CF Logs as per request by email by cust support


7 replies to this topic

#1 Isabelle501

Isabelle501

  • Members
  • 4 posts
  • Gender:Female
  • Location:San Antonio, Texas

Posted 22 March 2009 - 02:29 PM

I was requested via email, by customer support at Bleeping Computers.com to submit my CF log. There are two, because the first time, the Windows Recovery Console would not install, but instructions said to let the log finish, so I did. The second log is different, obviously with the installation of the Windows Recovery Console, the results changed. Both completed, as expected; however, the first run actually 'rebooted' the system, and when that happened, Kaspersky automatically turned on, and I noticed several files or processes were blocked. (Files blocked by Kaspersky were pv.cfexe and fi.cfexe - have no idea what they are, but thought I'd let you know.)

The second log installed the Windows Recovery Console and did not 'reboot'; therefore, Kaspersky was turned off the entire time, which probably accounts for some of the discrepancy between the two logs, but since 'YOU GUYS' are the gurus, I thought it best to submit both, with a detailed explanation as to why there are two logs and what happened.

Thanks,

Attached Files




#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 22 March 2009 - 08:55 PM

Thanks. I will review these.

#3 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 23 March 2009 - 07:56 AM

Can you zip up this entire folder:

C:\Qoobox\Quarantine\c\documents and settings\Dakota\Cookies\

and submit it here:

http://www.bleepingcomputer.com/submit-malware.php?channel=3

#4 Isabelle501

Isabelle501
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Female
  • Location:San Antonio, Texas

Posted 23 March 2009 - 09:09 PM

I went to the link provided, but apparently that file you requested (cookie file only) is too large to upload. I got the error:

Error 2: The filesize of your file exceeds our allowed maximum of 3MB.

The file zipped is 6700 KB, and 9 MB unzipped. (I can send it in 3 zipped files, if you like...)


What to do? (thanks...)

Edited by Isabelle501, 23 March 2009 - 09:10 PM.


#5 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 24 March 2009 - 07:36 AM

If you can do that, that would be fine. You really only need to split it in half. The max filesize is 5 MB.

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 27 March 2009 - 01:42 PM

Not really seeing anything else here. Do this:

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

File::
c:\windows\SwSys2.bmp
c:\windows\SwSys1.bmp

Dirlook::
C:\83bfa41b431a277061554191


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#7 Isabelle501

Isabelle501
  • Topic Starter

  • Members
  • 4 posts
  • Gender:Female
  • Location:San Antonio, Texas

Posted 13 May 2009 - 12:36 PM

ComboFix 09-05-12.06 - Dakota 05/13/2009 12:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.269 [GMT -5:00]
Running from: c:\documents and settings\Dakota\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dakota\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*

FILE ::
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp

.
((((((((((((((((((((((((( Files Created from 2009-04-13 to 2009-05-13 )))))))))))))))))))))))))))))))
.

2009-04-28 14:48 . 2009-04-28 14:48 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-28 14:17 . 2009-05-01 00:12 -------- d-----w c:\program files\NOS
2009-04-28 03:54 . 2009-04-30 03:20 -------- d-----w c:\documents and settings\All Users\Application Data\ThumbnailCache4R
2009-04-25 02:22 . 2009-05-01 15:40 -------- d-sh--w c:\windows\Installer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-09 05:33 . 2009-01-11 00:06 868384 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-09 05:33 . 2009-01-11 00:06 4048 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-09 05:33 . 2009-01-11 00:06 3472928 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-09 05:33 . 2009-01-11 00:06 28212 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-28 19:20 . 2009-04-28 19:20 11909972 ----a-w c:\documents and settings\All Users\SPL116.tmp
2009-04-28 18:03 . 2009-03-24 04:55 -------- d-----w c:\program files\Panda Security
2009-04-28 03:51 . 2009-02-19 18:40 -------- d-----w c:\program files\Abbyy FineReader 6.0 Sprint
2009-04-25 16:51 . 2009-04-25 16:51 1042012 ----a-w c:\documents and settings\All Users\SPL5.tmp
2009-04-25 16:45 . 2009-04-25 16:45 1042012 ----a-w c:\documents and settings\All Users\SPL61.tmp
2009-04-25 02:18 . 2009-04-25 02:18 30732 ----a-w c:\documents and settings\All Users\SPL4.tmp
2009-04-25 02:07 . 2009-04-25 02:07 30732 ----a-w c:\documents and settings\All Users\SPL3D.tmp
2009-04-24 22:53 . 2009-04-24 22:52 36690373 ----a-w c:\documents and settings\All Users\SPL4F.tmp
2009-04-24 22:52 . 2009-04-24 22:51 66752245 ----a-w c:\documents and settings\All Users\SPL4E.tmp
2009-04-23 15:33 . 2009-04-23 15:33 308462 ----a-w c:\documents and settings\All Users\SPL123.tmp
2009-04-21 18:13 . 2009-04-21 18:13 1329900 ----a-w c:\documents and settings\All Users\SPL203.tmp
2009-03-21 21:24 . 2009-03-04 01:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-21 21:24 . 2009-01-14 15:25 -------- d-----w c:\program files\Canon
2009-03-11 15:27 . 2009-01-17 02:57 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 01:06 . 2008-01-30 00:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-03-08 01:06 . 2009-01-11 00:06 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-03-08 01:06 . 2009-01-11 00:06 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-03-01 22:48 . 2009-01-11 01:46 64368 ----a-w c:\documents and settings\Dakota\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-25 04:07 . 2009-02-25 04:07 509468 ----a-w c:\documents and settings\All Users\SPL67.tmp
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\83bfa41b431a277061554191 ----

2009-02-28 05:59 . 2008-06-19 05:33 72 -c--a-w c:\83bfa41b431a277061554191\i386\msxpsinc.ppd
2009-02-28 05:59 . 2008-06-19 05:33 2204 -c--a-w c:\83bfa41b431a277061554191\i386\msxpsdrv.inf
2009-02-28 05:59 . 2008-06-19 17:03 73 -c--a-w c:\83bfa41b431a277061554191\i386\msxpsinc.gpd
2009-02-28 05:59 . 2008-06-19 05:33 72 -c--a-w c:\83bfa41b431a277061554191\amd64\msxpsinc.ppd
2009-02-28 05:59 . 2008-06-19 05:33 2204 -c--a-w c:\83bfa41b431a277061554191\amd64\msxpsdrv.inf
2009-02-28 05:59 . 2008-07-06 12:06 10929 -c--a-w c:\83bfa41b431a277061554191\amd64\msxpsdrv.cat
2009-02-28 05:59 . 2008-07-06 12:06 10929 -c--a-w c:\83bfa41b431a277061554191\i386\msxpsdrv.cat
2009-02-28 05:59 . 2008-07-06 12:06 147456 -c--a-w c:\83bfa41b431a277061554191\amd64\filterpipelineprintproc.dll
2009-02-28 05:59 . 2008-07-06 12:06 89088 -c--a-w c:\83bfa41b431a277061554191\i386\filterpipelineprintproc.dll
2009-02-28 05:59 . 2008-07-06 12:06 765440 -c--a-w c:\83bfa41b431a277061554191\i386\mxdwdrv.dll
2009-02-28 05:59 . 2008-07-06 12:06 1676288 -c--a-w c:\83bfa41b431a277061554191\i386\xpssvcs.dll
2009-02-28 05:59 . 2008-07-06 12:06 748032 -c--a-w c:\83bfa41b431a277061554191\amd64\mxdwdrv.dll
2008-07-06 23:36 . 2008-07-06 23:36 2936832 -c--a-w c:\83bfa41b431a277061554191\amd64\xpssvcs.dll
2008-06-19 17:03 . 2008-06-19 17:03 73 -c--a-w c:\83bfa41b431a277061554191\amd64\msxpsinc.gpd


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-03-08 206088]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"lxdkmon.exe"="c:\program files\Lexmark 5300 Series\lxdkmon.exe" [2007-06-22 455344]
"lxdkamon"="c:\program files\Lexmark 5300 Series\lxdkamon.exe" [2007-06-01 20480]
"Lexmark 5300 Series Fax Server"="c:\program files\Lexmark 5300 Series\fm3032.exe" [2007-06-22 307888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-11 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\scan\\scanman6.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxdkcoms.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkamon.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\FRun.exe"=
"c:\\WINDOWS\\system32\\lxdkcfg.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\lxdkmon.exe"=
"c:\\Program Files\\Lexmark 5300 Series\\LXDKFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdktime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdkwbgw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 7:29 PM 33808]
R2 lxdk_device;lxdk_device;c:\windows\system32\lxdkcoms.exe -service --> c:\windows\system32\lxdkcoms.exe -service [?]
R2 lxdkCATSCustConnectService;lxdkCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdkserv.exe [2/19/2009 1:49 PM 99248]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 8:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 7:06 PM 24592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{982d58f1-f9d8-11dd-9e00-001143c29721}]
\Shell\AutoRun\command - D:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9948e4f2-f7b7-11dd-8d31-001143c29721}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Dakota\Application Data\Mozilla\Firefox\Profiles\g7mis7yu.default\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 12:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-05-13 12:21
ComboFix-quarantined-files.txt 2009-05-13 17:21

Pre-Run: 4,272,386,048 bytes free
Post-Run: 4,277,944,320 bytes free

141 --- E O F --- 2009-02-01 06:54
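An added triage helper, not from the thread and not part of ComboFix, that parses the Find3M-style entries in the log above and flags the two things a reviewer usually checks first: files carrying both the hidden and system attributes, and multi-megabyte .tmp files under All Users. The attribute-letter meanings (d directory, s system, h hidden) are an assumption read off the visible flags, and the sample entries are copied from the log above.

```python
import re
# One ComboFix "Files Created" / "Find3M" entry, as in the log above:
#   <modified> . <created> <size or dashes> <attrs> <path>
ENTRY_RE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)

def parse_entry(line):
    """Parse one entry into a dict; return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")  # assumed: d = directory, s = system, h = hidden
    return {
        "mtime": m.group("mtime"),
        "ctime": m.group("ctime"),
        "size": None if m.group("size").startswith("-") else int(m.group("size")),
        "is_dir": "d" in attrs,
        "hidden": "h" in attrs,
        "system": "s" in attrs,
        "path": m.group("path").lower(),
    }

def triage(lines):
    """Return (path, reason) pairs for entries a reviewer should look at first."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        if e is None or e["is_dir"]:
            continue
        reasons = []
        if e["hidden"] and e["system"]:
            reasons.append("hidden+system file")
        if e["path"].endswith(".tmp") and e["size"] and e["size"] > 1_000_000:
            reasons.append("large .tmp file")
        if reasons:
            findings.append((e["path"], "; ".join(reasons)))
    return findings

# Sample entries copied from the Find3M section of the log above.
SAMPLE_LOG = """
2009-05-09 05:33 . 2009-01-11 00:06 868384 --sha-w c:\\windows\\system32\\drivers\\fidbox2.dat
2009-04-28 19:20 . 2009-04-28 19:20 11909972 ----a-w c:\\documents and settings\\All Users\\SPL116.tmp
2009-04-28 18:03 . 2009-03-24 04:55 -------- d-----w c:\\program files\\Panda Security
2009-04-25 02:18 . 2009-04-25 02:18 30732 ----a-w c:\\documents and settings\\All Users\\SPL4.tmp
2009-03-11 15:27 . 2009-01-17 02:57 410984 ----a-w c:\\windows\\system32\\deploytk.dll
""".strip().splitlines()
```

A hit is a prompt to look, not a verdict: security products also keep hidden, system-attributed data files, so each flagged path is checked against its vendor before it goes into a CFScript.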

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,614 posts
  • Gender:Male
  • Location:USA

Posted 15 May 2009 - 01:47 PM

Download GMER Rootkit Scanner from here.
  • Extract the contents of the zipped file to the desktop.
  • Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
  • If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
  • In the right panel you will see several boxes that have been checked. Uncheck the following checkboxes:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Now click on the Scan button and wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop.

Then,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into Notepad:

File::
c:\documents and settings\All Users\SPL116.tmp
c:\documents and settings\All Users\SPL5.tmp
c:\documents and settings\All Users\SPL61.tmp
c:\documents and settings\All Users\SPL4.tmp
c:\documents and settings\All Users\SPL3D.tmp
c:\documents and settings\All Users\SPL4F.tmp
c:\documents and settings\All Users\SPL4E.tmp
c:\documents and settings\All Users\SPL123.tmp
c:\documents and settings\All Users\SPL203.tmp
c:\documents and settings\All Users\SPL67.tmp


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt as well as the GMER ark.txt in your next reply.



