 . 2008-08-31 14:26 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-08-29 17:06 . 2008-08-31 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-08-29 17:06 . 2008-08-29 17:06 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-08-29 16:45 . 2008-08-29 16:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\.clamwin
2008-08-29 16:44 . 2008-08-29 16:44 <DIR> d-------- C:\Program Files\ClamWin
2008-08-29 16:44 . 2008-08-29 16:44 <DIR> d-------- C:\Documents and Settings\All Users\.clamwin
2008-08-29 16:37 . 2008-08-29 16:37 <DIR> d-------- C:\Program Files\Windows Defender
2008-08-29 13:50 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-08-29 13:50 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-08-29 13:50 . 2008-08-26 20:19 88,576 --a------ C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-08-29 13:50 . 2008-08-27 15:17 87,040 --a------ C:\WINDOWS\system32\VACFix.exe
2008-08-29 13:50 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-08-29 13:50 . 2008-08-28 22:36 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-08-29 13:50 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
2008-08-29 13:50 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-08-29 13:50 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-08-29 13:39 . 2002-07-26 23:24 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE\WINDOWS
2008-08-29 13:39 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE\Application Data\VERITAS
2008-08-29 13:39 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE\Application Data\Symantec
2008-08-29 13:39 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE\Application Data\Share-to-Web Upload Folder
2008-08-29 13:39 . 2002-07-26 23:23 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE\Application Data\InterTrust
2008-08-29 13:39 . 2007-10-22 20:53 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE\Application Data\Gtek
2008-08-29 13:39 . 2008-08-29 13:39 <DIR> d-------- C:\Documents and Settings\Administrator.OFFICE
2008-08-29 13:39 . 2006-02-16 18:42 497 --ah----- C:\Documents and Settings\Administrator.OFFICE\hpothb07.dat
2008-08-29 13:25 . 2008-08-29 13:25 90,112 --a------ C:\WINDOWS\system32\kfermvcp.exe
2008-08-29 12:11 . 2008-08-29 12:11 90,112 --a------ C:\WINDOWS\system32\jobonsxa.exe
2008-08-29 10:05 . 2008-08-29 13:41 1,610 --a------ C:\WINDOWS\system32\tmp.reg
2008-08-29 09:40 . 2008-08-29 09:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-28 19:32 . 2008-08-28 19:32 98,304 --a------ C:\WINDOWS\system32\ibgdevuf.exe
2008-08-28 18:32 . 2008-09-02 10:11 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-28 14:42 . 2008-08-28 14:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-08-28 14:30 . 2008-08-28 14:30 90,112 --a------ C:\WINDOWS\system32\lmfilkbg.exe
2008-08-28 12:54 . 2008-08-28 12:54 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-08-28 12:51 . 2008-08-28 12:51 <DIR> d-------- C:\WINDOWS\system32\GroupPolicy
2008-08-28 12:51 . 2008-08-29 13:07 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-08-28 12:48 . 2008-03-07 12:02 192,000 -----c--- C:\WINDOWS\system32\dllcache\offfilt.dll
2008-08-28 12:48 . 2008-03-07 12:02 98,304 -----c--- C:\WINDOWS\system32\dllcache\nlhtml.dll
2008-08-28 12:48 . 2008-03-07 12:02 29,696 -----c--- C:\WINDOWS\system32\dllcache\mimefilt.dll
2008-08-28 12:46 . 2008-07-22 09:45 1,214,526 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-08-28 12:46 . 2008-07-22 09:45 790,846 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2008-08-28 12:46 . 2008-07-22 09:45 9,696 -----c--- C:\WINDOWS\system32\dllcache\drvmain.sdb
2008-08-28 12:06 . 2008-08-28 12:06 90,112 --a------ C:\WINDOWS\system32\udwxyfaz.exe
2008-08-28 10:16 . 2008-09-02 08:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-28 10:16 . 2008-08-30 09:10 97,928 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-28 10:16 . 2008-08-28 10:16 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-28 10:16 . 2008-08-28 10:16 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-28 10:08 . 2008-08-28 16:03 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-28 10:06 . 2008-08-28 10:08 <DIR> d-------- C:\Program Files\WinASO
2008-08-28 10:05 . 2008-08-28 13:09 <DIR> d-------- C:\Program Files\a-squared Free
2008-08-28 08:58 . 2008-08-28 08:58 <DIR> d-------- C:\Program Files\CCleaner
2008-08-28 08:57 . 2008-08-28 08:57 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-28 08:56 . 2008-08-28 08:56 <DIR> d-------- C:\Program Files\Alwil Software
2008-08-25 12:12 . 2008-08-25 17:58 0 --ah----- C:\WINDOWS\.security
2008-08-25 12:12 . 2008-08-25 17:58 0 --ah----- C:\.security
2008-08-25 09:25 . 2008-08-25 09:25 <DIR> d-------- C:\Program Files\ezhghse
2008-08-25 09:25 . 2008-08-25 09:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\lmzgjefs
2008-08-25 09:25 . 2008-08-25 09:25 106,496 --a------ C:\WINDOWS\system32\lohyzmvi.exe
2008-08-19 15:19 . 2008-08-19 15:19 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-08-19 15:19 . 2008-08-19 15:19 <DIR> d-------- C:\WINDOWS\system32\en
2008-08-19 15:19 . 2008-08-19 15:19 <DIR> d-------- C:\WINDOWS\l2schemas
2008-08-19 07:30 . 2008-04-13 19:12 712,704 --------- C:\WINDOWS\system32\windowscodecs.dll
2008-08-19 07:30 . 2008-04-13 19:12 346,112 --------- C:\WINDOWS\system32\windowscodecsext.dll
2008-08-19 07:30 . 2008-04-13 19:12 276,992 --------- C:\WINDOWS\system32\wmphoto.dll
2008-08-19 07:30 . 2008-04-13 19:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-08-19 07:30 . 2008-04-13 19:12 53,248 --------- C:\WINDOWS\system32\tsgqec.dll
2008-08-19 07:30 . 2008-04-13 19:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-08-19 07:30 . 2008-04-13 19:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-08-19 07:30 . 2008-04-13 13:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-08-19 07:28 . 2008-04-13 19:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-08-19 07:27 . 2008-04-13 19:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-08-14 06:03 . 2008-05-01 09:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-13 23:48 . 2008-04-11 14:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 14:58 --------- d-----w C:\Program Files\PestPatrol
2008-08-31 16:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-29 17:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-28 17:08 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-28 15:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-08-28 15:11 --------- d-----w C:\Program Files\AWS
2008-08-28 00:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-08-05 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 17:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2006-02-16 23:42 497 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
2006-02-16 23:42 497 ---ha-w C:\Documents and Settings\Administrator\hpothb07.dat
2006-02-16 23:42 169 ---ha-w C:\Documents and Settings\NetworkService\hpothb07.dat
2006-02-16 23:42 167 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
2006-02-16 23:42 164 ---ha-w C:\Documents and Settings\All Users\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProcDb"="C:\WINDOWS\system32\udwxyfaz.exe" [2008-08-28 90112]
"appshcfg"="C:\WINDOWS\system32\lmfilkbg.exe" [2008-08-28 90112]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"sysstrdsc"="C:\WINDOWS\system32\ibgdevuf.exe" [2008-08-28 98304]
"SmartMntCom"="C:\WINDOWS\system32\jobonsxa.exe" [2008-08-29 90112]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"InfoStrGen"="C:\WINDOWS\system32\gzmrktor.exe" [2008-08-30 86016]
"StrCfgSrv"="C:\WINDOWS\system32\nulwdaba.exe" [2008-08-31 94208]
"CmdSmart"="C:\WINDOWS\system32\bunwbkfo.exe" [2008-09-02 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]
"PPMemCheck"="c:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [2004-04-02 148480]
"PestPatrol Control Center"="c:\PROGRA~1\PESTPA~1\PPControl.exe" [2004-11-15 98304]
"CookiePatrol"="c:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [2005-01-10 73728]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-06-14 77824]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"zcCfdNRtTR"="C:\Documents and Settings\All Users\Application Data\lmzgjefs\pcrazsjm.exe" [2008-08-25 65536]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
.security [2008-08-25 0]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
.security [2008-08-25 0]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-02-27 972064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ComUtilSet"= {61D94C22-ABF2-4A48-6AAF-0274E12B8CB8} - C:\Program Files\ezhghse\ComUtilSet.dll [2008-08-25 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= C:\WINDOWS\System32\ir32_32.dll
"vidc.iv32"= C:\WINDOWS\System32\ir32_32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"C:\\Program Files\\Intuit\\QuickBooks Pro\\QBDBMgrN.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-30 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-28 76040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Go.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ewe@froglevel.net\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.att.yahoo.com/
FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 10:23:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-02 10:26:09
ComboFix-quarantined-files.txt 2008-09-02 15:25:56
ComboFix2.txt 2008-09-02 14:15:47

Pre-Run: 59,629,228,032 bytes free
Post-Run: 59,598,110,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

204 --- E O F --- 2008-08-20 11:03:06


#2 rigel

Posted 02 September 2008 - 11:30 AM

ComboFix logs should not be posted outside the HijackThis forums and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
