Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Combofix log


  • This topic is locked This topic is locked
2 replies to this topic

#1 jstarbeam

jstarbeam

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:08:10 PM

Posted 16 August 2010 - 04:38 PM

Here is my combofix log. I have a hijacker somewhere that is disabling internet explorer, it works fine in safe mode butwill not run in regular mode. I get an http:/// in the broweser or an error the webpage can't be opened. I have also run malware bytes superantivirus and spybot. Help!

Vista 32 bit Compaq CQ60

ComboFix 10-08-16.01 - Jody 08/16/2010 14:01:48.1.1 - x86 NETWORK
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2814.2337 [GMT -7:00]
Running from: c:\users\Jody\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\CyberDefender
c:\program files\CyberDefender\Registry Cleaner\unins000.dat
c:\program files\CyberDefender\Registry Cleaner\unins000.msg
c:\users\Jody\AppData\Roaming\CyberDefender

.
((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
.

2010-08-16 21:09 . 2010-08-16 21:10 -------- d-----w- c:\users\Jody\AppData\Local\temp
2010-08-16 21:09 . 2010-08-16 21:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-16 05:35 . 2010-08-16 05:35 63488 ----a-w- c:\users\Jody\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-16 05:35 . 2010-08-16 05:35 52224 ----a-w- c:\users\Jody\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-16 05:35 . 2010-08-16 05:35 117760 ----a-w- c:\users\Jody\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-16 05:35 . 2010-08-16 05:35 -------- d-----w- c:\users\Jody\AppData\Roaming\SUPERAntiSpyware.com
2010-08-16 05:35 . 2010-08-16 05:35 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-16 05:34 . 2010-08-16 05:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-16 03:51 . 2010-08-16 03:51 -------- d-----w- c:\users\Jody\AppData\Roaming\Yahoo!
2010-08-16 03:51 . 2010-08-16 03:51 -------- d-----w- c:\programdata\Yahoo! Companion
2010-08-16 03:51 . 2010-08-16 03:51 -------- d-----w- c:\program files\Yahoo!
2010-08-16 03:51 . 2010-08-16 03:51 -------- d-----w- c:\program files\CCleaner
2010-08-15 18:05 . 2010-08-15 18:05 -------- d-----w- c:\users\Jody\AppData\Roaming\Malwarebytes
2010-08-15 18:05 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-15 18:05 . 2010-08-15 18:05 -------- d-----w- c:\programdata\Malwarebytes
2010-08-15 18:05 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-15 18:05 . 2010-08-15 18:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-15 09:11 . 2010-08-16 20:59 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-15 09:11 . 2010-08-15 09:11 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-15 08:34 . 2010-06-11 15:31 274432 ----a-w- c:\windows\system32\schannel.dll
2010-08-15 08:34 . 2010-05-27 19:16 81920 ----a-w- c:\windows\system32\iccvid.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 05:53 . 2009-08-10 01:26 31776 ----a-w- c:\programdata\nvModes.dat
2010-08-16 04:00 . 2009-08-09 23:51 75832 ----a-w- c:\users\Jody\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-15 16:59 . 2009-04-20 11:59 -------- d-----w- c:\program files\Microsoft Works
2010-08-15 09:05 . 2009-04-20 12:11 -------- d-----w- c:\programdata\Microsoft Help
2010-08-15 08:53 . 2009-04-20 11:28 -------- d-----w- c:\programdata\WildTangent
2010-07-23 05:26 . 2010-03-29 06:05 684 ----a-w- c:\users\Jody\AppData\Roaming\wklnhst.dat
2010-07-20 21:35 . 2010-06-11 04:14 -------- d-----w- c:\users\Jody\AppData\Roaming\iWin
2010-06-22 22:30 . 2010-06-22 22:30 -------- d-----w- c:\users\Jody\AppData\Roaming\funkitron
2010-06-22 17:53 . 2009-10-05 05:14 -------- d-----w- c:\users\Jody\AppData\Roaming\SPORE Creature Creator
2010-06-10 20:41 . 2010-06-01 05:34 16 ----a-w- c:\windows\popcinfo.dat
2010-05-26 22:24 . 2010-05-17 01:18 18488 ----a-w- c:\windows\Help\OEM\scripts\HPHC_BUY_BATTERY.exe
2010-05-26 16:16 . 2010-06-10 01:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-10 01:56 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 21:14 . 2009-10-02 18:13 221568 ------w- c:\windows\system32\MpSigStub.exe
2009-04-20 11:26 . 2009-04-20 11:16 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC78E410-0EFA-4BEC-B283-D1DB1922F420}]
2007-12-23 07:54 1445888 ----a-w- c:\program files\CoolChaser Layout Auto Insert\Toolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{B0208007-27C1-4BCD-93EF-EFF5DB61FC22}"= "c:\program files\CoolChaser Layout Auto Insert\Toolbar.dll" [2007-12-23 1445888]

