Infected by Antivirus Live, I used combofix application, I am now ready to post log to forum.

3 replies to this topic

#1 sarge77

  • Members
  • 1 posts

Posted 24 January 2010 - 05:47 PM

I ran the ComboFix application to remove the “Antivirus Live” virus from my cousin’s desktop computer, and I am at the point of posting the log to the forum for review. Please let me know what I need to do next. The instructions state that I am not to post the log until told to do so.

Below is a description of the computer info and the steps I have taken to fix the problem thus far.

Because the infected computer was paralyzed with pop-up infection alerts and very slow performance, I could not do anything with it, such as backing up personal files or creating a system restore, or anything else.
No Windows XP CD came with the machine; the computer came with the OS pre-installed.


Here is the basic computer information:

Microsoft Windows XP ( Media Center Edition )
Version 2002
Service Pack 3

Hewlett-Packard Company
HP Pavilion
Pentium® D CPU 3.20GHz
2 GB RAM


Current Status:

I managed to stop the pop-up warnings from interfering with the repair using an application called rkill.
Next I ran the ComboFix application, and I have progressed to where the display log is shown on my screen.
I then backed up what personal files were on the machine to the partitioned drive D:, but I did not use any special application to perform this task; it was simply copy and paste to the D: drive. I was concerned that running some other backup application before completion of the ComboFix application might be a problem.


My question is: what do I do with the ComboFix-generated log now that it is displayed on the screen? Do I post it to you? What do I do next?

I could sure use the help...Thanks

Neil


======================================================================
Orange Blossom, thanks for your response. Below is the log. I am not sure what you mean by editing my log before posting it; I am only copying it and pasting it below. Thanks for your help. Please let me know what you want me to do next.
======================================================================

