
combofix log


This topic is locked
1 reply to this topic

#1 karimaster

  • Members
  • 1 posts

Posted 30 March 2009 - 10:33 AM

Hi guys, I have got a problem with my computer.
This is a log from combofix and I have no idea what to do.
Please help me.




ComboFix 09-03-29.04 - Administrator 2009-03-30 17:05:49.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.1015.642 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated)
FW: Kaspersky Internet Security *disabled*
FW: Outpost Firewall Pro *enabled*
* Utworzono nowy punkt przywracania
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\meex.exe
c:\windows\system32\sexit.dat
E:\Autorun.inf

.
((((((((((((((((((((((((( Pliki utworzone od 2009-02-28 do 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-30 16:21 . 2009-03-30 16:21 104 --a------ C:\Internet.lnk
2009-03-23 15:31 . 2009-03-23 15:33 <DIR> d-------- C:\dziwne rzeczy na moim pulpicie
2009-03-18 17:10 . 2009-03-18 17:10 166 --a------ c:\windows\wcx_ftp.ini
2009-03-18 17:09 . 2009-03-18 17:09 <DIR> d-------- C:\totalcmd
2009-03-18 17:09 . 2005-02-02 07:51 545 --a------ c:\windows\UC.PIF
2009-03-18 17:09 . 2005-02-02 07:51 545 --a------ c:\windows\RAR.PIF
2009-03-18 17:09 . 2005-02-02 07:51 545 --a------ c:\windows\PKZIP.PIF
2009-03-18 17:09 . 2005-02-02 07:51 545 --a------ c:\windows\PKUNZIP.PIF
2009-03-18 17:09 . 2005-02-02 07:51 545 --a------ c:\windows\NOCLOSE.PIF
2009-03-18 17:09 . 2005-02-02 07:51 545 --a------ c:\windows\LHA.PIF
2009-03-18 17:09 . 2005-02-02 07:51 545 --a------ c:\windows\ARJ.PIF
2009-03-18 17:09 . 2009-03-18 21:37 502 --a------ c:\windows\wincmd.ini
2009-03-18 16:37 . 2001-08-17 23:36 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-03-18 16:37 . 2001-08-17 23:36 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2009-03-18 16:37 . 2001-08-17 23:36 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-03-18 16:37 . 2001-08-17 23:36 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2009-03-18 16:37 . 2008-04-14 06:39 6,144 --a------ c:\windows\system32\kbd106.dll
2009-03-18 16:37 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-03-18 16:37 . 2001-08-17 15:55 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-03-18 16:37 . 2008-04-14 06:39 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2009-03-18 16:37 . 2001-08-17 15:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2009-03-18 16:37 . 2001-08-17 15:55 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2009-03-18 16:37 . 2001-08-17 15:55 5,632 --a------ c:\windows\system32\kbd103.dll
2009-03-18 16:37 . 2001-08-17 15:55 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2009-03-05 12:39 . 2009-03-05 12:40 <DIR> d-------- C:\The.Labyrinth.Of.The.Faun.2006.2007.PL.DVDRip.AC3.XviD-BiNL

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 15:14 3,878,944 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-30 15:13 199,968 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-03-30 15:12 48,452 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-30 15:12 21,812 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-03-25 20:59 --------- d-----w c:\documents and settings\Administrator\Application Data\foobar2000
2009-03-24 22:27 --------- d-----w c:\documents and settings\Administrator\Application Data\Skype
2009-03-24 19:53 --------- d-----w c:\documents and settings\Administrator\Application Data\skypePM
2008-12-15 10:56 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-06 17:31 86 ----a-w c:\windows\system32\config\systemprofile\DelB1E.bat
2008-11-06 17:31 86 ----a-w c:\documents and settings\Default User\DelB1E.bat
2008-11-06 17:31 86 ----a-w c:\documents and settings\Administrator\DelB1E.bat
2008-11-06 18:10 16,384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-11-06 18:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
2008-11-06 18:10 16,384 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-11-06 18:10 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-04-14 02:12 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\wininet.dll
2008-08-26 09:24 826368 ef8eba98145bfa44e80d17a3b3453300 c:\windows\SoftwareDistribution\Download\abcfbcf3d9d76a35839e0526ed748b7b\SP2GDR\wininet.dll
2008-08-26 11:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\SoftwareDistribution\Download\abcfbcf3d9d76a35839e0526ed748b7b\SP2QFE\wininet.dll
2008-06-23 16:01 1344000 8dda28598205360ade9cbf345876b075 c:\windows\system32\wininet.dll
2008-06-23 16:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\system32\dllcache\wininet.dll