[HKEY_CLASSES_ROOT\clsid\{b0208007-27c1-4bcd-93ef-eff5db61fc22}]
[HKEY_CLASSES_ROOT\FCTB000060531.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{80E55E64-0B78-4AA3-B48A-6CBF0536832A}]
[HKEY_CLASSES_ROOT\FCTB000060531.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{B0208007-27C1-4BCD-93EF-EFF5DB61FC22}"= "c:\program files\CoolChaser Layout Auto Insert\Toolbar.dll" [2007-12-23 1445888]

[HKEY_CLASSES_ROOT\clsid\{b0208007-27c1-4bcd-93ef-eff5db61fc22}]
[HKEY_CLASSES_ROOT\FCTB000060531.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{80E55E64-0B78-4AA3-B48A-6CBF0536832A}]
[HKEY_CLASSES_ROOT\FCTB000060531.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2007-12-21 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0305020.00B\BHDrvx86.sys [2007-12-27 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0305020.00B\ccHPx86.sys [2007-12-27 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20091230.004\IDSvix86.sys [2009-12-31 343088]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe [2007-12-27 117640]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-12-27 102448]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\N360\0305020.00B\SYMNDISV.SYS [2007-12-27 48688]
S0 adecvba;adecvba;c:\windows\system32\DRIVERS\adecvba.sys [2009-02-13 43520]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0305020.00B\SYMEFA.SYS [2007-12-27 310320]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-10 c:\windows\Tasks\HPCeeScheduleForJody.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-20 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Presario&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\Jody\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Inbox\ctbr.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{80f6f9bf-9fd1-4f41-9ddf-6dd070f4f62f} - (no file)
Toolbar-Locked - (no file)
Toolbar-{80f6f9bf-9fd1-4f41-9ddf-6dd070f4f62f} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{80F6F9BF-9FD1-4F41-9DDF-6DD070F4F62F} - (no file)
HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-16 14:10
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.5.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-16 14:12:33
ComboFix-quarantined-files.txt 2010-08-16 21:12

Pre-Run: 86,566,682,624 bytes free
Post-Run: 86,502,735,872 bytes free

- - End Of File - - D0A2FC0853A81934D17CAAE4AB664D32


BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:10 PM

Posted 24 August 2010 - 06:31 AM

Hello jstarbeam

Welcome to BleepingComputer smile.gif
==========================
  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under Custom scan's and fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll

  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
====================
Download the following GMER Rootkit Scanner from Here
  • Download the randomly named EXE file to your Desktop. Remember what its name is since it is randomly named.
  • Double click on the new random named exe file you downloaded and run it. If prompted about the Security Warning and Unknown Publisher go ahead and click on Run
  • It may take a minute to load and become available.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically only C:\ should be checked)
  • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop
  • **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
  • Click OK and quit the GMER program.
  • Note: On Firefox you need to go to Tools/Options/Main then under the Downloads section, click on Always ask me where to save files so that you can choose the name and where to save to, in this case your Desktop.
  • Post that log in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:10 PM

Posted 22 November 2010 - 07:48 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users