
Someone please analyze my Combofix log


  • This topic is locked
2 replies to this topic

#1 Fr33

Fr33

  • Members
  • 1 posts
  • OFFLINE
  • Local time:10:45 PM

Posted 19 December 2009 - 11:05 PM

Hello all, first time poster here,

After getting a bout of 'Live Antivirus' I tried the Combofix solution as suggested on this website.

And thank you very much the problem appears to have been solved.

I am posting my log file here as suggested in the described method for final analysis (I hope :( )

So once again thank you for the solution, and if someone would analyze my log I would be grateful.

Kind regards,
Fr33

ComboFix 09-12-18.07 - Tim 20/12/2009 14:25:41.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.991.503 [GMT 11:00]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tim\Local Settings\Application Data\retulp
c:\documents and settings\Tim\Local Settings\Application Data\retulp\qutesysguard.exe
c:\documents and settings\Tim\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Tim\Start Menu\Programs\Startup\scandisk.lnk
C:\s
c:\windows\system32\41.exe
c:\windows\system32\AVR10.exe
c:\windows\system32\notepad.dll
c:\windows\system32\ntSVc.ocx
c:\windows\system32\plugin1.dat
c:\windows\system32\SysPr.prx
c:\windows\system32\winhelper86.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32


((((((((((((((((((((((((( Files Created from 2009-11-20 to 2009-12-20 )))))))))))))))))))))))))))))))
.

2009-12-19 20:44 . 2009-12-19 20:44 41472 ----a-w- C:\dcgwhpoh.exe
2009-12-08 03:25 . 2008-07-28 21:21 -------- d---a-w- C:\dvbfix
2009-12-08 02:49 . 2008-04-13 17:46 15232 -c--a-w- c:\windows\system32\dllcache\mpe.sys
2009-12-08 02:49 . 2008-04-13 17:46 15232 ----a-w- c:\windows\system32\drivers\MPE.sys
2009-12-08 02:49 . 2006-06-29 09:49 53248 ----a-r- c:\windows\system32\ModrcCoInstall.dll
2009-12-08 02:49 . 2006-05-09 05:02 13056 ----a-r- c:\windows\system32\drivers\modrc.sys
2009-12-08 02:48 . 2006-09-06 02:53 342784 ----a-r- c:\windows\system32\drivers\mod7700.sys
2009-12-08 02:48 . 2008-04-13 23:12 363520 -c--a-w- c:\windows\system32\dllcache\psisdecd.dll
2009-12-08 02:48 . 2008-04-13 23:12 363520 ----a-w- c:\windows\system32\PsisDecd.dll
2009-12-08 02:48 . 2008-04-13 17:46 11776 -c--a-w- c:\windows\system32\dllcache\bdasup.sys
2009-12-08 02:48 . 2008-04-13 17:46 11776 ----a-w- c:\windows\system32\drivers\BdaSup.sys
2009-12-08 02:17 . 2009-12-08 02:26 -------- d-----w- c:\program files\Microsoft SQL Server
2009-12-08 02:11 . 2009-12-08 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Team MediaPortal
2009-12-08 02:10 . 2009-12-08 02:27 -------- d-----w- c:\program files\Team MediaPortal
2009-12-08 02:08 . 2009-12-08 02:08 -------- d-----w- c:\windows\Logs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-20 03:35 . 2008-11-11 09:26 -------- d-----w- c:\program files\PeerGuardian2
2009-12-20 03:33 . 2007-04-07 14:40 -------- d-----w- c:\documents and settings\Tim\Application Data\uTorrent
2009-12-19 20:59 . 2006-07-17 00:46 -------- d-----w- c:\program files\LogMeIn
2009-12-19 20:59 . 2007-03-09 15:46 -------- d-----w- c:\program files\RemotelyAnywhere
2009-12-19 20:58 . 2007-04-24 03:36 -------- d-----w- c:\documents and settings\Tim\Application Data\Free Download Manager
2009-12-19 13:35 . 2007-03-08 02:57 -------- d-----w- c:\program files\DynDNS Updater
2009-12-17 19:49 . 2007-08-26 03:53 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-08 02:21 . 2005-11-22 22:21 -------- d-----w- c:\program files\Microsoft.NET
2009-11-03 04:54 . 2008-08-08 23:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 03:55 . 2008-08-28 11:00 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-02 09:42 . 2009-10-03 08:28 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 07:45 . 2004-08-03 14:56 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-03 14:56 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-03 14:56 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-03 13:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-03 14:56 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-03 14:56 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-03 14:56 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-02 04:47 . 2007-06-08 04:40 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-02 04:47 . 2006-07-17 00:46 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-10-02 04:47 . 2006-07-17 00:46 87352 ----a-w- c:\windows\system32\LMIinit.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DynDNS Updater"="c:\program files\DynDNS Updater\DynDNS.exe" [2006-09-16 1352704]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-12-09 289584]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1421824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"NetServer"="c:\web\NetServer.exe" [2005-10-02 2575872]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
"RemotelyAnywhere GUI"="c:\program files\RemotelyAnywhere\ragui.exe" [2004-03-30 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\Tim\Start Menu\Programs\Startup\
Malwarebytes' Anti-Malware.lnk - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2008-8-9 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-02 04:47 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\server_windows.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Teamspeak2_RC2\\TeamSpeak.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\web\\bin\\stable\\apache\\Apache.exe"=
"c:\\Program Files\\Hand-Crafted Software\\FreeProxy\\FreeProxy.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"25:TCP"= 25:TCP:25
"110:TCP"= 110:TCP:110
"143:TCP"= 143:TCP:143
"443:TCP"= 443:TCP:443
"2000:TCP"= 2000:TCP:2000
"4712:TCP"= 4712:TCP:4712
"2103:TCP"= 2103:TCP:2103
"2103:UDP"= 2103:UDP:2103
"8080:TCP"= 8080:TCP:8080
"36923:TCP"= 36923:TCP:36923
"36923:UDP"= 36923:UDP:36923

