
Combofix Post....



#1 joe25

  • Members
  • 4 posts

Posted 22 September 2008 - 12:38 PM

Sorry if I am not doing this right, but I need help ASAP. It seems the virus took all the printers away, and when I ran ComboFix it restored them. This is the output txt. Now it is asking me if I want to create a new file because it can't find the C:\Docume~1\Ellie\Locals~1\Temp\log.txt file.
Please help.....




ComboFix 08-09-20.05 - Administrator 2008-09-22 12:51:10.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1216 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.TRAINING\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Install.txt
C:\WINDOWS\system32\adubes.dll
C:\WINDOWS\system32\afisicx.exe
C:\WINDOWS\system32\comsa32.sys
C:\WINDOWS\system32\inf\svchoct.exe
C:\WINDOWS\system32\mabidwe.exe
C:\WINDOWS\system32\mywfhit.ini
C:\WINDOWS\system32\mywfhit.ini.tmp
C:\WINDOWS\system32\noytcyr.exe
C:\WINDOWS\system32\roytctm.exe
C:\WINDOWS\system32\rtl60.bpl
C:\WINDOWS\system32\tdydowkc.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\wsldoekd.exe
C:\WINDOWS\tawisys.ini
D:\Autorun.inf

C:\WINDOWS\system32\spoolsv.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_ROYTCTM
-------\Legacy_SEIUCTOL
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_noytcyr
-------\Service_roytctm
-------\Service_seiuctol
-------\Service_tdydowkc
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2008-08-22 to 2008-09-22 )))))))))))))))))))))))))))))))
.

2008-09-22 11:13 . 2008-09-22 11:18 4,932 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-19 11:32 . 2008-09-19 11:32 <DIR> d-------- C:\spoolerlogs
2008-09-19 11:05 . 2008-09-19 11:05 <DIR> d-------- C:\Documents and Settings\Ellie\Application Data\Viewpoint
2008-09-19 10:57 . 2008-09-22 12:51 <DIR> d-------- C:\WINDOWS\system32\inf
2008-09-01 09:22 . 2008-09-14 19:19 8,628 --ah----- C:\WINDOWS\system32\CMMGR32.GID

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-22 16:07 --------- d-----w C:\Documents and Settings\Ellie\Application Data\U3
2008-09-19 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUIIMAGE
2008-09-10 12:14 --------- d-----w C:\Documents and Settings\Ellie\Application Data\WeatherBug
2008-08-18 17:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-18 17:01 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 16:59 --------- d-----w C:\Documents and Settings\Ellie\Application Data\Malwarebytes
2008-08-18 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 16:11 --------- d-----w C:\Program Files\Java
2008-08-17 19:01 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 19:01 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-08-08 14:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-08-08 14:25 --------- d-----w C:\Program Files\Common Files\scansoft shared
2008-08-01 16:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-01 16:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-08-01 14:57 --------- d-----w C:\Program Files\RealVNC
2008-07-31 22:48 --------- d-----w C:\Program Files\AWS
2008-07-31 22:47 --------- d-----w C:\Program Files\Kaseya
2008-07-31 22:45 253,116 ----a-w C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_9328.exe
2008-07-31 22:45 14,290 ----a-w C:\Program Files\settings.dat
2008-07-31 22:45 --------- d-----w C:\Program Files\PDFCreator Toolbar
2008-07-31 22:45 --------- d-----w C:\Program Files\PDFCreator
2008-07-31 18:34 --------- d-----w C:\Program Files\NetWaiting
2008-07-31 18:33 --------- d-----w C:\Program Files\DellSupport
2008-07-31 18:24 --------- d-----w C:\Documents and Settings\Ellie\Application Data\webex
2008-07-31 18:24 --------- d-----w C:\Documents and Settings\Ellie\Application Data\ManagerPlus
2008-07-31 18:24 --------- d-----w C:\Documents and Settings\Ellie\Application Data\Gtek
2008-07-31 18:24 --------- d-----w C:\Documents and Settings\Ellie\Application Data\Corel
2008-07-31 18:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-07-31 18:15 --------- d-----w C:\Program Files\WordPerfect Office 12
2008-07-31 18:15 --------- d-----w C:\Program Files\WiredRed
2008-07-31 18:14 --------- d-----w C:\Program Files\WebEx
2008-07-31 18:14 --------- d-----w C:\Program Files\Scansoft
2008-07-31 18:14 --------- d-----w C:\Program Files\Roxio
2008-07-31 18:14 --------- d-----w C:\Program Files\QuickTime
2008-07-31 18:14 --------- d-----w C:\Program Files\MyWebSearchWB
2008-07-31 18:14 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-31 18:14 --------- d-----w C:\Program Files\Microsoft SQL Server
2008-07-31 18:14 --------- d-----w C:\Program Files\Microsoft Plus! Photo Story 2 LE
2008-07-31 18:14 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-31 18:14 --------- d-----w C:\Program Files\ManagerPlus Pro
2008-07-31 18:13 --------- d-----w C:\Program Files\DellConnect
2008-07-31 18:13 --------- d-----w C:\Program Files\Dell Support Center
2008-07-31 18:13 --------- d-----w C:\Program Files\Dell
2008-07-31 18:13 --------- d-----w C:\Program Files\Common Files\supportsoft
2008-07-31 18:13 --------- d-----w C:\Program Files\Citrix
2008-07-31 18:13 --------- d-----w C:\Program Files\Canon
2008-07-31 18:12 --------- d-----w C:\Program Files\Brother
2008-07-31 18:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-07-31 18:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-31 01:49 --------- d-----w C:\Program Files\EPSON
2008-07-31 01:47 --------- d-----w C:\Documents and Settings\Ellie\Application Data\EPSON
2008-07-31 01:41 --------- d-----w C:\Documents and Settings\Ellie\Application Data\Leadertech
2008-07-31 01:33 --------- d-----w C:\Program Files\CCleaner
2008-07-31 01:28 --------- d-----w C:\Program Files\Napster
2008-07-31 01:28 --------- d-----w C:\Program Files\Multiple Choice Quiz Maker
2008-07-31 01:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2005-06-28 09:58 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.

------- Sigcheck -------

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 15:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 20:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
2008-04-13 20:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-06 68856]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 1343488]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-03-26 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-03-26 499712]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-07-10 114688]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Reminder"="C:\WINDOWS\Creator\Remind_XP.exe" [2005-03-14 966656]
"Kaseya Agent Service Helper"="C:\Program Files\Kaseya\Agent\KaUsrTsk.exe" [2008-03-07 229376]
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-10 45056]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-05-21 98304]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 45108]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 36864]
"PP8 SE Reminder"="C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" [2002-10-28 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 1568768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2005-07-29 09:26 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll schannel.dll digest.dll msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2004-06-03 04:50 204800 C:\Program Files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-21 15:51 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKist]
--a------ 2004-05-26 20:57 139264 C:\Program Files\Digital Media Reader\shwicon2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a--c--- 2004-06-03 04:51 172032 C:\Program Files\Microsoft IntelliType Pro\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SymWSC"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"C:\\Program Files\\Gateway\\Gateway Download Assistant\\Downloader.exe"=
"C:\\Program Files\\Gateway\\HPA\\gwmenu.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R2 KaseyaAgent;Kaseya Agent;C:\Program Files\Kaseya\Agent\AgentMon.exe [2008-03-07 598016]
R3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 2944]
R3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2003-03-14 61952]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys [2001-08-17 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys [2001-08-17 10368]
R3 KAPFA;KAPFA;C:\WINDOWS\system32\drivers\KAPFA.SYS [2008-03-07 20920]
S2 solewxte;solewxte Service;C:\WINDOWS\system32\solewxte.exe [2004-08-04 45056]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c710b0f1-5e99-11dd-aa19-00032512bef2}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - KAPFA
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKLM-Explorer_Run-minyust - C:\WINDOWS\system32\inf\svchoct.exe
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O15 -: Trusted Zone: *.encorefbo.com
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-22 12:58:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\PROGRA~1\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\BrmfRsmg.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzstc10.exe
.
**************************************************************************
.
Completion time: 2008-09-22 13:02:51 - machine was rebooted [Ellie]
ComboFix-quarantined-files.txt 2008-09-22 17:02:46

Pre-Run: 54,895,681,536 bytes free
Post-Run: 53,312,671,744 bytes free

253 --- E O F --- 2008-09-19 12:01:14
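An added example, not part of joe25's post and not ComboFix's own code: a small Python script that reads the Sigcheck section and the Security Center key out of a ComboFix log like the one above. Sigcheck lists every copy of a protected system file with its MD5, so grouping the copies by hash shows whether the live copy in system32 is byte-identical to any cached copy (here the SP2QFE hotfix copy, the $NtUninstall backup and the SoftwareDistribution download). The script also pulls out the Security Center override values, which in this log are both set to 1 and silence the antivirus warnings. The sample input is the four Sigcheck lines and the Security Center key copied from the log above; the function names, and the three Security Center value names that do not appear in this log, are my own assumptions.

```python
import re
from collections import defaultdict

# Sample input: the Sigcheck section and Security Center key copied from the
# ComboFix log posted above, embedded here so the script runs offline.
SAMPLE_LOG = r"""
------- Sigcheck -------

2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 15:00 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-13 20:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\spoolsv.exe
2008-04-13 20:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"""

# One Sigcheck line: date time, size, 32-hex MD5, full path.
SIGCHECK_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+([0-9a-fA-F]{32})\s+(\S.*)$"
)

# XP SP2 Security Center values that hide or override its warnings. Only the
# first two appear in this log; the other three are assumed from the same key.
SC_OVERRIDE_KEYS = (
    "AntiVirusDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride", "UpdatesDisableNotify",
)
SC_KEY = "[hkey_local_machine\\software\\microsoft\\security center]"


def parse_sigcheck(log_text):
    """Return {basename: [(date, size, md5, path), ...]} for every Sigcheck line."""
    by_name = defaultdict(list)
    for line in log_text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        date, size, md5, path = m.groups()
        basename = path.rsplit("\\", 1)[-1].lower()
        by_name[basename].append((date, int(size), md5.lower(), path))
    return dict(by_name)


def live_copy_status(entries):
    """Compare the copy whose parent directory is system32 with every other copy."""
    live = [e for e in entries
            if e[3].lower().rsplit("\\", 1)[0].endswith("\\system32")]
    if not live:
        return {"live": None, "md5": None, "matches": [],
                "verdict": "no copy under system32 in Sigcheck output"}
    live = live[0]
    matches = [e[3] for e in entries if e is not live and e[2] == live[2]]
    verdict = ("live copy hash matches a cached copy" if matches else
               "live copy hash matches no cached copy; compare against a known-good file")
    return {"live": live[3], "md5": live[2], "matches": matches, "verdict": verdict}


def security_center_overrides(log_text):
    """Return the Security Center override values that are set to a non-zero dword."""
    in_key, found = False, {}
    for line in log_text.splitlines():
        s = line.strip()
        if s.startswith("["):            # a new registry key starts here
            in_key = s.lower() == SC_KEY
            continue
        if not in_key:
            continue
        m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', s)
        if m and m.group(1) in SC_OVERRIDE_KEYS:
            found[m.group(1)] = int(m.group(2), 16)
    return {k: v for k, v in found.items() if v != 0}


if __name__ == "__main__":
    for name, copies in parse_sigcheck(SAMPLE_LOG).items():
        status = live_copy_status(copies)
        print(f"{name}: {status['verdict']}")
        for path in status["matches"]:
            print(f"  same MD5 as {path}")
    for key, value in security_center_overrides(SAMPLE_LOG).items():
        print(f"Security Center {key} = {value} (warnings suppressed)")
```

On this log the live C:\WINDOWS\system32\spoolsv.exe carries the same MD5 as the copy in SoftwareDistribution\Download, and differs from the two older hotfix copies. A match only says the copies are identical to each other, not that either is clean; that still needs a hash from a known-good source at the same patch level before any cached copy is used to restore the file.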

#2 dc3

    Bleeping Treehugger

  • Members
  • 29,991 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.

Posted 22 September 2008 - 12:41 PM

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

I will have a moderator close this topic.

dc3
