Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

lepiBubili's Combofix log


  • This topic is locked This topic is locked
2 replies to this topic

#1 lepiBubili

lepiBubili

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:40 PM

Posted 24 December 2009 - 03:43 PM

This is my log after running ComboFix. Is this a proper place to post it?
I don't want to be undecent.
ComboFix 09-12-24.02 - ljuba stojanovic 12/24/2009 21:06:48.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.434 [GMT 1:00]
Running from: c:\documents and settings\ljuba stojanovic\Desktop\ComboFix.exe
AV: AVG *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: ESET NOD32 antivirus system 2.70 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-561435748-2964645-2904320356-500

.
((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-24 19:02 . 2009-12-24 19:02 -------- d-----w- c:\documents and settings\ljuba stojanovic\Application Data\Malwarebytes
2009-12-24 19:02 . 2009-12-03 15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 19:02 . 2009-12-24 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-24 19:02 . 2009-12-03 15:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 19:02 . 2009-12-24 19:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-24 18:02 . 2009-12-24 18:02 52224 ----a-w- c:\documents and settings\ljuba stojanovic\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-24 18:02 . 2009-12-24 18:02 117760 ----a-w- c:\documents and settings\ljuba stojanovic\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-24 18:01 . 2009-12-24 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-24 18:01 . 2009-12-24 18:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-24 18:01 . 2009-12-24 18:01 -------- d-----w- c:\documents and settings\ljuba stojanovic\Application Data\SUPERAntiSpyware.com
2009-12-24 18:00 . 2009-12-24 18:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-24 17:24 . 2009-12-24 17:24 -------- d-----w- c:\program files\CCleaner
2009-12-23 17:39 . 2009-12-23 17:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-21 16:58 . 2009-12-24 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-21 16:58 . 2009-12-21 17:04 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-14 17:04 . 2009-12-24 20:09 704512 ----a-w- c:\windows\system32\drivers\dgyzk.sys
2009-12-08 18:54 . 2009-12-08 18:54 -------- d-----w- c:\windows\Sun
2009-11-24 20:20 . 2009-11-24 20:21 -------- d-----w- C:\xampp_folder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 19:42 . 2009-11-10 18:01 -------- d-----w- c:\documents and settings\ljuba stojanovic\Application Data\Skype
2009-12-24 19:41 . 2008-08-26 08:10 3216 ----a-w- c:\windows\system32\encobject.dat
2009-12-24 17:08 . 2007-09-19 06:41 -------- d-----w- c:\program files\Java
2009-12-24 16:51 . 2009-11-11 16:58 79488 ----a-w- c:\documents and settings\ljuba stojanovic\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-23 19:07 . 2009-11-10 18:02 -------- d-----w- c:\documents and settings\ljuba stojanovic\Application Data\skypePM
2009-12-21 16:49 . 2007-09-19 06:49 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2009-11-19 21:21 . 2007-09-19 06:48 -------- d-----w- c:\program files\Picasa2
2009-11-19 21:20 . 2009-11-19 21:20 -------- d-----w- c:\program files\Google
2009-11-10 21:51 . 2009-11-10 21:50 -------- d-----w- c:\program files\The KMPlayer
2009-11-10 21:51 . 2009-11-10 21:51 -------- d-----w- c:\program files\Ask.com
2009-11-10 21:11 . 2009-11-10 21:09 -------- d-----w- c:\program files\ICQ6.5
2009-11-10 21:11 . 2009-11-10 21:09 -------- d-----w- c:\documents and settings\ljuba stojanovic\Application Data\ICQ
2009-11-10 21:10 . 2009-11-10 21:10 -------- d-----w- c:\program files\ICQ6Toolbar
2009-11-10 21:10 . 2007-09-19 06:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-10 21:10 . 2009-11-10 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\ICQ
2009-11-10 19:44 . 2009-11-10 19:43 -------- d-----w- c:\program files\NetBeans 6.7.1
2009-11-10 18:04 . 2009-11-10 18:04 0 ----a-w- c:\windows\nsreg.dat
2009-11-10 18:02 . 2009-11-10 18:02 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-10 18:01 . 2009-11-10 18:01 -------- d-----r- c:\program files\Skype
2009-11-10 18:01 . 2009-11-10 18:01 -------- d-----w- c:\program files\Common Files\Skype
