
ComboFix Log: Is my computer all better now?


  • This topic is locked
6 replies to this topic

#1 Virus A Day

Virus A Day

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 12 July 2010 - 12:58 AM

I know I'm supposed to post the type of infection I have in the thread title, but I honestly have no idea.


I've been having serious, chronic virus issues for the last month and a half (hence the display name). I ran ComboFix and this is the log that I received. I need to know if there are more actions for me to take. My laptop uses XP Pro. The log is as follows:


QUOTE
ComboFix 10-07-11.03 - Lisa 07/11/2010 23:29:30.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.527 [GMT -5:00]
Running from: c:\documents and settings\Lisa\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.

2010-07-11 22:36 . 2010-07-11 22:36 -------- d-----w- c:\documents and settings\Lisa\Application Data\Avira
2010-07-06 05:37 . 2009-03-11 16:34 303104 ----a-w- c:\windows\system32\CNC250L.dll
2010-07-06 05:37 . 2009-04-03 20:59 110592 ----a-w- c:\windows\system32\CNC250I.dll
2010-07-06 05:37 . 2009-04-03 21:00 1310720 ----a-w- c:\windows\system32\CNC250C.dll
2010-07-06 05:37 . 2009-04-03 20:57 106496 ----a-w- c:\windows\system32\CNC250U.dll
2010-07-06 05:37 . 2008-08-25 23:02 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2010-07-06 05:37 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-07-06 05:37 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-07-06 05:33 . 2010-07-06 05:33 -------- d-----w- c:\program files\Common Files\CANON
2010-07-06 05:27 . 2010-07-06 05:27 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2010-07-06 05:27 . 2009-03-17 10:00 70656 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPP9W.DLL
2010-07-06 05:27 . 2009-03-17 10:00 27648 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\CNMPD9W.DLL
2010-07-06 05:27 . 2009-03-17 10:00 272384 ----a-w- c:\windows\system32\CNMLM9W.DLL
2010-07-06 05:27 . 2010-07-06 05:27 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2010-07-06 05:26 . 2009-02-04 13:17 90112 ----a-w- c:\windows\system32\CNC250O.dll
2010-07-06 05:26 . 2009-03-18 09:09 178176 ----a-w- c:\windows\system32\CNMIU9W.DLL
2010-07-06 05:26 . 2010-07-06 05:26 -------- d--h--w- c:\program files\CanonBJ
2010-07-06 05:24 . 2010-07-06 05:36 -------- d-----w- c:\program files\Canon
2010-07-04 23:52 . 2010-07-04 23:52 -------- d-----w- c:\documents and settings\Lisa\Application Data\Adobe Mini Bridge CS5
2010-07-04 23:52 . 2010-07-04 23:52 -------- d-----w- c:\documents and settings\Lisa\Application Data\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2010-07-04 21:07 . 2010-07-04 21:07 58164 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-04 08:14 . 2010-07-04 08:14 -------- d-----w- c:\program files\iPod
2010-07-04 08:14 . 2010-07-04 08:15 -------- d-----w- c:\program files\iTunes
2010-07-04 08:14 . 2010-07-04 08:15 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-04 08:11 . 2010-07-04 08:12 -------- d-----w- c:\program files\QuickTime
2010-07-04 08:09 . 2010-07-04 08:09 -------- d-----w- c:\program files\Apple Software Update
2010-07-04 08:06 . 2010-07-04 08:06 -------- d-----w- c:\program files\Bonjour
2010-07-04 07:39 . 2010-03-01 15:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-07-04 07:39 . 2009-05-11 17:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-07-04 07:39 . 2009-05-11 17:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-07-04 07:39 . 2010-07-04 07:39 -------- d-----w- c:\program files\Avira
2010-07-04 07:39 . 2010-07-04 07:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-07-04 04:23 . 2010-07-04 04:23 -------- d-----w- c:\documents and settings\Lisa\Application Data\Malwarebytes
2010-07-04 04:23 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-04 04:23 . 2010-07-04 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-04 04:23 . 2010-07-04 04:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-04 04:23 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-30 06:53 . 2010-06-30 06:53 -------- d-----w- c:\documents and settings\All Users\Application Data\regid.1986-12.com.adobe
2010-06-30 06:40 . 2010-06-30 06:40 -------- d-----w- c:\program files\Adobe Media Player
2010-06-29 07:04 . 2010-06-29 07:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Intuit
2010-06-29 06:45 . 2010-06-29 06:45 162624 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-06-25 12:03 . 2010-06-25 12:03 -------- d-----w- c:\program files\Photoshop
2010-06-25 11:31 . 2010-06-25 11:31 -------- d-----w- c:\documents and settings\Lisa\Local Settings\Application Data\Intuit
2010-06-25 11:05 . 2009-06-22 14:14 4194304 ----a-w- c:\windows\system32\cdintf400.dll
2010-06-25 10:49 . 2010-06-25 10:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance
2010-06-25 10:49 . 2010-06-29 07:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2010-06-25 10:49 . 2010-06-25 10:56 -------- d-----w- c:\program files\Common Files\Intuit
2010-06-25 10:49 . 2010-06-25 10:49 -------- d-----w- c:\program files\Intuit
2010-06-25 10:47 . 2010-06-25 10:47 -------- d-----w- c:\documents and settings\All Users\Application Data\SQL Anywhere 11
2010-06-25 10:47 . 2010-06-25 10:47 -------- d-----w- c:\documents and settings\All Users\Application Data\COMMON FILES
2010-06-25 10:40 . 2010-06-25 10:40 -------- d-----w- c:\windows\Intuit
2010-06-23 00:50 . 2007-10-23 14:27 110592 ----a-w- c:\documents and settings\Lisa\Application Data\U3\temp\cleanup.exe
2010-06-23 00:47 . 2008-05-02 15:41 3493888 ---ha-w- c:\documents and settings\Lisa\Application Data\U3\temp\Launchpad Removal.exe
2010-06-23 00:47 . 2010-06-23 00:50 -------- d-----w- c:\documents and settings\Lisa\Application Data\U3
2010-06-16 01:01 . 2010-06-16 01:01 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-11 23:54 . 2009-10-02 20:08 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-06 05:54 . 2010-02-07 15:11 -------- d-----w- c:\documents and settings\Lisa\Application Data\Nitro PDF
2010-07-06 01:03 . 2009-08-10 05:19 -------- d-----w- c:\documents and settings\Lisa\Application Data\uTorrent
2010-07-04 08:14 . 2009-08-10 01:27 -------- d-----w- c:\program files\Common Files\Apple
2010-07-04 03:03 . 2010-05-23 07:18 0 ----a-w- c:\documents and settings\Lisa\Local Settings\Application Data\prvlcl.dat
2010-06-30 06:53 . 2009-08-11 21:33 72624 ----a-w- c:\documents and settings\Lisa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-30 06:48 . 2009-06-27 02:24 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-30 06:37 . 2009-06-27 02:23 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-29 07:06 . 2009-06-27 02:23 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-26 17:19 . 2009-08-21 20:46 -------- d-----w- c:\documents and settings\Lisa\Application Data\gtk-2.0
2010-06-04 00:53 . 2009-08-07 03:54 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-24 09:28 . 2010-05-24 08:53 -------- d-----w- c:\documents and settings\Lisa\Application Data\FMZilla
2010-05-24 01:19 . 2010-05-24 01:19 503808 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5339a486-n\msvcp71.dll
2010-05-24 01:19 . 2010-05-24 01:19 499712 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5339a486-n\jmc.dll
2010-05-24 01:19 . 2010-05-24 01:19 348160 ----a-w- c:\documents and settings\Lisa\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-5339a486-n\msvcr71.dll
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-17 05:27 . 2010-05-17 05:27 -------- d-----w- c:\program files\AVG
2010-05-06 10:41 . 2004-08-12 13:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-12 13:33 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-12 13:17 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 01:47 . 2009-08-10 01:27 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-20 01:47 . 2009-08-10 01:27 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-07 149280]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-04-06 1032192]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-11-26 1087752]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-27 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-16 1153824]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2010\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [9/24/2006 7:10 PM 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [9/24/2006 7:10 PM 17664]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/4/2010 2:39 AM 135336]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [12/16/2009 11:09 AM 188736]
R2 nlsX86cc;NLS Service;c:\windows\system32\NLSSRV32.EXE [12/16/2009 11:11 AM 65856]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S4 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [9/24/2006 7:10 PM 218112]
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [9/24/2006 7:10 PM 48140]
S4 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [9/24/2006 7:10 PM 11029]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-07-11 c:\windows\Tasks\AdobeAAMUpdater-1.0-WXP-DRHVVC1-Lesley.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2010-06-30 08:44]

2010-07-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-07-12 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://www.facebook.com/fbplugin/win32/axfbootloader.cab?1265396546906
FF - ProfilePath - c:\documents and settings\Lisa\Application Data\Mozilla\Firefox\Profiles\vdig5xgr.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\Lisa\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Lisa\Application Data\Mozilla\Firefox\Profiles\vdig5xgr.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
MSConfigStartUp-hdcpmdlf - c:\documents and settings\Lisa\Local Settings\Application Data\ucmhmghap\ucbvxnhtssd.exe
MSConfigStartUp-xxlinpwk - c:\documents and settings\Lisa\Local Settings\Application Data\gjwlkmkfa\psitqxbtssd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-11 23:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8650EEC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7602f28
\Driver\ACPI -> ACPI.sys @ 0xf7495cb8
\Driver\atapi -> atapi.sys @ 0xf7409852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom NetXtreme 57xx Gigabit Controller -> SendCompleteHandler -> NDIS.sys @ 0xf72a2bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7291a0d
SendHandler -> NDIS.sys @ 0xf72a5b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-11 23:57:20
ComboFix-quarantined-files.txt 2010-07-12 04:56

Pre-Run: 6,490,132,480 bytes free
Post-Run: 9,439,518,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 89EB15F25924E63B97C14B081AC1A5C3


I am a neophyte. Please use small words and your inside voice.

Thanks!

ETA: It was a redirecting virus and it's still active.

Edited by Virus A Day, 12 July 2010 - 02:42 AM.
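Two lines in the log above carry most of the signal a responder would act on: the `ProxyServer = http=127.0.0.1:5577` setting (a proxy on the loopback address is one way search redirects get implemented) and the MSConfigStartUp orphans that pointed at executables in random-looking folders under `Local Settings\Application Data`. As an added example that is not part of this thread and not ComboFix's own code, the Python script below runs those two checks over a constructed excerpt modelled on the log; the `minkmawp` Run-key line in the sample is an assumption that joins the registry value and file path MBAM reports later in the thread, and the vowel-ratio heuristic and thresholds are my own choices.

```python
import re
from ipaddress import ip_address

# Constructed excerpt modelled on the ComboFix output posted above. The "minkmawp"
# Run-key line is an assumption: it joins the MBAM registry value and file path from
# later in the thread, which never prints that value's data or file size.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"minkmawp"="c:\documents and settings\NetworkService\Local Settings\Application Data\lfxrylnlb\wqdrkaqtssd.exe" [2010-07-12 45056]

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>;*.local

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
MSConfigStartUp-hdcpmdlf - c:\documents and settings\Lisa\Local Settings\Application Data\ucmhmghap\ucbvxnhtssd.exe
MSConfigStartUp-xxlinpwk - c:\documents and settings\Lisa\Local Settings\Application Data\gjwlkmkfa\psitqxbtssd.exe
"""

# Executables launched from these user-writable locations deserve a second look;
# installed software normally lives under Program Files or system32.
USER_WRITABLE_DIRS = ("\\local settings\\application data\\",
                      "\\local settings\\temp\\", "\\windows\\temp\\")
EXE_PATH = re.compile(r'[a-z]:\\[^"\[\]\r\n]+?\.exe\b', re.IGNORECASE)
PROXY_LINE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)


def looks_random(name, min_len=8, max_vowel_ratio=0.25):
    """Crude heuristic (my own): long names with almost no vowels (ucmhmghap,
    psitqxbtssd) are typical of generated dropper names, while product names keep
    a normal vowel ratio. Tune the thresholds rather than trusting them blindly."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < max_vowel_ratio


def find_suspicious_autoruns(log):
    """Return every autostart path in the log that runs from a user-writable
    directory and has a random-looking folder or file name."""
    hits = []
    for line in log.splitlines():
        for match in EXE_PATH.finditer(line):
            path = match.group(0)
            parent, _, exe = path.rpartition("\\")
            parent_dir = parent.rpartition("\\")[2]
            in_user_dir = any(d in path.lower() for d in USER_WRITABLE_DIRS)
            if in_user_dir and (looks_random(parent_dir) or looks_random(exe[:-4])):
                hits.append({"line": line.strip(), "path": path,
                             "parent_dir": parent_dir, "exe": exe})
    return hits


def parse_proxy_settings(log):
    """Split 'ProxyServer = http=127.0.0.1:5577' style lines into per-scheme entries
    and mark loopback hosts. A proxy on 127.0.0.1 with an odd port fits the redirect
    behaviour described in the thread, but some legitimate web filters also listen
    locally, so treat it as a lead to verify, not a verdict."""
    findings = []
    for line in log.splitlines():
        match = PROXY_LINE.search(line)
        if not match:
            continue
        for entry in match.group("value").split(";"):
            scheme, _, hostport = entry.rpartition("=")   # "http=host:port" or "host:port"
            host, sep, port = hostport.rpartition(":")
            if not sep:
                host, port = hostport, ""
            try:
                loopback = ip_address(host).is_loopback
            except ValueError:
                loopback = host.lower() == "localhost"
            findings.append({"scheme": scheme or "*", "host": host,
                             "port": int(port) if port.isdigit() else None,
                             "loopback": loopback})
    return findings


def triage(log):
    """Summarise the two indicators this script looks for."""
    return {
        "loopback_proxy": [p for p in parse_proxy_settings(log) if p["loopback"]],
        "suspicious_autoruns": find_suspicious_autoruns(log),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for proxy in result["loopback_proxy"]:
        print(f"local proxy candidate: {proxy['scheme']} -> {proxy['host']}:{proxy['port']}")
    for hit in result["suspicious_autoruns"]:
        print(f"suspicious autostart: {hit['path']}")
```

Run it against a full ComboFix log (`triage(open("ComboFix.txt").read())`) and check anything it flags by hand: the proxy entry should be cleared in Internet Options if nothing you installed owns that port, and each flagged path is a candidate for the next scanner's attention rather than something to delete blindly.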



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:23 PM

Posted 12 July 2010 - 03:15 AM

Hello Virus A Day,



Looks like you had a rootkit at some point according to one of the sections of ComboFix. Is MBAM showing anything at this point?

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Virus A Day

Virus A Day
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 12 July 2010 - 03:02 PM

What's an MBAM?

gmer.log:
QUOTE
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-12 14:46:41
Windows 5.1.2600 Service Pack 3
Running: fxlth74w.exe; Driver: C:\DOCUME~1\Lisa\LOCALS~1\Temp\pflirfow.sys


---- System - GMER 1.0.15 ----

SSDT A0B521CE ZwCreateKey
SSDT A0B521C4 ZwCreateThread
SSDT A0B521D3 ZwDeleteKey
SSDT A0B521DD ZwDeleteValueKey
SSDT A0B521E2 ZwLoadKey
SSDT A0B521B0 ZwOpenProcess
SSDT A0B521B5 ZwOpenThread
SSDT A0B521EC ZwReplaceKey
SSDT A0B521E7 ZwRestoreKey
SSDT A0B521D8 ZwSetValueKey

Code \??\C:\DOCUME~1\Lisa\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Lisa\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\DOCUME~1\Lisa\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[488] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1364] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1364] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E0000A
.text C:\WINDOWS\explorer.exe[3296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\explorer.exe[3296] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\explorer.exe[3296] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

---- EOF - GMER 1.0.15 ----


Thanks!

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:23 PM

Posted 12 July 2010 - 03:15 PM

Apologies.... MBAM is Malwarebytes.

#5 Virus A Day

Virus A Day
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:23 PM

Posted 12 July 2010 - 11:07 PM

MBAM log:
QUOTE
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4304

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/12/2010 10:55:33 PM
mbam-log-2010-07-12 (22-55-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 206628
Time elapsed: 2 hour(s), 20 minute(s), 36 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\lfxrylnlb\wqdrkaqtssd.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\minkmawp (Trojan.Downloader) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\minkmawp (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\2824846e.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\lfxrylnlb\wqdrkaqtssd.exe (Trojan.Downloader) -> No action taken.


Thanks!
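Every finding in the log above ends in "No action taken", which is what Malwarebytes 1.x writes when the scan finishes but nothing is removed; the infected process, the two Run values and the two files are therefore still on the machine at this point. As an added example that is not part of this thread and not Malwarebytes' own code, the Python check below parses a log in this format, cross-checks the header counts against the listed items (a mismatch usually means a truncated paste), and reports whether a re-run with removal is needed. The sample log is a constructed excerpt modelled on the post above.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the Malwarebytes 1.46 log posted above.
SAMPLE_MBAM_LOG = r"""
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\NetworkService\Local Settings\Application Data\lfxrylnlb\wqdrkaqtssd.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\minkmawp (Trojan.Downloader) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\minkmawp (Trojan.Downloader) -> No action taken.

Files Infected:
C:\WINDOWS\Temp\2824846e.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\lfxrylnlb\wqdrkaqtssd.exe (Trojan.Downloader) -> No action taken.
"""

# Header line: "<Section> Infected: <n>"; section heading: "<Section> Infected:";
# detection line: "<object> (<category>) -> <action>."
SUMMARY = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<object>.+?) \((?P<category>[^()]+)\) -> (?P<action>[^.]+)\.$")


def parse_mbam_log(text):
    """Return the header counts and every detection with its section and action."""
    summary, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUMMARY.match(line)
        if m:
            summary[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = ITEM.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return {"summary": summary, "items": items}


def unresolved_items(parsed):
    """Detections MBAM reported but did not remove."""
    return [i for i in parsed["items"] if i["action"].startswith("No action")]


def action_counts(parsed):
    """How many detections ended in each action, e.g. removed vs. left alone."""
    return Counter(i["action"] for i in parsed["items"])


def summary_mismatches(parsed):
    """Header count vs. items actually listed, per section; non-empty means the
    pasted log is incomplete and should be requested again."""
    listed = Counter(i["section"] for i in parsed["items"])
    return {name: (count, listed.get(name, 0))
            for name, count in parsed["summary"].items()
            if count != listed.get(name, 0)}


def needs_rerun(parsed):
    """True when anything detected is still in place."""
    return bool(unresolved_items(parsed))


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_MBAM_LOG)
    print("actions:", dict(action_counts(parsed)))
    print("mismatches:", summary_mismatches(parsed))
    for item in unresolved_items(parsed):
        print(f"still present [{item['section']}]: {item['object']} ({item['category']})")
    print("re-run with removal needed:", needs_rerun(parsed))
```

The same parser works on a log saved after pressing Remove Selected; in that case the actions change and `needs_rerun` returns False, which is the quick way to confirm the cleanup step was actually performed before moving on to the next tool.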


#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:23 PM

Posted 14 July 2010 - 07:21 AM

Hello,

Apologies for the delay. I guess you let MBAM clean those, yes? If not, please run it again and do let it clean them.

Do you use a router?

tea

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:05:23 PM

Posted 24 July 2010 - 10:04 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic



