sagipsul and friends malware


  • This topic is locked
1 reply to this topic

#1 step one


Posted 12 January 2009 - 03:27 PM

So I would like to learn how to decipher this log so I can use it to fix issues in the future, without having to ask for help again. Can anyone show me what I need to look for in terms of suspicious files that I should get rid of, that this tool may find? Also, does anyone have any input on the re-running steps as recommended by this site:
http://discussions.virtualdr.com/showthrea...6097&page=2

Any input will help, thanks.

ComboFix 09-01-11.04 - Bryan Cho 2009-01-12 14:34:57.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.654 [GMT -5:00]
Running from: c:\download\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Bryan Cho\Application Data\SEMBLY~1
c:\windows\system32\bcsxjdlt.ini
c:\windows\system32\cxqqyl.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\eayrmprh.ini
c:\windows\system32\eyoldxey.dll
c:\windows\system32\ggiyvfmk.ini
c:\windows\system32\hrqaeh.dll
c:\windows\system32\idbiweej.dll
c:\windows\system32\uayikgqb.ini
c:\windows\system32\Ultra.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSASVC
-------\Legacy_NEW_DRV
-------\Legacy_NPF
-------\Service_MsaSvc
-------\Service_NPF
-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-11 23:18 . 2009-01-11 23:18 <DIR> d-------- c:\documents and settings\Bryan Cho\Application Data\Malwarebytes
2009-01-11 23:17 . 2009-01-11 23:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-11 23:17 . 2009-01-11 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-11 23:17 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-11 23:17 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-09 14:55 . 2009-01-09 14:55 <DIR> d-------- c:\program files\Alwil Software
2009-01-08 20:16 . 2009-01-08 20:16 306,432 --a------ c:\windows\system32\TuneUpDefragService.exe
2009-01-08 20:16 . 2007-12-20 10:41 29,440 --a------ c:\windows\system32\uxtuneup.dll
2009-01-07 12:28 . 2009-01-07 12:28 73,216 --a------ c:\windows\system32\ffkuz.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 20:00 --------- d-----w c:\documents and settings\All Users\Application Data\Idol data htm once
2009-01-09 01:24 --------- d-----w c:\program files\Easy Internet signup
2009-01-09 01:16 --------- d-----w c:\program files\TuneUp Utilities 2008
2009-01-07 03:10 --------- d-----w c:\documents and settings\Bryan Cho\Application Data\DNA
2008-12-30 16:52 --------- d-----w c:\program files\DNA
2008-12-30 16:52 --------- d-----w c:\documents and settings\Bryan Cho\Application Data\BitTorrent
2008-12-11 20:22 --------- d-----w c:\program files\Java
2008-11-16 20:12 --------- d-----w c:\program files\AIM6
2008-11-16 19:38 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-16 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-16 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-16 19:33 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-02-18 23:08 256 ----a-w c:\documents and settings\Bryan Cho\pool.bin
2006-12-27 19:23 866 ----a-w c:\documents and settings\Bryan Cho\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AWMON"="c:\progra~1\Lavasoft\AD-AWA~1\Ad-Watch.exe" [2005-05-25 517632]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-01 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-05-04 794624]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2006-04-18 405504]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-08-16 577597]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cxqqyl.dll hrqaeh.dll xwtypu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOLService"=2 (0x2)
"IDriverT"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2 Server\\bf2_w32ded.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7983:TCP"= 7983:TCP:BitComet 7983 TCP
"7983:UDP"= 7983:UDP:BitComet 7983 UDP
"14549:TCP"= 14549:TCP:BitComet 14549 TCP
"14549:UDP"= 14549:UDP:BitComet 14549 UDP

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-08-22 231424]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-16 24652]
S3 CV2K1;CommView Network Monitor;c:\windows\system32\DRIVERS\cv2k1.sys --> c:\windows\system32\DRIVERS\cv2k1.sys [?]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-01-02 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 13:31]

2009-01-12 c:\windows\Tasks\zbihyxhx.job
- c:\windows\system32\rundll32.exe [2004-08-10 07:00]
.
- - - - ORPHANS REMOVED - - - -

Notify-ssqQjIAQ - ssqQjIAQ.dll
MSConfigStartUp-Aim6 - c:\program files\Common Files\AOL\Launch\AOLLaunch.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1141267540\ee\AOLSoftware.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://gmail.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Bryan Cho\Application Data\Mozilla\Firefox\Profiles\fms9w5u1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - gmail.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: browser.blink_allowed - false
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 14:38:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?8?7?1??p???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Sprint\Mobile Broadband\SMBAUtilSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\dllhost.exe
c:\program files\HPQ\Shared\hpqwmi.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
.
**************************************************************************
.
Completion time: 2009-01-12 14:44:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 19:44:30

Pre-Run: 25,906,577,408 bytes free
Post-Run: 24,770,187,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /tutag=L2AKBA /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition (TuneUp Backup)" /noexecute=optin /fastdetect /tutag=L2AKBA-BAK /kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition (TuneUp Backup)" /noexecute=optin /fastdetect /tutag=7CL96E
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition (TuneUp Backup)" /noexecute=optin /fastdetect /tutag=7CL96E-BAK /kernel=tukernel.exe

232 --- E O F --- 2008-12-18 08:01:49
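The poster asks what to look for in a log like this. The entries an analyst checks first are the ones that change how the whole system behaves rather than individual files: the `AppInit_DLLs` value (every DLL listed there is loaded into every process that loads user32.dll), the Security Center `*DisableNotify`/`*Override` values and the `NoAutoUpdate` policy (alerts and patching switched off), a scheduled task whose command is `rundll32.exe` (which will load whatever DLL the job's arguments name), and the BITS "Possible infected sites" list. It is also worth cross-checking references against removals: here `AppInit_DLLs` names three DLLs but only two of them appear under "Other Deletions". The script below is an added example by the editor, not code from the post or from ComboFix; the sample log is constructed from lines modelled on the posted one, and the section-parsing rules are the editor's own assumptions about the log layout rather than a published format.

```python
"""Triage a ComboFix-style log for the persistence indicators checked first.
Added example: the parsing rules and SAMPLE_LOG are the editor's own
constructions, not ComboFix code or an official description of its output."""
import re
from collections import defaultdict

# Constructed sample, modelled on lines in the posted log (not a full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cxqqyl.dll
c:\windows\system32\hrqaeh.dll
c:\windows\system32\bcsxjdlt.ini

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cxqqyl.dll hrqaeh.dll xwtypu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\zbihyxhx.job
- c:\windows\system32\rundll32.exe [2004-08-10 07:00]
.
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")   # "((( Name )))" headers
KEY_RE = re.compile(r"^\[(.+)\]$")                   # [HKEY_...] registry keys
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')      # "Name"=value lines

KEY_WINDOWS = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
KEY_SECCENTER = r"hkey_local_machine\software\microsoft\security center"
KEY_AU = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate\au"


def split_sections(text):
    """Group lines under the ComboFix section header they follow."""
    sections, current = defaultdict(list), "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.startswith("----- BITS"):
            current = "BITS"
        elif line.startswith("Contents of the 'Scheduled Tasks'"):
            current = "Scheduled Tasks"
        else:
            sections[current].append(line)
    return sections


def parse_registry(lines):
    """Return {key (lowercased): {value name: raw value}} from a REGEDIT4 dump."""
    reg, key = defaultdict(dict), None
    for line in lines:
        s = line.strip()
        m = KEY_RE.match(s)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(s)
        if m and key:
            reg[key][m.group(1)] = m.group(2).strip()
    return reg


def reg_int(value):
    """Best-effort integer from a value such as 'dword:00000001', '1' or '0 (0x0)'."""
    tok = value.split()[0] if value.split() else ""
    if tok.lower().startswith("dword:"):
        return int(tok[6:], 16)
    try:
        return int(tok, 0)
    except ValueError:
        return None


def triage(text):
    """Collect the indicators worth reading first; returns a findings dict."""
    sec = split_sections(text)
    reg = parse_registry(sec.get("Reg Loading Points", []))
    deleted = {l.strip().lower().rsplit("\\", 1)[-1]
               for l in sec.get("Other Deletions", []) if l.strip().lower().startswith("c:\\")}
    appinit = reg.get(KEY_WINDOWS, {}).get("AppInit_DLLs", "").split()
    tasks, job = [], None
    for line in sec.get("Scheduled Tasks", []):
        s = line.strip()
        if s.lower().endswith(".job"):
            job = s.split()[-1].rsplit("\\", 1)[-1]
        elif s.startswith("- ") and job:
            tasks.append((job, s[2:].split(" [")[0]))
            job = None
    return {
        "appinit_dlls": appinit,
        # DLLs still referenced from AppInit_DLLs but not in the removal list
        "appinit_not_deleted": [d for d in appinit if d.lower() not in deleted],
        "security_center_overrides": sorted(
            n for n, v in reg.get(KEY_SECCENTER, {}).items() if reg_int(v) == 1),
        "auto_update_disabled": reg_int(reg.get(KEY_AU, {}).get("NoAutoUpdate", "")) == 1,
        "bits_sites": [l.strip() for l in sec.get("BITS", []) if l.strip().startswith("hxxp")],
        "rundll32_tasks": [j for j, cmd in tasks if cmd.lower().endswith("rundll32.exe")],
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the constructed sample it reports `xwtypu.dll` as referenced by `AppInit_DLLs` but absent from the removals, the three Security Center overrides, the disabled auto-update policy, the BITS site and the `zbihyxhx.job` task that launches `rundll32.exe`. None of these findings proves a file is malicious on its own; they are the places to look before deciding whether a file with a random-looking name in `system32` is worth investigating.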

#2 Queen-Evie

Posted 12 January 2009 - 03:48 PM

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained in the use of the program. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff

Combofix experts go through an extensive training program to learn how to interpret the logs. It isn't something you can learn in a day or from reading a post or two concerning the interpretation.



