Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Apple's New Data & Privacy Portal Lets You Download Your Data

Featured Deal: Get The Pay What You Want: AWS Cloud Development Bundle Deal

Photo

Need Help analyzing Combofix log

Started by Teri.Gauntt , Aug 03 2010 02:12 PM

  • This topic is locked This topic is locked
2 replies to this topic

#1 Teri.Gauntt

Teri.Gauntt

  • Members
  • 1 posts
  • OFFLINE
    •  
  • Local time:12:17 PM

Posted 03 August 2010 - 02:12 PM

Earlier today I obtained a Yahoo messneger virus. I was told to use combofix to remove it. I downloaded the program and I just ran combofix, now I need help analyzing the log. How do I know if the virus has been removed?

ComboFix 10-08-03.01 - Teri 08/03/2010 14:34:54.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1739 [GMT -4:00]
Running from: c:\users\Teri\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Teri\g2mdlhlpx.exe
c:\users\Teri\GoToAssistDownloadHelper.exe
c:\windows\TEMP\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_0\dbdata.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-03 to 2010-08-03 )))))))))))))))))))))))))))))))
.

2010-08-03 18:45 . 2010-08-03 18:48 -------- d-----w- c:\users\Teri\AppData\Local\temp
2010-08-03 17:26 . 2010-08-03 18:12 -------- d-----w- c:\users\Teri\AppData\Local\NPE
2010-07-29 17:18 . 2010-07-29 17:18 -------- d-----w- c:\users\Teri\AppData\Roaming\Nikon
2010-07-29 16:32 . 2010-07-29 16:34 -------- d-----w- c:\program files\Common Files\Nikon
2010-07-29 16:32 . 2010-07-29 16:32 -------- d-----w- c:\programdata\Nikon
2010-07-29 16:31 . 2010-07-29 16:31 -------- d-----w- c:\program files\Nikon
2010-07-29 16:31 . 2010-07-29 16:31 -------- d-----w- c:\programdata\Ultima_T15
2010-07-29 16:31 . 2010-07-29 16:31 -------- d-----w- c:\programdata\EnterNHelp
2010-07-29 16:31 . 2010-07-29 16:31 -------- d-----w- c:\programdata\Clips
2010-07-29 16:28 . 2010-07-29 16:29 -------- d-----w- c:\program files\QuickTime
2010-07-29 16:28 . 2010-07-29 16:28 -------- d-----w- c:\programdata\Apple Computer
2010-07-29 16:27 . 2010-07-29 16:27 -------- d-----w- c:\program files\ArcSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-03 18:47 . 2008-11-19 16:56 31776 ----a-w- c:\programdata\nvModes.dat
2010-08-03 18:23 . 2008-11-18 17:07 -------- d-----w- c:\programdata\Yahoo! Companion
2010-08-03 18:23 . 2009-05-21 20:39 -------- d-----w- c:\programdata\Yahoo!
2010-08-03 18:23 . 2008-08-04 18:37 -------- d-----w- c:\program files\Yahoo!
2010-08-03 17:26 . 2010-04-29 07:16 -------- d-----w- c:\programdata\Norton
2010-08-02 17:37 . 2010-08-02 17:37 27591840 ----a-w- c:\programdata\Yahoo!\YUpdater\msgup1000_1270_us_u2.exe
2010-07-29 17:19 . 2010-07-29 16:31 20 ---h--w- c:\programdata\PKP_DLdu.DAT
2010-07-29 16:42 . 2010-07-29 16:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2010-07-29 16:35 . 2010-07-29 16:35 49152 ----a-r- c:\users\Teri\AppData\Roaming\Microsoft\Installer\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}\ARPPRODUCTICON.exe
2010-07-29 16:34 . 2010-07-29 16:34 335872 ----a-r- c:\users\Teri\AppData\Roaming\Microsoft\Installer\{237CD223-1B9D-47E8-A76C-E478B83CCEA2}\ARPPRODUCTICON.exe
2010-07-29 16:30 . 2008-08-04 17:01 106496 ----a-w- c:\windows\system32\ATL71.DLL
2010-07-29 16:27 . 2008-08-04 16:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-20 21:05 . 2010-04-05 19:35 -------- d-----w- c:\users\Teri\AppData\Roaming\Skype
2010-07-20 20:18 . 2010-04-05 19:37 -------- d-----w- c:\users\Teri\AppData\Roaming\skypePM
2010-07-15 07:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-01 17:38 . 2008-10-04 08:47 -------- d-----w- c:\programdata\CyberLink
2010-06-26 07:03 . 2008-08-04 18:15 -------- d-----w- c:\program files\Microsoft.NET
2010-06-08 19:52 . 2010-06-08 19:52 -------- d-----w- c:\program files\MSECache
2010-05-26 16:16 . 2010-06-10 14:44 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-10 14:44 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-25 17:03 . 2009-06-22 13:53 2379 ----a-w- c:\programdata\Intuit\QuickBooks 2008\qbbackup.sys
2010-05-13 15:55 . 2010-05-13 15:55 20 ----a-w- c:\programdata\FedEx\FSM\LDS\BACKUP\MCI1NP00.SCR
2010-05-13 15:55 . 2010-04-16 20:19 20 ----a-w- c:\programdata\FedEx\FSM\SCRIPT\MCI1NP00.SCR
2010-05-13 15:55 . 2010-05-13 15:55 18 ----a-w- c:\programdata\FedEx\FSM\LDS\DLOAD\MCI1NP00.SCR
2010-05-13 15:54 . 2008-11-18 16:27 84536 ----a-w- c:\users\Teri\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-13 15:51 . 2010-05-13 15:51 46432 ----a-r- c:\users\Teri\AppData\Roaming\Microsoft\Installer\{06A787F4-10AC-486F-8F90-5BA4A3B0CB75}\NewShortcut1_2617210572B04EA098F27D43D6959EDA.exe
2009-04-01 02:47 . 2009-06-23 13:55 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
2008-08-04 15:03 . 2008-08-04 15:03 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-02-26 2289664]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-06-12 468264]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-03-14 202032]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-04-15 70912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-02-06 622592]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-07-19 65536]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-12-11 286720]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]

