

Antivirus Pro 2010 ComboFix Log



#1 csingsaas

csingsaas

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 28 October 2009 - 08:58 PM

I followed advice offered up in a prior post and downloaded and ran ComboFix. Worked like a charm to remove multiple instances of malware - including Antivirus Pro 2010 and that pesky phony Security Center.

Here is my ComboFix log - wondering what I need to do next.

PS - I also attached it in a txt file.

Hopefully this is in the right form!





ComboFix 09-10-27.08 - madreg1 10/28/2009 20:27.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.66 [GMT -5:00]
Running from: c:\documents and settings\madreg1\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ecugu.pif
c:\documents and settings\All Users\Application Data\yvegaja.dll
c:\documents and settings\All Users\Documents\enumerut.dl
c:\documents and settings\All Users\Documents\ugyd.dl
c:\documents and settings\madreg1\Application Data\alyn.exe
c:\documents and settings\madreg1\Application Data\lizkavd.exe
c:\documents and settings\madreg1\Application Data\seres.exe
c:\documents and settings\madreg1\Application Data\svcst.exe
c:\documents and settings\madreg1\Application Data\umaj.bin
c:\documents and settings\madreg1\Cookies\axybofemah.reg
c:\documents and settings\madreg1\Cookies\tefowaboh.bin
c:\documents and settings\madreg1\Local Settings\Application Data\eluqo.scr
c:\documents and settings\madreg1\Local Settings\Application Data\odur.pif
c:\documents and settings\madreg1\Local Settings\Application Data\ovivakoga.ban
c:\documents and settings\madreg1\Local Settings\Temporary Internet Files\cynipur.scr
c:\documents and settings\madreg1\Local Settings\Temporary Internet Files\imecyz._dl
C:\dtacmawh.exe
c:\program files\Common Files\efyqyli.dll
c:\program files\Common Files\eluw.reg
c:\program files\Common Files\exycufaw.pif
c:\program files\Common Files\kojy.reg
c:\program files\Common Files\siqorah.bin
c:\program files\Common Files\wotoxisy.vbs
c:\windows\anyw.scr
c:\windows\avuxazypid.dl
c:\windows\edoty.reg
c:\windows\hikepehys.bat
c:\windows\hyzusun.reg
c:\windows\pizyz.vbs
c:\windows\rihicyc.exe
c:\windows\system32\~.exe
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\bakef.scr
c:\windows\system32\certstore.dat
c:\windows\system32\comrepl.exe
c:\windows\system32\fagonifa.exe
c:\windows\system32\fitabyq.exe
c:\windows\system32\ikobuhipi.dll
c:\windows\system32\isapeep.sys
c:\windows\system32\lawariko.dll
c:\windows\system32\lowofoza.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\monelare.dll
c:\windows\system32\oes3cyv0f.dll
c:\windows\system32\quteb._dl
c:\windows\system32\tmp.reg
c:\windows\system32\wimavapa.dll
c:\windows\system32\xohojilaxe.dll
c:\windows\ugiryxinew.sys
E:\mbam23232-setup.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_R_SERVER
-------\Service_6to4
-------\Service_r_server
-------\Legacy_isapeep
-------\Service_isapeep


((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-29 )))))))))))))))))))))))))))))))
.

2009-10-29 01:20 . 2009-10-29 01:20 -------- d-----w- C:\AVGTemp
2009-10-29 00:41 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-29 00:41 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-29 00:41 . 2009-10-29 00:42 -------- d-----w- c:\program files\Malwarebytes22
2009-10-28 23:51 . 2009-10-28 23:52 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2009-10-28 21:59 . 2009-10-28 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-28 21:40 . 2009-10-28 21:40 -------- d-----w- C:\VundoFix Backups
2009-10-28 20:45 . 2009-10-28 20:45 -------- d-----w- c:\program files\Trend Micro
2009-10-28 20:40 . 2009-10-28 22:09 -------- d-----w- c:\windows\Internet Logs
2009-10-28 18:12 . 2009-10-28 18:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-28 16:41 . 2009-10-28 23:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 16:41 . 2009-10-28 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-28 15:52 . 2009-10-28 15:52 -------- d-----w- C:\d6458acc5ec75aa7a516bee311fa45
2009-10-20 17:40 . 2009-10-20 18:10 -------- d-----w- C:\$AVG8.VAULT$
2009-10-20 17:16 . 2009-10-20 17:16 19008 ----a-w- c:\windows\ogafyry.dat
2009-10-20 17:01 . 2009-10-20 17:01 113664 ----a-w- C:\qsdhs.exe
2009-10-20 17:01 . 2009-10-20 17:01 7680 ----a-w- C:\jyacth.exe
2009-10-20 17:01 . 2009-10-20 17:01 31232 ----a-w- C:\dsiqvib.exe
2009-10-20 17:01 . 2009-10-20 17:01 251904 ----a-w- C:\buxuhto.exe
2009-10-20 17:01 . 2009-10-20 17:01 19456 ----a-w- C:\vyiy.exe
2009-10-20 17:01 . 2009-10-20 17:01 53248 ----a-w- C:\ldvx.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 23:40 . 2004-12-25 19:42 -------- d-----w- c:\program files\The Weather Channel FW
2009-10-20 08:22 . 2007-07-06 15:35 42686867 ----a-w- C:\offdat.zip
2009-09-11 14:18 . 2004-03-19 22:40 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-03-30 01:48 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-03-19 22:43 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-07 00:24 . 2004-08-11 06:47 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 06:47 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 09:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-11 06:47 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-03-19 22:45 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-03-19 22:34 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 06:47 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-03-19 22:45 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:44 . 1980-01-01 05:00 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 1980-01-01 05:00 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-20 18:08 . 2009-07-20 18:08 27136 --sha-w- c:\windows\SYSTEM32\fimijole.exe
2009-07-28 16:50 . 2009-07-28 16:50 1052704 --sha-w- c:\windows\SYSTEM32\rutijeri.exe
2009-07-28 16:50 . 2009-07-28 16:50 54272 --sha-w- c:\windows\SYSTEM32\yojapuye.dll
2009-07-28 16:50 . 2009-07-28 16:50 39424 --sha-w- c:\windows\SYSTEM32\zesulalu.dll
2009-07-28 16:51 . 2009-07-28 16:51 54272 --sha-w- c:\windows\SYSTEM32\zuvifobi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7516ceaa-1d51-4cb8-a2a8-783da0ceaabb}]
2009-07-28 16:51 54272 --sha-w- c:\windows\SYSTEM32\zuvifobi.dll

c:\documents and settings\madreg1\Start Menu\Programs\Startup\
Pervasive.SQL Workgroup Engine.lnk - c:\pvsw\Bin\w3dbsmgr.exe [2004-7-22 106546]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=
"c:\\PVSW\\Bin\\w3dbsmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-20 c:\windows\Tasks\GETDATA1.job
- C:\GETDATA.bat [2005-08-18 13:52]

2009-10-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 03:18]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-mesisaraf - c:\windows\system32\lowofoza.dll
HKLM-Run-yokeyifeli - wimavapa.dll
SharedTaskScheduler-ThreadingModel - (no file)
SharedTaskScheduler-{5ca6b7a0-dba2-47d0-a8ee-def5edeaa9e6} - c:\windows\system32\lowofoza.dll
SSODL-heyisareh-{5ca6b7a0-dba2-47d0-a8ee-def5edeaa9e6} - c:\windows\system32\lowofoza.dll
Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 20:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CD33F05B-57D8-EB8D-1C637C8E18479BDE}\{4B66B287-DF55-8BF6-0C7A245C073DF874}\{2B094E66-D192-13E4-CB3BD0799FCAC2FC}*]
"Q3FBLH6RIF6MYMN6VD31LVQSMD1"=hex:01,00,00,00,00,00,00,00,5c,63,e8,cf,f7,e6,fd,
3a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3236)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\combofix\CF4878.exe
c:\combofix\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-29 20:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-29 01:49

Pre-Run: 71,125,307,392 bytes free
Post-Run: 71,592,259,584 bytes free

- - End Of File - - 45E7D75D046007460E90B7FC6D62E39C
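The log above is easier to assess once its sections are pulled apart: which files were deleted, which services were removed, which registry loading points remain, and whether anything defender-relevant (a disabled firewall, hidden+system files still referenced from a startup key) is left behind. The following triage script is an added example written for this thread, not a tool from BleepingComputer or the ComboFix authors; it parses the ComboFix section headers and the attribute-column file lines, and the embedded sample is an abridged excerpt copied from the log posted above.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix's own code).

Splits the log into its '(((( Name ))))' / '--- Name ---' sections, lists
deleted files and removed services, extracts registry loading-point values,
and flags a few observations a helper would want to act on.
"""
import re
from collections import Counter

# Abridged excerpt copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ecugu.pif
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowofoza.dll
c:\windows\system32\quteb._dl
E:\mbam23232-setup.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_isapeep

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7516ceaa-1d51-4cb8-a2a8-783da0ceaabb}]
2009-07-28 16:51 54272 --sha-w- c:\windows\SYSTEM32\zuvifobi.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKLM-Run-mesisaraf - c:\windows\system32\lowofoza.dll
"""

# Three header styles ComboFix uses: '(((( Name ))))', '- - - - Name - - - -', '--- Name ---'.
SECTION_RE = re.compile(
    r"^\(+\s*(.+?)\s*\)+$|^- - - - (.+?) - - - -$|^-{3,}\s+(.+?)\s+-{3,}$"
)
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=\s*(\S+)')
# Attribute column (e.g. '--sha-w-') followed by a Windows path.
ATTR_RE = re.compile(r"(?:^|\s)([-dsharw]{8})\s+([A-Za-z]:\\.+)$")


def split_sections(text):
    """Map section title -> body lines, dropping blanks and the '.' spacer lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = next(g for g in m.groups() if g).strip()
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def deleted_files(sections):
    """Paths ComboFix reports under 'Other Deletions'."""
    return [l for l in sections.get("Other Deletions", []) if WIN_PATH_RE.match(l)]


def extension_counts(paths):
    """Count deleted files by extension; '<none>' for bare names such as 'lowsec'."""
    counts = Counter()
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        counts[name.rsplit(".", 1)[-1].lower() if "." in name else "<none>"] += 1
    return counts


def removed_services(sections):
    """Service/driver names removed under 'Drivers/Services' (lines like '-------\\Name')."""
    return [l.split("\\", 1)[1] for l in sections.get("Drivers/Services", []) if l.startswith("-------\\")]


def registry_values(sections):
    """{(key, value_name): data} for the values listed under 'Reg Loading Points'."""
    out, key = {}, None
    for line in sections.get("Reg Loading Points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if m and key:
            out[(key, m.group(1))] = m.group(2)
    return out


def hidden_system_files(text):
    """Files whose attribute field carries both 's' (system) and 'h' (hidden), anywhere in the log."""
    found = set()
    for line in text.splitlines():
        m = ATTR_RE.search(line.strip())
        if m and "s" in m.group(1) and "h" in m.group(1):
            found.add(m.group(2))
    return sorted(found)


def triage(text):
    """Return human-readable findings a helper would follow up on."""
    sections = split_sections(text)
    findings = []
    for (key, name), data in registry_values(sections).items():
        if name == "EnableFirewall" and data.startswith("0"):
            findings.append(f"Windows Firewall disabled in {key}")
    for path in hidden_system_files(text):
        findings.append(f"hidden+system attribute on {path}")
    for line in sections.get("ORPHANS REMOVED", []):
        if line.startswith("HKLM-Run-"):
            findings.append(f"orphaned Run entry removed: {line}")
    return findings


if __name__ == "__main__":
    secs = split_sections(SAMPLE_LOG)
    print("deleted:", len(deleted_files(secs)), dict(extension_counts(deleted_files(secs))))
    print("services removed:", removed_services(secs))
    for f in triage(SAMPLE_LOG):
        print("FINDING:", f)
```

Run against the full log rather than the excerpt, the same functions also pick up the `--sha-w-` entries in the Find3M report and the two `Legacy_*`/`Service_*` pairs, which is what a helper would want to see summarised before deciding on next steps.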

#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:10:25 PM

Posted 03 November 2009 - 07:49 AM

Hello csingsaas

Welcome to BleepingComputer :(

Combofix is not to be used unless instructed.
==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



