Can someone help me with this combofix log?


This topic is locked
2 replies to this topic

#1 gripper
  • Members
  • 1 posts

Posted 10 February 2010 - 01:07 PM

Hi,

Can someone take a look at these log results and let me know if I need to take further action?

Thanks.

ComboFix 10-02-09.04 - gkg 02/10/2010 9:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1345 [GMT -8:00]
Running from: c:\gkg\dload\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
PEV Error: PersonalFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\LOG6.tmp
C:\LOG7.tmp
c:\windows\dubumu.vbs
c:\windows\epubehu.inf
c:\windows\foxyhigidi.vbs
c:\windows\system32\explorer.exe

----- BITS: Possible infected sites -----

hxxp://kvbback1:8530
.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-10 15:31 . 2010-02-10 15:31 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-10 15:30 . 2010-02-10 15:30 -------- d-----w- c:\documents and settings\gkg\Application Data\DAEMON Tools Lite
2010-02-10 15:30 . 2010-02-10 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-04 22:59 . 2010-02-04 22:59 -------- d-----w- c:\program files\Kiwi Log Viewer
2010-01-18 17:22 . 2010-01-18 17:22 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 16:52 . 2009-07-13 22:03 137328 ----a-w- c:\documents and settings\gkg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-10 16:36 . 2009-08-06 16:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 16:22 . 2007-07-10 19:43 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-10 16:17 . 2009-07-14 01:41 -------- d-----w- c:\documents and settings\gkg\Application Data\uTorrent
2010-02-10 16:16 . 2007-01-16 21:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-10 15:31 . 2009-07-17 20:36 -------- d-----w- c:\program files\gkg
2010-02-10 05:05 . 2009-05-29 15:35 -------- d-----w- c:\program files\DesktopAuthority
2010-02-09 22:46 . 2009-07-17 20:38 -------- d-----w- c:\documents and settings\gkg\Application Data\vlc
2010-02-09 15:22 . 2009-09-16 14:48 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-05 19:00 . 2009-07-20 16:22 -------- d-----w- c:\documents and settings\gkg\Application Data\dvdcss
2010-02-03 05:07 . 2008-05-08 20:49 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-01-31 15:21 . 2009-07-26 15:44 -------- d-----w- c:\documents and settings\gkg\Application Data\Skype
2010-01-31 14:52 . 2009-07-26 15:47 -------- d-----w- c:\documents and settings\gkg\Application Data\skypePM
2010-01-22 15:25 . 2009-09-22 19:52 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 00:07 . 2009-08-06 16:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-08-06 16:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 18:52 . 2008-12-16 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-07 18:51 . 2010-01-07 18:51 -------- d-----w- c:\program files\PDF-Converter
2010-01-07 18:43 . 2008-02-13 15:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-05 17:57 . 2010-01-05 17:57 -------- d-----w- c:\documents and settings\gkg\Application Data\Hallmark
2010-01-04 22:00 . 2008-06-01 20:34 256 ----a-w- c:\windows\system32\pool.bin
2009-12-16 19:51 . 2009-07-14 04:31 -------- d-----w- c:\documents and settings\gkg\Application Data\Apple Computer
2009-12-16 19:48 . 2009-02-16 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-09 15:45 . 2009-12-09 15:45 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-03 22:20 . 2009-07-30 21:47 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-08-26 04:30 . 2009-08-26 04:30 16880 ----a-w- c:\program files\Common Files\yxylypecaz.dll
2009-08-26 04:30 . 2009-08-26 04:30 16246 ----a-w- c:\program files\Common Files\tucefo.ban
2009-08-26 04:30 . 2009-08-26 04:30 15308 ----a-w- c:\program files\Common Files\uqerih.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Lite"="c:\program files\gkg\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DA Remote Management GUI"="c:\program files\DesktopAuthority\rmgui.exe" [2008-05-27 489392]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-30 115560]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\amt\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2008-12-15 2367488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Card Event Planner Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Card Event Planner Reminder.lnk
backup=c:\windows\pss\Photo Card Event Planner Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RealDownload.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RealDownload.lnk
backup=c:\windows\pss\RealDownload.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 04:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2009-07-14 17:41 31552 ----a-w- c:\documents and settings\gkg\Local Settings\Application Data\Citrix\GoToMeeting\366\g2mstart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2007-08-31 19:13 988584 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 23:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 23:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
2002-08-15 13:26 886272 ----a-w- c:\windows\system32\LXSUPMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-09-24 15:17 26112 ----a-w- c:\program files\gkg\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 15:56 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\MaxRecall\\Programs\\zzviewer.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\gkg\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 DAInfo;DA Remote Management Kernel Information Provider;c:\program files\DesktopAuthority\DAInfo.sys [5/29/2009 7:35 AM 12080]
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\DesktopAuthority\DaMaint.exe [5/29/2009 7:35 AM 63408]
R2 DAtf;DA Remote Management Token Factory;c:\program files\DesktopAuthority\DAtf.sys [5/29/2009 7:35 AM 11184]
R2 DesktopAuthority;DA Remote Management Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [5/29/2009 7:35 AM 1324976]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slclient.exe [5/29/2009 7:34 AM 558496]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [5/29/2009 7:35 AM 9264]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/2/2009 7:29 AM 102448]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [3/8/2006 7:53 PM 77952]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [3/8/2006 7:53 PM 77952]
S0 ijhte;ijhte;c:\windows\system32\drivers\tmwptu.sys --> c:\windows\system32\drivers\tmwptu.sys [?]
S0 vyos;vyos;c:\windows\system32\drivers\dreqaipw.sys --> c:\windows\system32\drivers\dreqaipw.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/30/2009 1:46 PM 23888]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 3:04 PM 99200]
S4 HttpRouter;RM HTTP router;c:\program files\DesktopAuthority\gateway_svc.exe [5/29/2009 7:35 AM 28080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
DPF: {720A3751-EB23-45E7-B5DB-68BA712A38AB} - hxxp://172.20.11.11/ShoreWareSoftPhone/SoftPhone.cab
FF - ProfilePath - c:\documents and settings\gkg\Application Data\Mozilla\Firefox\Profiles\aaokfab5.default\
FF - plugin: c:\documents and settings\gkg\Application Data\Mozilla\Firefox\Profiles\aaokfab5.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\gkg\Application Data\Mozilla\Firefox\Profiles\aaokfab5.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
MSConfigStartUp-mserv - c:\documents and settings\gkg\Application Data\seres.exe
MSConfigStartUp-Recorder - [INSTALLDIR]Recorder.exe
AddRemove-SAE Standards Server - k:\sae standards\Uninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 09:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AF2D856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f19852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9df7bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e04a21
SendHandler -> NDIS.sys @ 0xb9de287b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1796)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-10 10:01:54
ComboFix-quarantined-files.txt 2010-02-10 18:01

Pre-Run: 23,978,733,568 bytes free
Post-Run: 24,979,243,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9000F84D4C92A4F3DEA6E6F282C6F990

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
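Reading a ComboFix log by hand comes down to a short list of checks: is real-time AV or the firewall switched off, is Security Center being told to stop monitoring the AV, are there services whose driver file no longer exists on disk (ComboFix marks these with `[?]`), is a system binary such as explorer.exe sitting in the wrong directory, and are there letters-only file names dropped straight into c:\windows, Common Files or a user's Application Data. The script below is an added example written for this thread, not ComboFix's own code and not from the poster or the helper: it encodes those checks and runs them over lines copied from the log above. The rule names, the `DROP_DIRS` and `KNOWN_OK` lists and the 4-12 letter stem threshold are my assumptions; a hit means the line deserves a look, not that the file is malicious.

```python
"""First-pass triage of a ComboFix log: flag the lines an analyst reads first.

Added example for this thread; it is not part of ComboFix or the original post.
Every rule is a generic heuristic (assumption), so a hit means "look at this
line", not "this is malware".
"""
import re
from dataclasses import dataclass

# Sample input: lines copied from the ComboFix log posted above. The R2 DAMaint
# line is a control that should produce no finding.
SAMPLE_LOG = r"""
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
c:\windows\dubumu.vbs
c:\windows\foxyhigidi.vbs
c:\windows\system32\explorer.exe
2009-08-26 04:30 . 2009-08-26 04:30 16880 ----a-w- c:\program files\Common Files\yxylypecaz.dll
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\DesktopAuthority\DaMaint.exe [5/29/2009 7:35 AM 63408]
S0 ijhte;ijhte;c:\windows\system32\drivers\tmwptu.sys --> c:\windows\system32\drivers\tmwptu.sys [?]
S0 vyos;vyos;c:\windows\system32\drivers\dreqaipw.sys --> c:\windows\system32\drivers\dreqaipw.sys [?]
Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
MSConfigStartUp-mserv - c:\documents and settings\gkg\Application Data\seres.exe
"""


@dataclass
class Finding:
    rule: str       # which heuristic fired
    evidence: str   # the path or log line that triggered it


# ComboFix service lines look like "<S0|R2|...> name;display name;path [date size]".
SERVICE_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.*)$")
# A Windows path ending in an executable-ish extension; paths may contain spaces.
FILE_RE = re.compile(r"([a-z]:\\.+?\.(?:exe|dll|vbs|com|sys|ban|inf))\b", re.I)
# Stems like "dubumu" or "yxylypecaz": letters only, no digits, dashes or underscores.
RANDOM_STEM_RE = re.compile(r"^[a-z]{4,12}$")
# Directories where a letters-only file name is worth a second look (assumption).
DROP_DIRS = {r"c:\windows", r"c:\program files\common files"}
# Legitimate letters-only names that live directly in c:\windows (assumption).
KNOWN_OK = {"explorer", "notepad", "regedit", "hh", "twain"}


def _file_findings(line: str) -> list:
    """Apply the path-based rules to every executable path on one line."""
    out = []
    for path in FILE_RE.findall(line):
        lowered = path.lower()
        dirname, _, base = lowered.rpartition("\\")
        stem = base.rsplit(".", 1)[0]
        if base == "explorer.exe" and dirname != r"c:\windows":
            out.append(Finding("explorer.exe outside c:\\windows (name masquerade)", path))
        elif (dirname in DROP_DIRS or dirname.endswith(r"\application data")) \
                and RANDOM_STEM_RE.match(stem) and stem not in KNOWN_OK:
            out.append(Finding("letters-only file name in a drop location", path))
    return out


def triage(log_text: str) -> list:
    """Run every heuristic over the log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if line.startswith("AV:") and "disabled" in low:
            findings.append(Finding("antivirus on-access scanning disabled", line))
        elif line.startswith("FW:") and "disabled" in low:
            findings.append(Finding("third-party firewall disabled", line))
        elif line.startswith('"EnableFirewall"') and "= 0" in line:
            findings.append(Finding("Windows Firewall disabled by policy", line))
        elif line.startswith('"DisableMonitoring"') and line.endswith("00000001"):
            findings.append(Finding("Security Center monitoring of AV suppressed", line))
        elif line.startswith('"3389:TCP"'):
            findings.append(Finding("RDP 3389/tcp globally opened in firewall policy", line))
        elif SERVICE_RE.match(line) and line.endswith("[?]"):
            findings.append(Finding("service/driver points to a file not found on disk", line))
        elif line.startswith("Name-Space Handler") and "\\system32\\" in low:
            findings.append(Finding("third-party namespace handler loaded from system32", line))
        else:
            findings.extend(_file_findings(line))
    return findings


def rule_counts(findings: list) -> dict:
    """How many times each rule fired, for a quick summary."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.evidence}")
```

Run it as `python triage.py`; it prints one line per finding. On the sample it flags thirteen lines and passes the DAMaint service line, which has a real path and a real file date, as clean. The letters-only rule is deliberately narrow (only c:\windows, Common Files and the root of an Application Data folder) because system32 is full of legitimate short names and would drown the output in false positives.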


#2 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 February 2010 - 09:15 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

#3 m0le
    Can U Dig It?
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 21 February 2010 - 07:39 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.



