Google hijack - ComboFix Log File Review


This topic is locked
2 replies to this topic

#1 klm9er

  • Members
  • 1 posts

Posted 13 July 2010 - 11:52 AM

I have the Google Hijack Search results malware and did the Combofix scan via my IT's advice. I would like feedback on my log report to ensure that I am clean... Thanks to whoever can help me out!

LOG FILE

ComboFix 10-07-12.06 - Alli 07/13/2010 9:14.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.158 [GMT -7:00]
Running from: c:\documents and settings\Alli\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\documents and settings\Alli\g2mdlhlpx.exe
c:\documents and settings\Alli\Local Settings\Application Data\{810C59FB-D351-4F5C-B5BF-7D1A65509E90}
c:\documents and settings\Alli\Local Settings\Application Data\{810C59FB-D351-4F5C-B5BF-7D1A65509E90}\chrome.manifest
c:\documents and settings\Alli\Local Settings\Application Data\{810C59FB-D351-4F5C-B5BF-7D1A65509E90}\chrome\content\_cfg.js
c:\documents and settings\Alli\Local Settings\Application Data\{810C59FB-D351-4F5C-B5BF-7D1A65509E90}\chrome\content\overlay.xul
c:\documents and settings\Alli\Local Settings\Application Data\{810C59FB-D351-4F5C-B5BF-7D1A65509E90}\install.rdf
c:\program files\Shared
c:\windows\enetidacirojikeh.dll
c:\windows\imenukifasocuke.dll
c:\windows\ocokububovidog.dll
c:\windows\patch.exe
c:\windows\system\oeminfo.ini
c:\windows\xpsp1hfm.log
C:\zip.exe
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))
.

2010-07-13 16:08 . 2010-07-13 16:08 -------- d-----w- C:\found.009
2010-07-07 16:32 . 2010-07-13 15:33 0 ----a-w- c:\windows\Vxasiyalogu.bin
2010-07-07 16:32 . 2010-07-13 15:33 120 ----a-w- c:\windows\Evunokaxuwena.dat
2010-06-28 16:56 . 2010-06-28 16:56 1039712 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-06-22 12:11 . 2010-06-22 12:11 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-06-22 12:11 . 2010-06-22 12:11 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-06-22 12:10 . 2010-06-22 12:10 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-06-22 12:08 . 2010-06-22 12:08 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-06-22 12:08 . 2010-06-22 12:08 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-06-22 12:08 . 2010-06-22 12:08 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-13 14:05 . 2008-03-28 00:35 -------- d-----w- c:\program files\LogMeIn
2010-07-09 17:34 . 2009-11-10 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-06-22 12:11 . 2008-08-05 22:21 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-06-22 12:09 . 2008-08-05 22:21 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-09 16:41 . 2008-03-28 00:36 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-06-09 16:41 . 2008-03-28 00:36 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-09 16:41 . 2008-03-28 00:35 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-05 00:08 . 2010-06-05 00:08 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2010-06-01 16:24 . 2008-07-25 19:30 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-17 21:45 . 2008-07-30 15:56 -------- d-----w- c:\program files\Google
2010-05-04 17:20 . 2004-08-04 07:56 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-04 07:56 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2004-08-04 06:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 07:56 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-14 18:30 . 2010-04-14 18:30 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-14 278528]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"TomcatStartup"="c:\program files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-04-01 155648]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2005-04-12 98304]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-02-08 98304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-02 155648]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-12 98304]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AltiSupervisor.lnk - c:\program files\Altigen\AltiSupervisor\AltiSupervisor.exe [2007-7-31 2543616]
AltiView.lnk - c:\program files\Altigen\AltiView\AltiView.exe [2007-7-31 2543616]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-06-22 12:10 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-09 16:41 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"c:\\PVSW\\Bin\\w3dbsmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Altigen\\AltiSupervisor\\AltiSupervisor.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [8/5/2008 3:21 PM 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [8/5/2008 3:21 PM 216400]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [8/5/2008 3:21 PM 243024]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [6/22/2010 5:09 AM 921440]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [6/22/2010 5:10 AM 308136]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 4:09 PM 12856]
S2 gupdate1c9fb72ac733166;Google Update Service (gupdate1c9fb72ac733166);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2009 5:10 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2005-06-06 c:\windows\Tasks\Easy Internet Sign-up.job
- c:\program files\Easy Internet signup\HPSdpApp.exe [2004-08-13 09:50]

2010-07-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-30 00:08]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 00:09]

2010-07-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-03 00:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Ijafera - c:\windows\mfxr40.dll
HKLM-Run-Hgapowedi - c:\windows\enetidacirojikeh.dll
ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
AddRemove-05E21449-3BA3-42BF-BBDA-95205F4EA40A - c:\program files\WildTangent\Apps\GameChannel\Games\05E21449-3BA3-42BF-BBDA-95205F4EA40A\Uninstall.exe
AddRemove-26DC0ED6-93A7-43C1-8DC5-EC16079580F9 - c:\program files\WildTangent\Apps\GameChannel\Games\26DC0ED6-93A7-43C1-8DC5-EC16079580F9\Uninstall.exe
AddRemove-29FF6D07-4A15-41F1-9D5E-E0F3A58012C6 - c:\program files\WildTangent\Apps\GameChannel\Games\29FF6D07-4A15-41F1-9D5E-E0F3A58012C6\Uninstall.exe
AddRemove-3330A279-CC39-4A17-AE19-DA464B26AD9A - c:\program files\WildTangent\Apps\GameChannel\Games\3330A279-CC39-4A17-AE19-DA464B26AD9A\Uninstall.exe
AddRemove-66195170-D19D-46C5-8FB7-8A4630071ADC - c:\program files\WildTangent\Apps\GameChannel\Games\66195170-D19D-46C5-8FB7-8A4630071ADC\Uninstall.exe
AddRemove-75528D5F-DD82-402E-BA7C-045B7DC6A712 - c:\program files\WildTangent\Apps\GameChannel\Games\75528D5F-DD82-402E-BA7C-045B7DC6A712\Uninstall.exe
AddRemove-9D7E7CDA-051E-4B0D-8CEE-58F41F449CF9 - c:\program files\WildTangent\Apps\GameChannel\Games\9D7E7CDA-051E-4B0D-8CEE-58F41F449CF9\Uninstall.exe
AddRemove-A2E85A38-C2D9-4EDF-AFDA-F76BCBFEBBC4 - c:\program files\WildTangent\Apps\GameChannel\Games\A2E85A38-C2D9-4EDF-AFDA-F76BCBFEBBC4\Uninstall.exe
AddRemove-BBCBAA5D-AC5A-4098-A53E-EC60A68F38F9 - c:\program files\WildTangent\Apps\GameChannel\Games\BBCBAA5D-AC5A-4098-A53E-EC60A68F38F9\Uninstall.exe
AddRemove-BFAF1EEC-E987-415B-BCB8-80CDB0BC6CDF - c:\program files\WildTangent\Apps\GameChannel\Games\BFAF1EEC-E987-415B-BCB8-80CDB0BC6CDF\Uninstall.exe
AddRemove-C43D84CD-EBFC-48D3-A330-7868C8AD415A - c:\program files\WildTangent\Apps\GameChannel\Games\C43D84CD-EBFC-48D3-A330-7868C8AD415A\Uninstall.exe
AddRemove-DE87FA96-7840-420C-86F9-33F3B7B3CED1 - c:\program files\WildTangent\Apps\GameChannel\Games\DE87FA96-7840-420C-86F9-33F3B7B3CED1\Uninstall.exe
AddRemove-FA7F5211-C629-4711-BD82-7DFFB08CB518 - c:\program files\WildTangent\Apps\GameChannel\Games\FA7F5211-C629-4711-BD82-7DFFB08CB518\Uninstall.exe
AddRemove-CSec - c:\program files\CSec\cs.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-13 09:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-07-13 09:38:09
ComboFix-quarantined-files.txt 2010-07-13 16:38

Pre-Run: 49,539,244,032 bytes free
Post-Run: 50,129,580,032 bytes free

- - End Of File - - D58D7A9594BE85B7DE2597EE76C2B807
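The log above is where a responder looks for persistence: the Run keys under "Reg Loading Points", the two orphaned HKCU/HKLM Run entries that pointed straight at DLLs in c:\windows, and the "EnableFirewall"= 0 policy line. The Python script below is an added example, not ComboFix's code and not something posted in this thread. It walks a ComboFix-style log excerpt (the sample lines are copied from the log above, not taken from a live machine) and flags three things: Run entries whose image is a .dll, value or file names that fit the alternating vowel/consonant pattern of enetidacirojikeh.dll and imenukifasocuke.dll, and a disabled Windows Firewall profile. The alternation heuristic, its thresholds and the helper names are my own assumptions chosen to fit this log; they produce triage leads, not verdicts.

```python
import ntpath
import re

# Excerpt of a ComboFix log. These lines are copied from the log posted in
# this thread (Run keys, firewall policy, ORPHANS REMOVED section); they are
# embedded here so the script runs offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-08-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-06-22 2065760]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Ijafera - c:\windows\mfxr40.dll
HKLM-Run-Hgapowedi - c:\windows\enetidacirojikeh.dll
ShellExecuteHooks-{FA010552-4A27-4cb1-A1BB-3E2D697F1639} - (no file)
"""

VOWELS = set("aeiou")

def looks_generated(name, min_len=9, max_breaks=1):
    """Heuristic (my assumption, not a ComboFix rule) for machine-generated
    'pronounceable' names: long, purely alphabetic, alternating vowel/consonant
    with at most one break. enetidacirojikeh and Hgapowedi score True;
    hpsysdrv, avgtray and GoogleToolbarNotifier do not. Some real words
    (e.g. "calculator") also pass, so treat a hit as a lead, not proof."""
    if len(name) < min_len or not name.isalpha():
        return False
    low = name.lower()
    breaks = sum((a in VOWELS) == (b in VOWELS) for a, b in zip(low, low[1:]))
    return breaks <= max_breaks

KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')           # "name"="path" [...]
ORPHAN_RE = re.compile(r"^(HK[A-Z]+)-Run-(\S+) - (.+)$")  # HKLM-Run-name - path
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')

def _stem_and_ext(path):
    # ntpath handles Windows separators regardless of the host platform.
    stem, ext = ntpath.splitext(ntpath.basename(path.strip()))
    return stem, ext.lower()

def _check_image(where, value_name, path, findings):
    stem, ext = _stem_and_ext(path)
    if ext == ".dll":
        findings.append((where, value_name, path, "Run entry points straight at a DLL"))
    for label, candidate in (("value name", value_name), ("image name", stem)):
        if looks_generated(candidate):
            findings.append((where, value_name, path,
                             f"{label} looks machine-generated: {candidate}"))

def triage(log_text):
    """Walk a ComboFix log and return (where, name, path, reason) findings."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)      # remember which registry key we are under
            continue
        if FIREWALL_OFF_RE.match(line) and "firewallpolicy" in current_key.lower():
            findings.append((current_key, "EnableFirewall", "0",
                             "Windows Firewall disabled for this profile"))
            continue
        m = VALUE_RE.match(line)
        if m and current_key.lower().endswith(r"currentversion\run"):
            _check_image(current_key, m.group(1), m.group(2), findings)
            continue
        m = ORPHAN_RE.match(line)          # entries ComboFix already removed
        if m:
            hive, name, path = m.groups()
            _check_image(f"{hive}\\...\\Run (orphan)", name, path, findings)
    return findings

if __name__ == "__main__":
    for where, name, path, reason in triage(SAMPLE_LOG):
        print(f"[{reason}] {where} :: {name} -> {path}")
```

Run against the excerpt it reports five findings: the disabled firewall profile, the Ijafera entry because it launches a DLL, and the Hgapowedi entry three times (DLL target, generated-looking value name, generated-looking file name). The Google, HP and AVG entries pass untouched. For a real engagement you would pair this with a hash or signature check on each image path, since the name heuristic alone will flag some legitimate words.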



#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 18 July 2010 - 04:30 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 22 July 2010 - 07:44 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.