
What do I do with the log file after ComboFix runs?



#1 standback27

  • Members
  • 1 posts
  • Local time:06:23 AM

Posted 28 July 2010 - 06:32 PM

On the advice of an I.T. guy at work (a large daily newspaper), regarding Google redirects, he gave me a list of things to do to try to rectify the problem. First on the list was to run ComboFix ... which I did.

During Stage_3, I got a prompt that started off "PEV.cfxxe has stopped working".
I clicked the Close Program button and the program started running up through 50-some steps. It generated the log file below - but I don't know what to do with it now that I've got it, or where to post it for some help, or what.

Thanks!

+++++++++++++

ComboFix 10-07-27.05 - Thomas 07/28/2010 19:11:01.1.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1477 [GMT -4:00]
Running from: c:\users\Thomas\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents
c:\users\Thomas\BitTorrent-5.0.7.exe
c:\users\Thomas\flac113b.exe
c:\users\Thomas\GoToAssistDownloadHelper.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-28 23:19 . 2010-07-28 23:19 -------- d-----w- c:\users\Thomas\AppData\Local\temp
2010-07-28 23:19 . 2010-07-28 23:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-28 23:06 . 2010-07-28 23:07 -------- d-----w- C:\32788R22FWJFW
2010-07-28 05:51 . 2010-07-28 05:51 -------- d-----w- c:\programdata\Alwil Software
2010-07-28 05:51 . 2010-07-28 05:51 -------- d-----w- c:\program files\Alwil Software
2010-07-27 20:46 . 2010-07-27 20:46 63488 ----a-w- c:\users\Thomas\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-27 20:46 . 2010-07-27 20:46 52224 ----a-w- c:\users\Thomas\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-27 20:46 . 2010-07-27 20:46 117760 ----a-w- c:\users\Thomas\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-27 20:45 . 2010-07-27 20:45 -------- d-----w- c:\users\Thomas\AppData\Roaming\SUPERAntiSpyware.com
2010-07-27 20:45 . 2010-07-27 20:45 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-07-27 20:45 . 2010-07-27 20:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-27 16:39 . 2010-07-28 22:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 14:38 . 2010-07-27 14:38 -------- d-----w- C:\_OTM
2010-07-25 13:40 . 2010-07-25 13:40 6144 ----a-w- c:\windows\system32\drivers\kfkjpcuo.sys
2010-07-22 18:42 . 2010-07-22 18:42 -------- d-----w- c:\users\Thomas\AppData\Roaming\Malwarebytes
2010-07-22 18:36 . 2010-07-22 18:36 -------- d-----w- c:\programdata\Malwarebytes
2010-07-22 18:35 . 2010-07-22 18:35 6153352 ----a-w- c:\program files\mbam-setup-1.46.exe
2010-07-22 17:15 . 2010-07-22 17:15 -------- d-----w- c:\users\Thomas\AppData\Local\ElevatedDiagnostics
2010-07-22 16:39 . 2010-07-22 16:44 -------- d-----w- c:\program files\Microsoft ATS
2010-07-22 16:24 . 2010-07-22 16:24 53248 ----a-r- c:\users\Thomas\AppData\Roaming\Microsoft\Installer\{3360D505-B0AA-4284-92DF-F872AF90A448}\ARPPRODUCTICON.exe
2010-07-21 22:05 . 2010-07-21 22:05 -------- d-----w- c:\program files\iPod
2010-07-21 21:59 . 2010-07-21 21:59 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-07-21 21:36 . 2010-07-21 21:36 6144 ----a-w- c:\windows\system32\drivers\wbxajdgf.sys
2010-07-21 01:32 . 2010-07-21 01:36 -------- d-----w- c:\users\Thomas\AppData\Roaming\GlarySoft
2010-07-21 01:32 . 2010-07-21 01:32 -------- d-----w- c:\program files\Glary Registry Repair
2010-07-20 19:23 . 2010-07-21 02:38 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-07-05 18:37 . 2010-07-05 18:37 77000 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 22:51 . 2008-03-04 02:41 -------- d-----w- c:\users\Thomas\AppData\Roaming\DNA
2010-07-28 06:25 . 2008-07-02 03:25 -------- d-----w- c:\program files\Snood Deluxe
2010-07-28 06:01 . 2007-03-02 20:04 -------- d-----w- c:\program files\spybot - search & destroy
2010-07-28 05:46 . 2008-03-04 02:41 -------- d-----w- c:\program files\DNA
2010-07-28 04:31 . 2008-11-06 05:29 -------- d-----w- c:\users\Thomas\AppData\Roaming\FrostWire
2010-07-27 16:19 . 2008-08-16 00:05 -------- d-----w- c:\programdata\AT&T
2010-07-27 16:16 . 2007-10-25 01:57 -------- d-----w- c:\users\Thomas\AppData\Roaming\Amazon
2010-07-27 16:15 . 2010-05-06 01:46 -------- d-----w- c:\users\Thomas\AppData\Roaming\Move Networks
2010-07-27 13:54 . 2009-12-18 19:13 256 ----a-w- c:\windows\system32\pool.bin
2010-07-25 16:28 . 2010-03-08 20:09 -------- d-----w- c:\program files\McAfee
2010-07-21 22:06 . 2008-06-06 13:58 -------- d-----w- c:\program files\iTunes
2010-07-21 22:04 . 2008-06-06 13:51 -------- d-----w- c:\program files\Common Files\Apple
2010-07-20 22:15 . 2009-03-24 03:08 -------- d-----w- c:\users\Thomas\AppData\Roaming\Winamp
2010-07-20 22:15 . 2008-09-18 21:15 -------- d-----w- c:\users\Thomas\AppData\Roaming\vlc
2010-07-20 22:15 . 2007-03-03 16:29 -------- d-----w- c:\users\Thomas\AppData\Roaming\BitTorrent
2010-07-20 22:15 . 2010-04-08 01:10 -------- d-----w- c:\program files\QuickTime
2010-07-20 22:15 . 2009-03-21 16:54 -------- d-----w- c:\program files\Winamp
2010-07-20 22:15 . 2009-08-17 02:14 -------- d-----w- c:\program files\Hyplay
2010-07-20 22:15 . 2007-02-23 22:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 19:20 . 2010-07-16 22:16 112 ----a-w- c:\programdata\q5MvC2.dat
2010-07-15 19:18 . 2010-03-08 20:09 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-29 02:50 . 2008-01-20 21:34 -------- d-----w- c:\users\Thomas\AppData\Roaming\Winff
2010-06-26 07:03 . 2007-02-23 22:31 -------- d-----w- c:\program files\Microsoft.NET
2010-06-26 00:49 . 2007-04-25 10:53 -------- d-----w- c:\users\Thomas\AppData\Roaming\Apple Computer
2010-06-26 00:04 . 2010-06-26 00:04 -------- d-----w- c:\program files\Bonjour
2010-06-23 01:12 . 2007-02-23 22:26 -------- d-----w- c:\programdata\Roxio
2010-06-18 02:07 . 2008-11-20 04:40 -------- d-----w- c:\users\Thomas\AppData\Roaming\Free Sound Recorder
2010-06-17 01:04 . 2009-11-20 19:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-06-13 07:27 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-13 07:11 . 2007-02-23 22:29 -------- d-----w- c:\programdata\Microsoft Help
2010-06-02 17:55 . 2007-02-23 22:18 -------- d-----w- c:\program files\Java
2010-05-26 17:06 . 2010-06-13 01:10 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-13 01:10 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2009-10-03 01:02 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-04 05:59 . 2010-06-13 01:09 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-13 01:09 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-13 01:09 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-13 01:09 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 14:13 . 2010-06-13 01:09 2037248 ----a-w- c:\windows\system32\win32k.sys
2008-11-06 05:28 . 2008-11-06 05:28 14946782 ----a-w- c:\program files\frostwire-4.17.0.windows.exe
2008-09-18 21:14 . 2008-09-18 21:13 14482140 ----a-w- c:\program files\vlc-0.9.2-win32.exe
2008-09-18 21:02 . 2008-09-18 21:01 15420536 ----a-w- c:\program files\VLCfree_8676.exe
2008-07-02 03:24 . 2008-07-02 03:23 39001600 ----a-w- c:\program files\SnoodDeluxe.msi
2008-04-17 05:05 . 2008-04-17 05:05 2000324 ----a-w- c:\program files\cdex_151.exe
2007-09-09 19:20 . 2007-09-09 19:20 525012 ----a-w- c:\program files\lame3.97.zip
2007-08-21 19:21 . 2007-08-21 19:21 2228534 ----a-w- c:\program files\audacity-win-1.2.6.exe
2007-06-06 01:26 . 2007-06-06 01:26 1827640 ----a-w- c:\program files\GoogleDesktopSetup.exe
2008-07-27 22:37 . 2008-07-27 22:37 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-07-27 22:37 . 2008-07-27 22:37 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2007-02-24 06:04 . 2007-02-24 06:03 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-08 323392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-17 815104]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-27 1540096]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-02-23 240640]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2006-11-17 17920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"SigmatelSysTrayApp"="sttray.exe" [2006-12-01 303104]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2010-03-11 648536]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Device Detector 2.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2007-3-20 114688]
Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2007-3-20 114688]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-2-23 50688]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2008-5-14 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-11-08 03:53 323392 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ae,07,6d,92,7a,38,ca,01

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-03-26 93320]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 lgatbus;LG CDMA USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\lgatbus.sys [2002-07-02 42960]
R3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\DRIVERS\lgatmdm.sys [2002-07-02 75200]
R3 SWNC8U56;Sierra Wireless MUX NDIS Driver (UMTS56);c:\windows\system32\DRIVERS\swnc8u56.sys [2007-06-27 101248]
R3 SWUMX56;Sierra Wireless USB MUX Driver (UMTS56);c:\windows\system32\DRIVERS\swumx56.sys [2007-06-27 73856]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2010-03-08 17:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2010-03-08 17:22]

2010-07-28 c:\windows\Tasks\User_Feed_Synchronization-{56F08615-5DD0-405B-ABA5-CB9B57A3FF01}.job
- c:\windows\system32\msfeedssync.exe [2010-06-13 04:30]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.gmail.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: internet
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-RunOnce-<NO NAME> - (no file)
Notify-GoToAssist - c:\program files\Citrix\GoToAssist\516\G2AWinLogon.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 19:19
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Thomas\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-28 19:21:59
ComboFix-quarantined-files.txt 2010-07-28 23:21

Pre-Run: 29,279,002,624 bytes free
Post-Run: 29,269,991,424 bytes free

- - End Of File - - 5D65E381A21FFC7F61BEF30D60B8270B
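As an added example that is not part of the original post and is not ComboFix's own code: a small Python parser for the log layout shown above. It splits the text into the "Files Created" entries and the REGEDIT4-style "Reg Loading Points", then produces the first things a helper would look at: kernel drivers that appeared inside the scan window, how many autostart entries sit under the Run keys, whether "EnableLUA"=0 (User Account Control switched off), and whether AppInit_DLLs is populated (a DLL named there is loaded into every process that maps user32.dll). SAMPLE_LOG is a constructed excerpt assembled from lines of the posted log so the script runs offline; the findings are review prompts, not malware verdicts.

```python
import re

# Constructed excerpt in the ComboFix log layout seen in the post above.
# The paths and values are copied from the posted log; this string is not
# ComboFix's own output file and is only here so the parser runs offline.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-28 05:51 . 2010-07-28 05:51 -------- d-----w- c:\program files\Alwil Software
2010-07-27 20:46 . 2010-07-27 20:46 63488 ----a-w- c:\users\Thomas\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-25 13:40 . 2010-07-25 13:40 6144 ----a-w- c:\windows\system32\drivers\kfkjpcuo.sys
2010-07-21 21:36 . 2010-07-21 21:36 6144 ----a-w- c:\windows\system32\drivers\wbxajdgf.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
"""

# Section banners look like "(((( Files Created from ... ))))".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# File lines: "<created> . <modified> <size|--------> <attrs> <path>".
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(-+|\d+) (\S{8}) (.+)$"
)
KEY_RE = re.compile(r"^\[(.+)\]$")            # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"=value


def parse_combofix(text):
    """Split a ComboFix log into file entries and registry loading points."""
    files, reg = [], {}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            files.append({
                "section": section, "created": created, "modified": modified,
                "size": None if size.startswith("-") else int(size),
                "is_dir": attrs.startswith("d"), "attrs": attrs, "path": path,
            })
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, [])
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            reg[key].append((m.group(1), m.group(2).strip()))
    return {"files": files, "reg": reg}


def review(parsed):
    """Defender-oriented review prompts from the parsed log (heuristics, not verdicts)."""
    findings = []
    for f in parsed["files"]:
        low = f["path"].lower()
        # A .sys file that appeared in system32\drivers during the scan window.
        if (f["section"] or "").startswith("Files Created") \
                and "\\system32\\drivers\\" in low and low.endswith(".sys"):
            findings.append(f"new kernel driver {f['path']} ({f['size']} bytes, created {f['created']})")
    for key, values in parsed["reg"].items():
        lk = key.lower()
        for name, value in values:
            if lk.endswith("\\policies\\system") and name == "EnableLUA" and value.startswith("0"):
                findings.append("EnableLUA=0: User Account Control is switched off")
            if name.lower() == "appinit_dlls" and value:
                findings.append(f"AppInit_DLLs is populated: {value} is loaded into every process that maps user32.dll")
        if lk.endswith("\\currentversion\\run"):
            findings.append(f"{len(values)} autostart entries under {key}")
    return findings


if __name__ == "__main__":
    for item in review(parse_combofix(SAMPLE_LOG)):
        print(" -", item)
```

Run it against a full log by reading the file into parse_combofix instead of SAMPLE_LOG; lines the regexes do not recognise (service lines, scheduled tasks, the catchme block) are simply skipped, so the parser degrades gracefully on sections it does not model.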



#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:06:23 AM

Posted 07 August 2010 - 12:03 PM

Hello standback27

Welcome to BleepingComputer :)
Hi, it is not a good idea to run ComboFix unless specifically asked to by a trained helper.
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section, paste in the text below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