c:\users\Teri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-9-11 972064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 FedExShipService;FedEx Shipping Engine;c:\program files\FedEx\ShipManager\BIN\ShipEngineService.exe [2010-04-16 5120]
R3 FedExTransactionService;FedEx Transaction Engine;c:\program files\FedEx\ShipManager\BIN\TransEngineService.exe [2010-04-16 6656]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20100729.001\IDSvix86.sys [2010-06-23 281648]
S2 FedExAdminService;FedEx Administration Service;c:\program files\FedEx\ShipManager\BIN\AdminService.exe [2010-04-16 24576]
S2 FedExLoggingService;FedEx Logging Service;c:\program files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe [2010-04-16 7168]
S2 FedExShipnetDBService;FedEx Shipnet Database Service;c:\program files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe -hvFedExShipnetDBService [x]
S2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\SMINST\BLService.exe [2008-04-26 361808]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-05-26 102448]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2009-02-19 41008]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-02-26 21:06 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: bankofamerica.com\direct-certs
FF - ProfilePath - c:\users\Teri\AppData\Roaming\Mozilla\Firefox\Profiles\7kdwcqkn.default\
FF - component: c:\program files\Mozilla Firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-03 14:49
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4004)
c:\windows\System32\NLSData0009.dll
c:\windows\system32\stobject.dll
c:\windows\system32\imapi2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\WLANExt.exe
c:\program files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\FedEx\ShipManager\Bin\FxConWnd.exe
c:\program files\FedEx\ShipManager\Bin\LDS.EXE
c:\program files\FedEx\ShipManager\Bin\EUSWORK.EXE
.
**************************************************************************
.
Completion time: 2010-08-03 14:57:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-03 18:57

Pre-Run: 153,688,166,400 bytes free
Post-Run: 153,920,159,744 bytes free

- - End Of File - - 1CC66B9CA77DA25E34DB623FA214C3B2

BC AdBot (Login to Remove)

 

#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:UK
  • Local time:04:17 PM

Posted 12 August 2010 - 06:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
    •  
  • Gender:Female
  • Location:At home
  • Local time:06:17 PM

Posted 19 August 2010 - 08:42 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+

Back to Virus, Trojan, Spyware, and Malware Removal Help


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Help
  4. Privacy Policy
  5. Rules ·