
Combo fix



#1 thinkfire01

  • Members
  • 1 posts
  • OFFLINE
  • Gender:Male
  • Location:Michigan
  • Local time:01:37 PM

Posted 27 May 2009 - 04:23 PM

ComboFix 09-05-26.05 - Lisa Mateus 05/27/2009 17:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.288 [GMT -7:00]
Running from: c:\documents and settings\Lisa Mateus\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Applications\iebr.dll
c:\program files\Applications\iebt.dll
c:\program files\Applications\iebtu.exe
c:\program files\Applications\iebu.exe
c:\program files\Applications\myd.ico
c:\program files\Applications\mym.ico
c:\program files\Applications\myp.ico
c:\program files\Applications\myv.ico
c:\program files\Applications\ot.ico
c:\program files\Applications\ts.ico
c:\windows\IE4 Error Log.txt
c:\windows\system32\_000014_.tmp.dll
c:\windows\system32\_000015_.tmp.dll
c:\windows\system32\algg.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-27 23:18 . 2009-05-27 23:18 -------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-05-27 23:18 . 2009-05-27 23:18 -------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-05-27 23:14 . 2009-03-25 18:06 40552 ----a-w c:\windows\system32\drivers\mfesmfk.sys
2009-05-27 23:13 . 2009-03-25 18:06 79880 ----a-w c:\windows\system32\drivers\mfeavfk.sys
2009-05-27 23:13 . 2009-03-25 18:06 35272 ----a-w c:\windows\system32\drivers\mfebopk.sys
2009-05-27 23:13 . 2008-10-23 20:08 120136 ----a-w c:\windows\system32\drivers\Mpfp.sys
2009-05-27 23:12 . 2009-05-27 23:13 -------- d-----w c:\program files\Common Files\McAfee
2009-05-27 23:12 . 2009-05-27 23:17 -------- d-----w c:\program files\McAfee
2009-05-27 23:07 . 2009-03-25 18:05 34216 ----a-w c:\windows\system32\drivers\mferkdk.sys
2009-05-27 23:04 . 2009-05-27 23:23 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-05-27 10:07 . 2009-05-27 10:07 -------- d-----w c:\program files\MSXML 6.0
2009-05-27 10:02 . 2009-05-27 10:02 -------- d-----w c:\program files\MSXML 4.0
2009-05-26 22:55 . 2009-05-26 23:13 -------- d-----w c:\windows\system32\CatRoot_bak
2009-05-26 22:52 . 2009-03-06 14:44 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-05-26 22:52 . 2009-02-09 10:20 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-05-26 22:52 . 2009-02-06 16:54 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-05-26 22:52 . 2005-07-26 04:39 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-05-26 22:52 . 2009-02-09 10:20 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-05-26 22:52 . 2009-02-09 10:20 616960 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-05-26 22:52 . 2009-02-09 10:20 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-05-26 22:52 . 2009-02-09 10:20 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-26 22:52 . 2009-02-06 17:14 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-05-26 22:52 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-26 22:50 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-05-26 22:38 . 2008-11-08 00:58 223232 ----a-w c:\windows\system32\sqlite3.dll
2009-05-26 22:38 . 2008-11-06 23:04 36864 ----a-w c:\windows\system32\ascbalon.dll
2009-05-26 22:38 . 2009-04-02 22:55 217088 ----a-w c:\windows\system32\ConTest.dll
2009-05-26 22:38 . 2008-11-08 00:58 86016 ----a-w c:\windows\system32\SQLiteWrapper.dll
2009-05-26 22:38 . 2008-11-06 23:04 20480 ----a-w c:\windows\system32\SysRestore.dll
2009-05-26 22:38 . 2009-05-26 22:38 -------- d-----w c:\program files\Ascentive
2009-05-26 22:38 . 2009-05-26 22:38 -------- d-----w c:\documents and settings\Lisa Mateus\Application Data\InstallShield
2009-05-26 21:44 . 2009-05-26 21:44 1756136 ----a-w C:\FW_WRT54Gv8_8.00.6.005_20080616,0.bin
2009-05-26 20:47 . 2002-04-12 03:21 13335 ----a-w c:\windows\system32\drivers\usbcm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-28 00:05 . 2008-12-13 05:04 -------- d-----w c:\program files\Applications
2009-05-26 22:38 . 2003-04-10 20:00 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-26 21:23 . 2007-08-15 23:59 -------- d-----w c:\documents and settings\Lisa Mateus\Application Data\MSN6
2009-05-26 00:29 . 2007-09-14 19:08 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-25 18:06 . 2009-03-25 18:06 214024 ----a-w c:\windows\system32\drivers\mfehidk.sys
2009-03-06 14:44 . 2003-04-10 01:38 283648 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Performance Center"="c:\program files\Ascentive\Performance Center\APCMain.exe" [2009-01-23 3231744]
"PC SpeedScan Pro"="c:\program files\Ascentive\PC SpeedScan Pro\PCSpeedScan.exe" [2009-04-08 2134016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-03-04 4595712]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-03-01 315392]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-07-14 11406]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2002-10-04 139264]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 28672]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-25 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-05-30 676520]
"EzPrint"="c:\program files\Lexmark 5600-6600 Series\ezprint.exe" [2008-05-30 131752]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-03-26 645328]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2003-03-04 323584]
"ATIModeChange"="Ati2mdxx.exe" - c:\windows\system32\Ati2mdxx.exe [2001-09-04 28672]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2003-02-14 88107]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinCinema Manager.lnk - c:\program files\Sandisk\Common\Bin\WinCinemaMgr.exe [2008-1-30 303104]
Billminder.lnk - c:\program files\Quicken\billmind.exe [2002-9-20 36864]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-9-19 282624]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-9-20 53248]
Quicken Startup.lnk - c:\program files\Quicken\QWDLLS.EXE [2002-9-20 36864]
Remocon Driver.lnk - c:\program files\Sony\USBSircs\usbsircs.exe [2007-8-15 163840]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxducoms.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/27/2009 4:17 PM 203280]
S2 0262751243466019mcinstcleanup;McAfee Application Installer Cleanup (0262751243466019);c:\docume~1\LISAMA~1\LOCALS~1\Temp\026275~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\LISAMA~1\LOCALS~1\Temp\026275~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 mrtRate;mrtRate; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0262751243466019MCINSTCLEANUP
*NewlyCreated* - MCMSCSVC
*NewlyCreated* - MCNASVC
*NewlyCreated* - MCPROXY
*NewlyCreated* - MFEAVFK
*NewlyCreated* - MFEBOPK
*NewlyCreated* - MFEHIDK
*NewlyCreated* - MPFSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-05-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-05-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2006-09-28 00:39]

