Combofix - What's my next step?


This topic is locked.
1 reply to this topic

#1 LukeB


Posted 09 February 2009 - 06:07 AM

Hello, I feel very fortunate to have found this site. I've got a packed.generic.200 problem and I have already run ComboFix on my machine. The log entry is as follows:

ComboFix 09-02-08.01 - Lamo 2009-02-09 3:42:05.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3070.1968 [GMT -6:00]
Running from: c:\users\Lamo\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\drivers\gaopdxtuuhwwar.sys
c:\windows\system32\gaopdxlpbsonpv.dll
D:\Autorun.inf
E:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

2009-02-09 03:22 . 2009-02-09 03:22 <DIR> d-------- c:\users\Lamo\AppData\Roaming\Malwarebytes
2009-02-09 03:22 . 2009-02-09 03:22 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-09 03:22 . 2009-02-09 03:22 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-09 03:22 . 2009-02-09 03:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-09 03:22 . 2009-01-14 16:11 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-09 03:22 . 2009-01-14 16:11 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-08 23:42 . 2009-02-08 23:42 <DIR> d-------- c:\users\Lamo\.housecall6.6
2009-02-08 23:28 . 2009-02-08 23:28 <DIR> d-------- c:\windows\Sun
2009-02-08 23:05 . 2009-02-08 23:05 <DIR> d-------- c:\program files\Trend Micro
2009-02-02 03:39 . 2009-02-08 13:31 <DIR> d-------- C:\BasWin08
2009-02-02 03:33 . 2009-02-02 03:33 <DIR> d-------- c:\program files\Common Files\supportsoft
2009-02-02 03:32 . 2007-07-30 14:44 3,518,464 --a------ c:\windows\System32\cdintf300.dll
2009-02-02 03:32 . 2007-06-28 14:09 1,843,200 --a------ c:\windows\System32\acXMLParser.dll
2009-02-02 03:28 . 2009-02-02 03:28 <DIR> d-------- c:\program files\Intuit
2009-02-02 02:36 . 2009-02-02 02:36 <DIR> d-------- c:\program files\Microsoft
2009-02-02 02:31 . 2008-06-19 19:18 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-02 02:31 . 2008-06-19 19:17 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-02 02:31 . 2008-06-19 19:18 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-02 02:31 . 2008-06-19 19:18 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-02 02:31 . 2008-06-19 19:17 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-02 02:31 . 2008-06-19 19:18 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-02 02:31 . 2008-06-19 19:17 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-02 02:31 . 2008-06-19 19:17 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-02 02:29 . 2009-02-02 02:31 46,530,560 --a------ c:\windows\ocsetup_install_NetFx3.etl
2009-02-02 02:29 . 2009-02-02 02:31 196,608 --a------ c:\windows\ocsetup_cbs_install_NetFx3.perf
2009-02-02 02:29 . 2009-02-02 02:31 65,536 --a------ c:\windows\ocsetup_cbs_install_NetFx3.dpx
2009-02-02 02:24 . 2008-07-27 12:00 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-02 02:24 . 2008-07-27 12:00 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-02 02:24 . 2008-07-27 12:00 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-02 02:24 . 2008-07-27 12:00 83,968 --a------ c:\windows\System32\mscories.dll
2009-02-02 02:24 . 2008-07-27 12:00 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-01 23:52 . 2009-02-02 06:08 <DIR> d-------- c:\users\All Users\SQL Anywhere 10
2009-02-01 23:52 . 2009-02-01 23:52 <DIR> d-------- c:\users\All Users\COMMON FILES
2009-02-01 23:52 . 2009-02-02 06:08 <DIR> d-------- c:\programdata\SQL Anywhere 10
2009-02-01 23:52 . 2009-02-01 23:52 <DIR> d-------- c:\programdata\COMMON FILES
2009-02-01 23:52 . 2009-02-02 03:32 95 --a------ c:\windows\QBChanUtil_Trigger.ini
2009-01-28 02:20 . 2009-01-28 02:20 <DIR> d-------- c:\program files\SystemRequirementsLab
2009-01-13 17:32 . 2008-12-15 21:14 290,304 --a------ c:\windows\System32\drivers\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 01:48 --------- d-----w c:\programdata\WinZip
2009-02-08 22:24 --------- d-----w c:\programdata\Google Updater
2009-02-08 05:22 --------- d-----w c:\programdata\Symantec
2009-02-05 10:21 --------- d-----w c:\programdata\Intuit
2009-02-02 09:43 --------- d-----w c:\program files\Common Files\AnswerWorks 4.0
2009-02-02 09:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-02 09:40 --------- d-----w c:\program files\Common Files\Intuit
2009-02-02 08:07 --------- d-----w c:\programdata\NVIDIA
2009-02-02 07:12 174 --sha-w c:\program files\desktop.ini
2009-02-02 07:04 --------- d-----w c:\program files\Windows Sidebar
2009-02-02 07:04 --------- d-----w c:\program files\Windows Photo Gallery
2009-02-02 07:04 --------- d-----w c:\program files\Windows Mail
2009-02-02 07:04 --------- d-----w c:\program files\Windows Journal
2009-02-02 07:04 --------- d-----w c:\program files\Windows Defender
2009-02-02 07:04 --------- d-----w c:\program files\Windows Collaboration
2009-02-02 07:04 --------- d-----w c:\program files\Windows Calendar
2009-01-28 22:07 79,872 ----a-w c:\windows\System32\axaltocm.dll
2009-01-28 22:07 101,376 ----a-w c:\windows\System32\ifxcardm.dll
2009-01-09 06:20 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-09 06:20 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-09 06:20 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-09 06:20 --------- d-----w c:\program files\Symantec
2009-01-06 02:26 --------- d-----w c:\programdata\WindowsSearch
2009-01-02 01:01 --------- d-----w c:\program files\Apple Software Update
2008-12-31 03:21 --------- d-----w c:\users\Lamo\AppData\Roaming\Hasbro
2008-12-31 03:21 --------- d-----w c:\program files\Trivial Pursuit Choice
2008-12-31 03:01 1,426 ----a-w c:\users\Lamo\AppData\Roaming\wklnhst.dat
2008-12-12 09:08 --------- d-----w c:\programdata\Microsoft Help
2007-08-24 13:52 300,400 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-24 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-11-26 1206600]
"ProTaskScheduler"="c:\prowin07\32bit\tasksch.exe" [2008-03-10 393216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2007-04-07 54936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-29 278528]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-02 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-08-22 13535776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-08-22 92704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 c:\windows\RtHDVCpl.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-09-11 984352]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-05-07 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1AF0C643-52C5-4AFD-9A0E-C372A869C9D3}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{52D9830E-4EA8-4923-A9DA-4FBFB957E73D}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{32309D6F-37A6-4894-9184-2A2BB65A1AC7}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{F15D811C-BBF5-4F1A-8406-BFFB34757AE2}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BB588A75-248E-4231-884E-ED327DB03632}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{E073820C-F42B-454F-880A-45EB992DE92B}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{6E8CE4C0-7EF4-4BE8-9263-D00418994111}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C25AF125-E662-45D6-A195-FB00F5A96241}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{849A85DE-AE7B-4627-90A8-4120C19EECEE}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{5288697B-9B8E-46F3-9880-FA6F02D787EC}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F93AB25A-6F9F-4589-B83C-16D7D512BD94}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{A4D1B040-BC72-41B1-9567-D4874D01C27C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{6A5511CB-1E2F-4C95-AB4F-F9AD4D8AD74C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20090129.001\IDSvix86.sys [2009-01-29 270384]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-03-24 149352]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [2008-04-01 598856]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\System32\drivers\symndisv.sys [2008-06-13 41008]
R3 xcbdaNtsc;ViXS Tuner Card (NTSC);c:\windows\System32\drivers\xcbda.sys [2007-01-01 156928]
S3 COH_Mon;COH_Mon;c:\windows\System32\drivers\COH_Mon.sys [2007-05-29 23888]
S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [2007-10-10 42112]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\shell\AutoRun\command - M:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3567406d-08dc-11dd-a86b-001e8c98aab4}]
\shell\AutoRun\command - M:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7717582e-fad4-11dc-a0de-806e6f6e6963}]
\shell\AutoRun\command - wd_windows_tools\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-03 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Lamo.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-26 05:19]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.andyroddick.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
FF - ProfilePath - c:\users\Lamo\AppData\Roaming\Mozilla\Firefox\Profiles\dcxai3ng.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
1 file(s) moved.
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 03:50:35
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ProTaskScheduler = c:\prowin07\32bit\tasksch.exe??t0????n+H0????????#?s????0???????5??s????????<????????n+H????0????}+H????k??????????????sl????????&?NL?????????C?????M?@??!?NL???L???8?????C??????kA??????!?N????L???,%?N?????%C?????3K@?(?C???+?.???!?????+?(?C??L+??????????L+?(?C

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2009-02-09 3:52:22
ComboFix-quarantined-files.txt 2009-02-09 09:52:19

Pre-Run: 264,882,188,288 bytes free
Post-Run: 264,849,297,408 bytes free

218 --- E O F --- 2009-02-03 06:04:13

I would greatly appreciate any help offered in determining what I need to do next.
Thanks,

LukeB (I just realized I'm in the wrong operating system section, I'll find the Vista (32bit) section and repost there)

This post has been edited by LukeB: Today, 05:00 AM
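For readers triaging a log like the one above, the entries worth a second look are the autorun.inf files removed from every drive root (C:, D:, E:, G:), the driver, DLL and service sharing the random-looking prefix gaopdx, the Security Center monitoring and Windows Firewall profile settings switched off, and the AutoRun handlers recorded under MountPoints2. The script below is an added example, not code from the post or from ComboFix: it runs those checks over a constructed excerpt of the log (SAMPLE_LOG, trimmed to the relevant lines). The section parsing, the regular expressions and the six-character prefix heuristic are my own assumptions about the log format, not documented ComboFix behaviour.

```python
import re
from collections import Counter

# Constructed excerpt of the ComboFix-style log quoted in the post above,
# trimmed to the lines the checks below look at (not a complete log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\drivers\gaopdxtuuhwwar.sys
c:\windows\system32\gaopdxlpbsonpv.dll
D:\Autorun.inf
E:\Autorun.inf
G:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - wd_windows_tools\setup.exe
"""

# Assumed layout: '(((( Name ))))' banners, '[key]' headers, '"name"=value' lines.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
DRIVE_ROOT_AUTORUN_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)
AUTORUN_CMD_RE = re.compile(r"^\\shell\\AutoRun\\command\s*-\s*(.+)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"^-+\\Service_(.+)$")


def split_sections(text):
    """Map each banner name to the non-empty lines that follow it."""
    sections = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def find_indicators(text):
    """Return (category, detail) tuples for patterns a responder would flag."""
    sections = split_sections(text)
    findings = []

    # 1. autorun.inf at a drive root: the removable-media spreading pattern.
    deleted = sections.get("Other Deletions", [])
    for path in deleted:
        if DRIVE_ROOT_AUTORUN_RE.match(path):
            findings.append(("autorun", f"autorun.inf removed from {path[:2].upper()}"))

    # 2. Removed system32 files and services sharing a name stem: one dropper
    #    commonly installs a driver, a DLL and a service with the same prefix.
    stems = []
    for path in deleted:
        if "\\system32\\" in path.lower():
            stems.append(path.rsplit("\\", 1)[-1].split(".")[0].lower())
    for line in sections.get("Drivers/Services", []):
        m = SERVICE_RE.match(line)
        if m:
            stems.append(m.group(1).split(".")[0].lower())
    prefixes = Counter(s[:6] for s in stems if len(s) >= 6)  # 6 chars: assumed threshold
    for prefix, n in prefixes.items():
        if n >= 2:
            findings.append(("file-cluster", f"{n} removed items share prefix '{prefix}'"))

    # 3. Registry: Security Center monitoring off, firewall profiles off,
    #    AutoRun command handlers registered for mount points.
    key_raw, key = "", ""
    for line in sections.get("Reg Loading Points", []):
        m = KEY_RE.match(line)
        if m:
            key_raw = m.group(1)
            key = key_raw.lower()
            continue
        m = AUTORUN_CMD_RE.match(line)
        if m and "mountpoints2" in key:
            mount = key_raw.rsplit("\\", 1)[-1]
            findings.append(("mountpoint-autorun", f"{mount} -> {m.group(1)}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if name == "DisableMonitoring" and "security center" in key and value.endswith("1"):
            findings.append(("security-center", f"monitoring disabled under {key_raw}"))
        elif name == "EnableFirewall" and "firewallpolicy" in key and value.startswith("0"):
            findings.append(("firewall-off", key_raw.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for category, detail in find_indicators(SAMPLE_LOG):
        print(f"{category:20} {detail}")
```

Run as-is it prints nine findings for the excerpt: four drive-root autorun.inf removals, one three-member gaopdx cluster, one Security Center entry, two disabled firewall profiles and one MountPoints2 AutoRun handler. None of these proves infection on its own; the point of the check is to turn a long log into the short list a helper would ask about first.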
#2 E-Mu


Posted 09 February 2009 - 07:17 AM

ComboFix logs should not be posted outside the HijackThis forums.

It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system, leaving your computer as an expensive paperweight.

Please create a new topic explaining the nature of your problem in the Am I Infected? What Do I Do? forum. Explain what is happening with your computer. Also note any tools you have used and their respective results. From here you will be taken through the best course of action.


NB: I have requested that a Moderator close this topic.

Edited by Emu1616, 09 February 2009 - 07:20 AM.

~ E-Mu ~

"Emu, You Moo, We All Moo for Emu!" <-- Thanks to Animal

"If at first you don't succeed; call it version 1.0"
