Earlier today I obtained a Yahoo Messenger virus. I was told to use ComboFix to remove it. I downloaded the program and I just ran ComboFix; now I need help analyzing the log. How do I know if the virus has been removed?
ComboFix 10-08-03.01 - Teri 08/03/2010 14:34:54.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1739 [GMT -4:00]
Running from: c:\users\Teri\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Teri\g2mdlhlpx.exe
c:\users\Teri\GoToAssistDownloadHelper.exe
c:\windows\TEMP\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_0\dbdata.dll
.
((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.
2010-08-03 18:45 . 2010-08-03 18:48 -------- d-----w- c:\users\Teri\AppData\Local\temp
2010-08-03 17:26 . 2010-08-03 18:12 -------- d-----w- c:\users\Teri\AppData\Local\NPE
2010-07-29 17:18 . 2010-07-29 17:18 -------- d-----w- c:\users\Teri\AppData\Roaming\Nikon
2010-07-29 16:32 . 2010-07-29 16:34 -------- d-----w- c:\program files\Common Files\Nikon
2010-07-29 16:32 . 2010-07-29 16:32 -------- d-----w- c:\programdata\Nikon
2010-07-29 16:31 . 2010-07-29 16:31 -------- d-----w- c:\program files\Nikon
2010-07-29 16:31 . 2010-07-29 16:31 -------- d-----w- c:\programdata\Ultima_T15
2010-07-29 16:31 . 2010-07-29 16:31 -------- d-----w- c:\programdata\EnterNHelp
2010-07-29 16:31 . 2010-07-29 16:31 -------- d-----w- c:\programdata\Clips
2010-07-29 16:28 . 2010-07-29 16:29 -------- d-----w- c:\program files\QuickTime
2010-07-29 16:28 . 2010-07-29 16:28 -------- d-----w- c:\programdata\Apple Computer
2010-07-29 16:27 . 2010-07-29 16:27 -------- d-----w- c:\program files\ArcSoft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 18:47 . 2008-11-19 16:56 31776 ----a-w- c:\programdata\nvModes.dat
2010-08-03 18:23 . 2008-11-18 17:07 -------- d-----w- c:\programdata\Yahoo! Companion
2010-08-03 18:23 . 2009-05-21 20:39 -------- d-----w- c:\programdata\Yahoo!
2010-08-03 18:23 . 2008-08-04 18:37 -------- d-----w- c:\program files\Yahoo!
2010-08-03 17:26 . 2010-04-29 07:16 -------- d-----w- c:\programdata\Norton
2010-08-02 17:37 . 2010-08-02 17:37 27591840 ----a-w- c:\programdata\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-07-29 17:19 . 2010-07-29 16:31 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-07-29 16:42 . 2010-07-29 16:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-07-29 16:35 . 2010-07-29 16:35 49152 ----a-r- c:\users\Teri\AppData\Roaming\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2010-07-29 16:34 . 2010-07-29 16:34 335872 ----a-r- c:\users\Teri\AppData\Roaming\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2010-07-29 16:30 . 2008-08-04 17:01 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-07-29 16:27 . 2008-08-04 16:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 21:05 . 2010-04-05 19:35 -------- d-----w- c:\users\Teri\AppData\Roaming\Skype
2010-07-20 20:18 . 2010-04-05 19:37 -------- d-----w- c:\users\Teri\AppData\Roaming\skypePM
2010-07-15 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-01 17:38 . 2008-10-04 08:47 -------- d-----w- c:\programdata\CyberLink
2010-06-26 07:03 . 2008-08-04 18:15 -------- d-----w- c:\program files\Microsoft.NET
2010-06-08 19:52 . 2010-06-08 19:52 -------- d-----w- c:\program files\MSECache
2010-05-26 16:16 . 2010-06-10 14:44 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-10 14:44 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-25 17:03 . 2009-06-22 13:53 2379 ----a-w- c:\programdata\Intuit\QuickBooks 2008\qbbackup.sys
2010-05-13 15:55 . 2010-05-13 15:55 20 ----a-w- c:\programdata\FedEx\FSM\LDS\BACKUP\MCI1NP00.SCR
2010-05-13 15:55 . 2010-04-16 20:19 20 ----a-w- c:\programdata\FedEx\FSM\SCRIPT\MCI1NP00.SCR
2010-05-13 15:55 . 2010-05-13 15:55 18 ----a-w- c:\programdata\FedEx\FSM\LDS\DLOAD\MCI1NP00.SCR
2010-05-13 15:54 . 2008-11-18 16:27 84536 ----a-w- c:\users\Teri\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-13 15:51 . 2010-05-13 15:51 46432 ----a-r- c:\users\Teri\AppData\Roaming\Microsoft\Installer\{06A787F4-10AC-486F-8F90-5BA4A3B0CB75}\NewShortcut1_2617210572B04EA098F27D43D6959EDA.exe
2009-04-01 02:47 . 2009-06-23 13:55 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-08-04 15:03 . 2008-08-04 15:03 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-06 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]
c:\users\Teri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-9-11 972064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 FedExShipService;FedEx Shipping Engine;c:\program files\FedEx\ShipManager\BIN\ShipEngineService.exe [2010-04-16 5120]
R3 FedExTransactionService;FedEx Transaction Engine;c:\program files\FedEx\ShipManager\BIN\TransEngineService.exe [2010-04-16 6656]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20100729.001\IDSvix86.sys [2010-06-23 281648]
S2 FedExAdminService;FedEx Administration Service;c:\program files\FedEx\ShipManager\BIN\AdminService.exe [2010-04-16 24576]
S2 FedExLoggingService;FedEx Logging Service;c:\program files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe [2010-04-16 7168]
S2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe -hvFedExShipnetDBService [x]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 21:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: bankofamerica.com\direct-certs
FF - ProfilePath - c:\users\Teri\AppData\Roaming\Mozilla\Firefox\Profiles\7kdwcqkn.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2010-08-03 14:49
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(4004)
c:\windows\System32\NLSData0009.dll
c:\windows\system32\stobject.dll
c:\windows\system32\imapi2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\FedEx\ShipManager\Bin\FxConWnd.exe
c:\program files\FedEx\ShipManager\Bin\LDS.EXE
c:\program files\FedEx\ShipManager\Bin\EUSWORK.EXE
.
**************************************************************************
.
Completion time: 2010-08-03 14:57:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-03 18:57
Pre-Run: 153,688,166,400 bytes free
Post-Run: 153,920,159,744 bytes free
- - End Of File - - 1CC66B9CA77DA25E34DB623FA214C3B2