2009-05-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-14 22:30]

2009-05-27 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-27 17:53]

2009-05-27 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-05-27 17:53]

2007-08-15 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-04-10 07:56]

2007-08-15 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-04-10 07:56]

2007-08-15 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2003-04-10 07:56]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ANTIVIRUS - c:\program files\AAV\aav.exe
HKLM-Explorer_Run-smile - c:\program files\Applications\wcs.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://windiwsfsearch.com/ie6.html
mSearchMigratedDefaultURL = hxxp://windiwsfsearch.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = 127.0.0.1
mSearchURL = hxxp://windiwsfsearch.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?64c19882c98349a79a0240685776fefd
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?64c19882c98349a79a0240685776fefd
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-27 17:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\XP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"er\\xp_inf\\cx_08174.inf\00"
.
Completion time: 2009-05-28 17:09
ComboFix-quarantined-files.txt 2009-05-28 00:09

Pre-Run: 60,469,067,776 bytes free
Post-Run: 61,723,865,088 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

208 --- E O F --- 2009-05-27 10:08

#2 Guest_The weatherman_*

  • Guests
  • OFFLINE

Posted 27 May 2009 - 04:41 PM

Hello thinkfire01,

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix logs should not be posted outside the HijackThis forums, and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.

Regards,

The weatherman
