
Combofix log posted


  • This topic is locked
2 replies to this topic

#1 fury924


  • Members
  • 2 posts

Posted 26 June 2010 - 09:17 AM

Edit: moved to proper forum, Virus, Trojan, Spyware, and Malware Removal Logs ~~boopme

Our computer had a browser hijack virus. We ran several virus removal tools (Windows Malicious Software Removal Tool, Spybot Search and Destroy, etc.). But the virus remained. Following instructions on this forum, I ran Combofix and it seems to have removed the virus.

The instructions suggested posting the log for review, even though the problem seems to be fixed. Any suggestions will be appreciated.

Paul.

Log is below:

ComboFix 10-06-25.04 - Nancee 06/26/2010 7:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.286 [GMT -4:00]
Running from: c:\documents and settings\Nancee\Desktop\ComboFix.exe
AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\xpsp1hfm.log

Infected copy of c:\windows\system32\drivers\pciide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))
.

2010-06-25 22:13 . 2010-06-26 11:37 -------- d-----w- c:\documents and settings\Nancee\Local Settings\Application Data\AskToolbar
2010-06-25 22:08 . 2010-06-25 23:03 -------- d-----w- c:\program files\Ask.com
2010-06-25 22:08 . 2010-06-25 22:08 129 ----a-w- c:\documents and settings\Nancee\Local Settings\Application Data\fusioncache.dat
2010-06-25 22:07 . 2010-06-25 22:07 -------- d-----w- c:\program files\MSSOAP
2010-06-25 22:07 . 2009-11-06 19:19 1563008 ----a-w- c:\windows\WRSetup.dll
2010-06-25 22:07 . 2010-06-25 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2010-06-25 22:07 . 2010-06-25 22:07 -------- d-----w- c:\program files\Webroot
2010-06-25 22:07 . 2010-06-25 22:07 -------- d-----w- c:\documents and settings\Nancee\Application Data\Webroot
2010-06-25 21:58 . 2010-06-25 22:02 164 ----a-w- c:\windows\install.dat
2010-06-25 11:58 . 2010-06-25 11:58 -------- d-----w- c:\documents and settings\Nancee\Application Data\Motive
2010-06-25 11:54 . 2010-06-25 12:02 -------- d-----w- c:\program files\Common Files\Motive
2010-06-25 11:54 . 2010-06-25 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-06-25 11:54 . 2010-06-25 11:57 -------- d-----w- c:\program files\ATT-SST
2010-06-24 01:48 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-06-24 01:40 . 2010-06-24 01:40 -------- d-----w- c:\program files\Windows Defender
2010-06-24 01:33 . 2010-06-26 12:03 -------- d--h--w- c:\documents and settings\Nancee\Temporary Internet Files
2010-06-24 01:33 . 2010-06-24 01:33 -------- d--h--w- c:\documents and settings\Nancee\History
2010-06-24 01:31 . 2010-06-24 01:31 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2010-06-24 01:23 . 2010-06-24 01:23 -------- d-----w- c:\windows\peernet
2010-06-24 01:21 . 2010-06-24 01:21 -------- d-----w- c:\windows\ServicePackFiles
2010-06-24 01:10 . 2010-06-24 01:10 -------- d-----w- c:\windows\EHome
2010-06-23 23:42 . 2010-06-23 23:58 -------- d-----w- C:\2fe93babf9d15
2010-06-22 23:24 . 2010-06-22 23:24 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-22 19:39 . 2010-06-22 23:22 -------- d-----w- c:\windows\system32\Adobe
2010-06-19 17:15 . 2010-06-22 23:23 -------- d-----w- c:\windows\system32\config\systemprofile\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-26 11:17 . 2008-02-23 15:22 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-24 01:32 . 2008-04-10 14:43 164424 ----a-w- c:\documents and settings\Nancee\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 01:26 . 2008-02-22 19:21 71627 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2010-06-22 23:23 . 2008-02-23 16:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-22 23:23 . 2008-02-23 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-22 16:33 . 2009-08-27 08:05 -------- d-----w- c:\documents and settings\Nancee\Application Data\Kiecti
2010-05-26 20:02 . 2010-05-26 20:02 503808 ----a-w- c:\documents and settings\Nancee\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-545e2184-n\msvcp71.dll
2010-05-26 20:02 . 2010-05-26 20:02 499712 ----a-w- c:\documents and settings\Nancee\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-545e2184-n\jmc.dll
2010-05-26 20:02 . 2010-05-26 20:02 348160 ----a-w- c:\documents and settings\Nancee\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-545e2184-n\msvcr71.dll
2010-04-21 18:06 . 2008-09-20 14:35 268 ----a-w- c:\documents and settings\Nancee\Application Data\LMCPaper.dat
2010-04-21 18:06 . 2008-03-03 13:41 3932 ----a-w- c:\documents and settings\Nancee\Application Data\LMLayout.dat
2008-02-23 15:22 . 2008-02-23 15:22 32 --sha-w- c:\windows\{C797DE21-AB7F-4560-A204-5691E9A6CC09}.dat
2008-02-23 15:22 . 2008-02-23 15:22 32 --sha-w- c:\windows\system32\{C7F6C2A9-E75D-42B9-AE87-8A692871DA69}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{00000000-6E41-4FD3-8538-502F5495E5FC}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 20:50 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-11-06 19:14 238968 ----a-w- c:\program files\Webroot\WebrootSecurity\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"SansaDispatch"="c:\documents and settings\Nancee\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2010-03-23 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"NAV CfgWiz"="c:\progra~1\NORTON~1\Cfgwiz.exe" [2002-09-27 476792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-08-20 50880]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-20 34504]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-14 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"PhilipsDM"="c:\program files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2006-12-21 663552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [6/25/2010 6:10 PM 1201640]
.
Contents of the 'Scheduled Tasks' folder

2010-06-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

2010-06-26 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 20:50]

2010-06-25 c:\windows\Tasks\wrSpySweeper_L621C2504925E498B80C2D829EFDC5E63.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-06-25 19:19]

2010-06-25 c:\windows\Tasks\wrSpySweeper_L621C2504925E498B80C2D829EFDC5E63.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-06-25 19:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Nancee\Application Data\Mozilla\Firefox\Profiles\3gw4hh5l.default\
FF - prefs.js: browser.search.selectedEngine - Google.com (in English)
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=WBR&o=13993&locale=en_US&q=
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-26 08:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-06-26 08:06:38
ComboFix-quarantined-files.txt 2010-06-26 12:06

Pre-Run: 59,146,063,872 bytes free
Post-Run: 62,561,607,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

- - End Of File - - F66B6512BBACFEFA78FFD80BA24B55D0

Edited by boopme, 26 June 2010 - 09:29 AM.



#2 PropagandaPanda



  • Malware Response Team
  • 10,433 posts

Posted 01 July 2010 - 05:07 PM

Hello.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.

For your next reply please include:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
The Panda


#3 PropagandaPanda



  • Malware Response Team
  • 10,433 posts

Posted 07 July 2010 - 04:22 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