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [29/08/2007 4:04 AM 116264]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/07/2009 12:04 AM 715248]
R1 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [30/03/2004 2:31 PM 7328]
R2 FreeProxy;Free Proxy Service;c:\program files\Hand-Crafted Software\FreeProxy\FreeProxy.exe -{BeginFreeProxyService} -C"c:\web\Proxy\Filter Info\fr33web2.cfg" --> c:\program files\Hand-Crafted Software\FreeProxy\FreeProxy.exe -{BeginFreeProxyService} -Cc:\web\Proxy\Filter Info\fr33web2.cfg [?]
R2 hMailServer;hMailServer;c:\web\bin\stable\hmailserver\bin\hMailServer.exe RunAsService --> c:\web\bin\stable\hmailserver\bin\hMailServer.exe RunAsService [?]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/06/2007 3:39 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [8/06/2007 3:40 PM 47640]
R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\rainfo.sys [30/03/2004 2:31 PM 10784]
R2 TVService;TVService;c:\program files\Team MediaPortal\MediaPortal TV Server\TvService.exe [9/05/2009 9:36 AM 192512]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2/08/2006 4:49 PM 6016]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [3/11/2006 6:19 PM 13592]
R3 MODRC;DiBcom Infrared Receiver;c:\windows\system32\drivers\modrc.sys [8/12/2009 1:49 PM 13056]
S2 PRTGService;PRTG Service;c:\program files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe --> c:\program files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe [?]
S2 prtgwatchservice;PRTG Watchdog;c:\program files\PRTG Traffic Grapher\watchdog\prtgwatchdog.exe --> c:\program files\PRTG Traffic Grapher\watchdog\prtgwatchdog.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [15/11/2007 6:40 AM 34448]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [16/06/2008 7:31 PM 7808]
S3 UfasoftSnifDriver4;Ufasoft Snif Driver v4;\??\c:\program files\Ufasoft\Sniffer\usft_sn4.sys --> c:\program files\Ufasoft\Sniffer\usft_sn4.sys [?]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFTVFM\WFIOCTL.SYS --> c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PGFILTER
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: >> Download This Youtube Video - UnlockForUs - g:\music\BackingTracks\YoutubeFile\lawrence.htm
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{F12F48EE-7575-4a05-8957-E207557670C8} - {639570A0-E929-4EF7-8D1E-365A9BB8674E} - c:\program files\Keep my Net Clean.org\kmnc.dll
TCP: {4743C90A-3F5A-43AF-B578-D82422B1FDB6} = 192.168.1.1
TCP: {A16276BF-1922-47FB-BD2A-A73CF1E9E25A} = 192.168.1.254
TCP: {F8B35950-3EDC-4C1D-9B9B-4A1419DAD519} = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-dppipysr - c:\documents and settings\Tim\Local Settings\Application Data\retulp\qutesysguard.exe
HKLM-Run-notepad - c:\windows\system32\notepad.dll
HKLM-Run-dppipysr - c:\documents and settings\Tim\Local Settings\Application Data\retulp\qutesysguard.exe
AddRemove-Alert Monitor - c:\program files\Hand-Crafted Software\Alert Monitor\Uninst.isu
AddRemove-GPe - d:\games\GRAND PRIX\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 14:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000002A659AE5F702A28D05 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spbc.sys >>UNKNOWN [0x8678B944]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7524f28
\Driver\ACPI -> ACPI.sys @ 0xf7371cb8
\Driver\atapi -> atapi.sys @ 0xf7306b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: VIA Rhine II Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf7201bb0
PacketIndicateHandler -> NDIS.sys @ 0xf720ea21
SendHandler -> NDIS.sys @ 0xf71ec87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3044)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\web\bin\stable\apache\apache.exe
c:\web\bin\stable\filezilla\Filezilla Server.exe
c:\program files\Hand-Crafted Software\FreeProxy\FreeProxy.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Powerware\LanSafe\Bin\PowerMonitor.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\Powerware\LanSafe\Bin\LSTrayAgent.exe
c:\web\bin\stable\apache\apache.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\web\bin\stable\mysql\bin\mysqld.exe
c:\program files\RemotelyAnywhere\RaMaint.exe
c:\program files\RemotelyAnywhere\RemotelyAnywhere.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\web\bin\stable\hmailserver\bin\hMailServer.exe
c:\program files\Powerware\LanSafe\bin\xyntservice.exe
c:\program files\Powerware\LanSafe\bin\httpserver.exe
c:\program files\Powerware\LanSafe\bin\status_glance.exe
.
**************************************************************************
.
Completion time: 2009-12-20 14:38:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-20 03:38

Pre-Run: 16,783,237,120 bytes free
Post-Run: 17,022,103,552 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F46C3AF9C4B368812E101E848224205B

Edited by rigel, 19 December 2009 - 11:14 PM.
Moving log to a better suited forum



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:45 AM

Posted 02 January 2010 - 07:55 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:45 AM

Posted 08 January 2010 - 09:53 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