2009-11-10 18:01 . 2009-11-10 18:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-10 16:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-10 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
"ICQ"="c:\program files\ICQ6.5\ICQ.exe" [2009-03-01 172792]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2005-11-14 487424]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2006-07-04 110592]
"AwaySch"="c:\program files\Lenovo\AwayTask\AwaySch.EXE" [2006-06-18 69632]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2006-07-15 503808]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-05-18 196696]
"PDService.exe"="c:\program files\Lenovo\SafeGuard PrivateDisk\pdservice.exe" [2006-03-13 41472]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2006-07-15 2341632]
"nod32kui"="c:\program files\Eset\nod32kui.exe" [2009-04-24 949376]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-24 185896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-03 136600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BOOKcase 4.0.lnk - c:\program files\TEXTware\BOOKcase40\BC40CASE.exe [2008-6-16 426028]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 13:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-06-18 17:06 49152 ----a-w- c:\program files\Lenovo\AwayTask\AwayNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\ljuba stojanovic\\Desktop\\pdt-all-in-one-S20071213_M1-win32\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\xampp_folder\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp_folder\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xampp_folder\\xampp\\FileZillaFTP\\FileZilla Server.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/1/2008 6:37 AM 96520]
R1 nod32drv;nod32drv;c:\windows\system32\drivers\nod32drv.sys [4/24/2009 4:32 AM 15424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 Apache2.2;Apache2.2;c:\xampp_folder\xampp\apache\bin\httpd.exe [11/24/2009 9:21 PM 24640]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/1/2008 6:36 AM 282904]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/1/2008 6:37 AM 75272]
R2 ICQ Service;ICQ Service;c:\program files\ICQ6Toolbar\ICQ Service.exe [11/10/2009 10:10 PM 222968]
R2 PrivateDisk;PrivateDisk;c:\program files\Lenovo\SafeGuard PrivateDisk\privatediskm.sys [3/14/2006 12:05 AM 58368]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 11:55 PM 3968]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - dgyzk
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.icq.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\documents and settings\ljuba stojanovic\Application Data\Mozilla\Firefox\Profiles\f73stfbn.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 21:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dgyzk]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(944)
c:\windows\system32\tvt_gina.dll
c:\program files\Lenovo\Client Security Solution\css_gina_plugin.dll
c:\program files\Lenovo\Client Security Solution\css_wait_bar.dll
c:\program files\Lenovo\Client Security Solution\cssuserdatadispatcher.dll
c:\program files\Lenovo\Client Security Solution\csswait.dll
c:\program files\Common Files\Lenovo\tvt_banner.dll
c:\program files\Lenovo\Client Security Solution\cssdlgpwentry.dll
c:\program files\Lenovo\Client Security Solution\dlganswerprompt.dll
c:\program files\Lenovo\Client Security Solution\tvttsp.dll
c:\program files\Lenovo\Client Security Solution\tcsrpc.dll
c:\program files\Common Files\Lenovo\tvt_res.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\imon.dll

- - - - - - - > 'explorer.exe'(5116)
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\msi.dll
.
Completion time: 2009-12-24 21:10:25
ComboFix-quarantined-files.txt 2009-12-24 20:10

Pre-Run: 44,132,012,032 bytes free
Post-Run: 44,117,635,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 1A9C9C18FE1B591CD4D0CA8464C85E27

BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:40 PM

Posted 05 January 2010 - 06:52 PM

Hello,

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you
would let me no so I can close this topic, if you still need help please let me no what issues you are still having, in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log
Thanks

unite.jpg


#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:04:40 PM

Posted 10 January 2010 - 02:56 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users