2008-04-13 21:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\tcpip.sys
2008-10-17 15:57 361600 e88631e21a9caca06104802f9e915115 c:\windows\system32\drivers\tcpip.sys

2008-07-03 11:38 1882112 d15389269169710d6aa1eb36ef270bdf c:\windows\explorer.exe
2008-04-14 02:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tinySpell"="c:\program files\tinySpell\tinyspell.exe" [2008-09-01 204800]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"H/PC Connection Agent"="c:\progra~1\MICROS~3\wcescomm.exe" [2006-11-13 1289000]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-07-24 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-15 136600]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-22 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-22 121368]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-22 100888]
"TotalRecorderScheduler"="c:\program files\TotalRecorder\TotRecSched.exe" [2006-05-12 86016]
"mhlclyg"="c:\program files\Common Files\System\yyjnldu.exe" [2003-03-02 32489]
"nhbivui"="c:\program files\Common Files\Microsoft Shared\xnxlufi.exe" [2003-03-02 32489]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-03 c:\windows\RTHDCPL.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\windows\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe [2005-02-21 1826885]
Y'z ToolBar.lnk - c:\windows\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe [2002-09-29 90112]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"SetVisualStyle"= c:\windows\Resources\Themes\Vista\Vista.msstyles

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.divxa32"= msaud32_divx.acm
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\xchat\\xchat.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 TTFixerService;NST ToolTipFixer;c:\program files\NeoSmart Technologies\ToolTipFixer\ToolTipFixer.exe [2008-11-06 10240]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S4 rdummy;rdummy;c:\windows\system32\drivers\rdummy.sys [2008-11-06 4096]

--- Inne Usługi/Sterowniki w Pamięci ---

*Deregistered* - BootScreen

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{052fc1ba-fc32-11dd-9f27-0015afe3b2a6}]
\Shell\AutoRun\command - D:\nhbivui.exe
\Shell\explore\Command - D:\nhbivui.exe
\Shell\open\Command - D:\nhbivui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{86eef862-b3f1-11dd-ae8c-0015afe3b2a6}]
\Shell\AutoRun\command - D:\nhbivui.exe
\Shell\explore\Command - D:\nhbivui.exe
\Shell\open\Command - D:\nhbivui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97ab1373-b47b-11dd-ae8e-0015afe3b2a6}]
\Shell\AutoRun\command - D:\nhbivui.exe
\Shell\explore\Command - D:\nhbivui.exe
\Shell\open\Command - D:\nhbivui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d9973fc-ac31-11dd-ae74-0015afe3b2a6}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f1626120-fd2d-11dd-9f28-0015afe3b2a6}]
\Shell\AutoRun\command - G:\nhbivui.exe
\Shell\explore\Command - G:\nhbivui.exe
\Shell\open\Command - G:\nhbivui.exe
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.com
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
DPF: {299385F1-1977-426F-8CE3-07A2407E4498} - hxxp://ktrcam.homedns.org/IPCamPluginMJPEG.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ys3i0yki.default\
FF - prefs.js: browser.startup.homepage - www.google.pl
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ys3i0yki.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 17:14:07
Windows 5.1.2600 Service Pack 2 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(904)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(3336)
c:\windows\system32\SHDOCVW.dll
c:\program files\tinySpell\tskh.dll
c:\windows\BricoPacks\Vista Inspirat\ObjectDock\DockShellHook.dll
c:\windows\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.873_x-ww_6b9196c1\MSVCR80.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Czas ukończenia: 2009-03-30 17:20:02 - komputer został uruchomiony ponownie [Administrator]
ComboFix-quarantined-files.txt 2009-03-30 15:19:47
ComboFix2.txt 2008-11-29 11:23:01

Przed: 33,467,404,288 bytes free
Po: 33,689,710,592 bytes free



#2 Guest_The weatherman_*

  • Guests

Posted 30 March 2009 - 11:22 AM

Hello karimaster

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix logs should not be posted outside the HijackThis forums and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.
The BC Staff