ComboFix 10-01-23.02 - Jennifer 01/24/2010 2:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1613 [GMT -5:00]
Running from: c:\documents and settings\Jennifer\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-527237240-179605362-725345543-500
c:\windows\desktop
c:\windows\desktop\CKMAG5.LNK
c:\windows\kb913800.exe
c:\windows\system32\ps2.bat
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-24 07:28 . 2010-01-24 07:28 -------- d-----w- c:\documents and settings\Jennifer\Application Data\Skinux
2010-01-24 07:28 . 2010-01-24 07:28 -------- d-----w- c:\documents and settings\Jennifer\Application Data\ArcSoft
2010-01-19 21:15 . 2010-01-19 21:15 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-01-07 20:24 . 2010-01-07 20:24 173296 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-12-28 00:07 . 2009-12-28 00:07 671744 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\151129-15127.dll
2009-12-28 00:07 . 2009-12-28 00:07 3358720 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\15145-15154.dll
2009-12-28 00:07 . 2009-12-28 00:07 204800 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2009-12-28 00:07 . 2009-12-28 00:07 200704 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\15127-15131.dll
2009-12-28 00:07 . 2009-12-28 00:07 1863680 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\15131-15145.dll
2009-12-28 00:07 . 2009-12-28 00:07 1089 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-24 07:39 . 2009-12-02 02:44 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-01-19 04:14 . 2006-02-28 12:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-19 04:14 . 2006-02-28 12:31 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-14 02:38 . 2008-09-13 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-28 00:09 . 2006-02-28 12:18 -------- d-----w- c:\program files\Quicken
2009-12-19 15:43 . 2009-06-07 23:22 -------- d-----w- c:\program files\Documents To Go
2009-12-19 15:05 . 2006-05-14 01:50 -------- d-----w- c:\program files\verizon
2009-12-14 01:41 . 2006-06-23 06:11 -------- d-----w- c:\program files\Webroot
2009-12-11 01:43 . 2009-06-06 05:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-11 01:41 . 2009-12-11 01:41 1924200 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2009-12-03 01:42 . 2008-09-13 22:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-02 02:56 . 2009-12-02 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\KEDDS
2009-12-02 02:51 . 2009-10-07 23:37 -------- d-----w- c:\documents and settings\All Users\Application Data\OrbNetworks
2009-12-02 02:45 . 2006-02-28 11:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-02 02:45 . 2009-12-02 02:44 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
2009-12-02 02:44 . 2009-12-02 02:44 -------- d-----w- c:\program files\Common Files\ArcSoft
2009-12-02 02:44 . 2009-12-02 02:44 -------- d-----w- c:\program files\ArcSoft
2009-12-02 02:43 . 2007-07-29 17:14 -------- d-----w- c:\program files\Kodak
2009-12-02 02:42 . 2009-10-07 23:36 -------- d-----w- c:\program files\Common Files\Kodak
2009-12-02 02:35 . 2009-10-07 23:34 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2009-12-02 02:34 . 2009-12-02 02:34 175104 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\reduced_contents_PrintCreation_expanded\setup.exe
2009-12-02 02:33 . 2009-12-02 02:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\SysFiles\kb945060\kb945060.exe
2009-12-02 02:33 . 2009-12-02 02:33 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_246a63\EasyShrx.Dll
2009-12-02 02:33 . 2009-12-02 02:33 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.0.20.1.dll
2009-12-02 02:33 . 2009-12-02 02:33 2684304 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140001_246a63\Setup.exe
2009-11-29 06:31 . 2009-11-29 06:31 -------- d-----w- c:\program files\CCleaner
2009-11-21 15:51 . 2004-08-09 21:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-10-29 07:45 . 2004-08-09 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-22 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-02-21 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-14 7323648]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-11 15961088]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 249856]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"USB2Check"="c:\windows\system32\PCLECoInst.dll" [2006-11-06 81920]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-02-28 180269]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\kodak\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-2-28 27136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A Verizon App]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
2005-11-11 21:11 1064960 ----a-w- c:\program files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
2005-11-11 21:10 61440 ----a-w- c:\program files\DISC\DISCUpdateMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMAScheduler]
2005-11-01 10:01 90112 ----a-w- c:\program files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 21:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD08]
2005-06-01 23:35 49152 ----a-w- c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 14:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-12-14 14:51 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2009-03-12 16:31 2303216 ----a-w- c:\program files\verizon\VSP\VerizonServicepoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2005-08-15 19:32 3092480 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
2003-12-09 16:03 57344 -c--a-w- c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
2006-04-06 21:17 5541888 ----a-w- c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 12\\Programs\\umi.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\KodakDigitalDisplaySoftware.exe"=
"c:\\Program Files\\Kodak\\Digital Display\\OrbKodakLauncher\\DllStartupService.exe"=

R2 KodakDigitalDisplayService;KodakDigitalDisplayService;c:\program files\Kodak\Digital Display\OrbKodakLauncher\DllStartupService.exe [5/14/2009 12:21 PM 98304]
S3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [2/28/2006 6:51 AM 468768]
.
Contents of the 'Scheduled Tasks' folder

2009-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-07 c:\windows\Tasks\HPCeeSchedule.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-08 20:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://verizon.yahoo.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=desktop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)
HKLM-Run-nntcetlk - c:\documents and settings\HP_Administrator\Local Settings\Application Data\haefit\nrltsysguard.exe
MSConfigStartUp--FreedomNeedsReboot - c:\program files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-Window Washer - c:\program files\Webroot\Washer\wwDisp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-24 02:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Jennifer\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2010-01-24 02:49:42
ComboFix-quarantined-files.txt 2010-01-24 07:49

Pre-Run: 207,628,771,328 bytes free
Post-Run: 207,622,488,064 bytes free

- - End Of File - - 2F55C4312833D7E67F93EB385A7F5559

Edited by sarge77, 24 January 2010 - 08:46 PM.


#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 30 January 2010 - 05:31 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, step #6 and step #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

#3 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 02 February 2010 - 03:50 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#4 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 04 February 2010 - 08:18 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy