Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Romanian Woman Admits Involvement in Hacking Attack On Washington Police Computers

Featured Deal: Get 95% off The Ultimate MCSE Certification Training Bundle

Can someone help me with this combofix log?

Started by gripper , Feb 10 2010 01:07 PM

This topic is locked

2 replies to this topic

#1 gripper

Members
1 posts
OFFLINE

Local time:10:04 AM

Posted 10 February 2010 - 01:07 PM

Hi,

Can someone take a look at these log results and let me know if I need to take further action?

Thanks.

ComboFix 10-02-09.04 - gkg 02/10/2010 9:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1345 [GMT -8:00]
Running from: c:\gkg\dload\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
PEV Error: PersonalFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\LOG6.tmp
C:\LOG7.tmp
c:\windows\dubumu.vbs
c:\windows\epubehu.inf
c:\windows\foxyhigidi.vbs
c:\windows\system32\explorer.exe

----- BITS: Possible infected sites -----

hxxp://kvbback1:8530
.
((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-10 15:31 . 2010-02-10 15:31 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-10 15:30 . 2010-02-10 15:30 -------- d-----w- c:\documents and settings\gkg\Application Data\DAEMON Tools Lite
2010-02-10 15:30 . 2010-02-10 15:30 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2010-02-04 22:59 . 2010-02-04 22:59 -------- d-----w- c:\program files\Kiwi Log Viewer
2010-01-18 17:22 . 2010-01-18 17:22 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 16:52 . 2009-07-13 22:03 137328 ----a-w- c:\documents and settings\gkg\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-10 16:36 . 2009-08-06 16:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 16:22 . 2007-07-10 19:43 12 ----a-w- c:\windows\bthservsdp.dat
2010-02-10 16:17 . 2009-07-14 01:41 -------- d-----w- c:\documents and settings\gkg\Application Data\uTorrent
2010-02-10 16:16 . 2007-01-16 21:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-10 15:31 . 2009-07-17 20:36 -------- d-----w- c:\program files\gkg
2010-02-10 05:05 . 2009-05-29 15:35 -------- d-----w- c:\program files\DesktopAuthority
2010-02-09 22:46 . 2009-07-17 20:38 -------- d-----w- c:\documents and settings\gkg\Application Data\vlc
2010-02-09 15:22 . 2009-09-16 14:48 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-05 19:00 . 2009-07-20 16:22 -------- d-----w- c:\documents and settings\gkg\Application Data\dvdcss
2010-02-03 05:07 . 2008-05-08 20:49 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2010-01-31 15:21 . 2009-07-26 15:44 -------- d-----w- c:\documents and settings\gkg\Application Data\Skype
2010-01-31 14:52 . 2009-07-26 15:47 -------- d-----w- c:\documents and settings\gkg\Application Data\skypePM
2010-01-22 15:25 . 2009-09-22 19:52 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-08 00:07 . 2009-08-06 16:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 00:07 . 2009-08-06 16:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-07 18:52 . 2008-12-16 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-07 18:51 . 2010-01-07 18:51 -------- d-----w- c:\program files\PDF-Converter
2010-01-07 18:43 . 2008-02-13 15:30 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-05 17:57 . 2010-01-05 17:57 -------- d-----w- c:\documents and settings\gkg\Application Data\Hallmark
2010-01-04 22:00 . 2008-06-01 20:34 256 ----a-w- c:\windows\system32\pool.bin
2009-12-16 19:51 . 2009-07-14 04:31 -------- d-----w- c:\documents and settings\gkg\Application Data\Apple Computer
2009-12-16 19:48 . 2009-02-16 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-09 15:45 . 2009-12-09 15:45 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-03 22:20 . 2009-07-30 21:47 149768 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-08-26 04:30 . 2009-08-26 04:30 16880 ----a-w- c:\program files\Common Files\yxylypecaz.dll
2009-08-26 04:30 . 2009-08-26 04:30 16246 ----a-w- c:\program files\Common Files\tucefo.ban
2009-08-26 04:30 . 2009-08-26 04:30 15308 ----a-w- c:\program files\Common Files\uqerih.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"DAEMON Tools Lite"="c:\program files\gkg\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"DA Remote Management GUI"="c:\program files\DesktopAuthority\rmgui.exe" [2008-05-27 489392]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-30 115560]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-13 141600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\amt\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2008-12-15 2367488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-11-18 1724416]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Photo Card Event Planner Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Photo Card Event Planner Reminder.lnk
backup=c:\windows\pss\Photo Card Event Planner Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RealDownload.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RealDownload.lnk
backup=c:\windows\pss\RealDownload.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 04:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoToMeeting]
2009-07-14 17:41 31552 ----a-w- c:\documents and settings\gkg\Local Settings\Application Data\Citrix\GoToMeeting\366\g2mstart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-13 00:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2007-08-31 19:13 988584 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-10-25 23:33 563984 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-10-25 23:37 2178832 ----a-w- c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
2002-08-15 13:26 886272 ----a-w- c:\windows\system32\LXSUPMON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 23:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-09-24 15:17 26112 ----a-w- c:\program files\gkg\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 15:56 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]
2009-07-21 18:02 2707526 ----a-w- c:\program files\Zinio\ZinioReader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\MaxRecall\\Programs\\zzviewer.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\gkg\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 DAInfo;DA Remote Management Kernel Information Provider;c:\program files\DesktopAuthority\DAInfo.sys [5/29/2009 7:35 AM 12080]
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\DesktopAuthority\DaMaint.exe [5/29/2009 7:35 AM 63408]
R2 DAtf;DA Remote Management Token Factory;c:\program files\DesktopAuthority\DAtf.sys [5/29/2009 7:35 AM 11184]
R2 DesktopAuthority;DA Remote Management Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [5/29/2009 7:35 AM 1324976]
R2 SLClient;ScriptLogic Service;c:\windows\system32\slclient.exe [5/29/2009 7:34 AM 558496]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [5/29/2009 7:35 AM 9264]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/2/2009 7:29 AM 102448]
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;c:\windows\system32\drivers\nwdelmdm.sys [3/8/2006 7:53 PM 77952]
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;c:\windows\system32\drivers\nwdelser.sys [3/8/2006 7:53 PM 77952]
S0 ijhte;ijhte;c:\windows\system32\drivers\tmwptu.sys --> c:\windows\system32\drivers\tmwptu.sys [?]
S0 vyos;vyos;c:\windows\system32\drivers\dreqaipw.sys --> c:\windows\system32\drivers\dreqaipw.sys [?]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/30/2009 1:46 PM 23888]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 3:04 PM 99200]
S4 HttpRouter;RM HTTP router;c:\program files\DesktopAuthority\gateway_svc.exe [5/29/2009 7:35 AM 28080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-10-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Name-Space Handler: ftp\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
Name-Space Handler: http\RealDownload - {EBCDDA5E-2A68-11D3-8A43-0060083CFB9C} - c:\windows\system32\nzdd.dll
DPF: {720A3751-EB23-45E7-B5DB-68BA712A38AB} - hxxp://172.20.11.11/ShoreWareSoftPhone/SoftPhone.cab
FF - ProfilePath - c:\documents and settings\gkg\Application Data\Mozilla\Firefox\Profiles\aaokfab5.default\
FF - plugin: c:\documents and settings\gkg\Application Data\Mozilla\Firefox\Profiles\aaokfab5.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\gkg\Application Data\Mozilla\Firefox\Profiles\aaokfab5.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus
MSConfigStartUp-mserv - c:\documents and settings\gkg\Application Data\seres.exe
MSConfigStartUp-Recorder - [INSTALLDIR]Recorder.exe
AddRemove-SAE Standards Server - k:\sae standards\Uninst.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-10 09:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AF2D856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f19852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xb9df7bb0
PacketIndicateHandler -> NDIS.sys @ 0xb9e04a21
SendHandler -> NDIS.sys @ 0xb9de287b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1796)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-02-10 10:01:54
ComboFix-quarantined-files.txt 2010-02-10 18:01

Pre-Run: 23,978,733,568 bytes free
Post-Run: 24,979,243,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 9000F84D4C92A4F3DEA6E6F282C6F990

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:03:04 PM

Posted 16 February 2010 - 09:15 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

m0le is a proud member of UNITE

Back to top

#3 m0le

Can U Dig It?

Malware Response Team
34,527 posts
OFFLINE

Gender:Male
Location:London, UK
Local time:03:04 PM

Posted 21 February 2010 - 07:39 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

m0le is a proud member of UNITE