
Newbie and need help on understanding ComboFix log


  • This topic is locked
2 replies to this topic

#1 redtambisan

redtambisan

  • Members
  • 1 posts
  • OFFLINE
  • Local time:02:34 PM

Posted 18 October 2010 - 11:55 PM

Good day to all,

Finally found a site that could explain a few things. I have been following to the letter the instructions posted on using ComboFix, and hence it asked me to post it in this forum so that the experts here could assist me in understanding the log report generated. Also looking forward to understanding more about various problems in keeping our computer clean from unwarranted infections. Appreciate very much everyone's effort to assist. Thanks in advance to all.

I'm posting the log report below:

ComboFix 10-10-18.03 - ADMIN 19/10/2010 12:18:54.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1006.474 [GMT 8:00]
Running from: c:\documents and settings\ADMIN\Desktop\ComboFix.exe
AV: Panda Antivirus + Firewall 2008 *On-access scanning disabled* (Updated) {EEE2D94A-D4C1-421A-AB2C-2CE8FE51747A}
FW: Panda Antivirus 2008 Personal Firewall *disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
.
---- Previous Run -------
.
c:\recycler\S-1-5-21-1446566789-5562662087-814030034-3720
c:\recycler\S-1-5-21-2735382929-2681205626-3609426877-500
c:\recycler\S-1-5-21-5920528388-3948788323-671452322-8886
c:\recycler\S-1-5-21-7205412676-5331250458-926928963-3703
c:\recycler\S-1-5-21-7205412676-5331250458-926928963-3703\Desktop.ini
c:\recycler\S-1-5-21-7205412676-5331250458-926928963-3703\MsMxEng.exe
c:\recycler\S-1-5-21-7719386926-4973338857-523654168-6737
c:\recycler\S-1-5-21-8307262849-0573463925-228711669-4104
c:\recycler\S-1-5-21-8778223603-3402692940-313784445-1898

----- BITS: Possible infected sites -----

hxxp://www.mp3codecinstall.net
.
((((((((((((((((((((((((( Files Created from 2010-09-19 to 2010-10-19 )))))))))))))))))))))))))))))))
.

2010-10-13 06:36 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-10-13 06:36 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 06:36 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 06:35 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-01 06:53 . 2010-10-01 06:53 -------- d-----w- c:\documents and settings\ADMIN\Application Data\GRETECH
2010-09-30 23:56 . 2010-10-05 05:10 -------- d-----w- c:\documents and settings\ADMIN\Application Data\Command and Conquer 3 Tiberium Wars
2010-09-29 06:24 . 2007-06-27 09:00 61440 ----a-r- c:\windows\system32\zIMF.dll
2010-09-29 06:24 . 2007-06-27 09:00 53248 ----a-r- c:\windows\system32\ztag.dll
2010-09-29 06:24 . 2007-06-27 09:00 106496 ----a-r- c:\windows\system32\ZSPOOL.dll
2010-09-29 06:24 . 2007-06-27 09:00 102400 ----a-r- c:\windows\system32\zlhp2600.dll
2010-09-29 06:24 . 2007-06-27 09:00 352256 ----a-r- c:\windows\system32\zshp2600.exe
2010-09-29 06:24 . 2007-06-27 09:00 57344 ----a-r- c:\windows\system32\Spool\prtprocs\w32x86\zimfprnt.dll
2010-09-28 00:34 . 2010-10-12 00:09 -------- d-----w- c:\documents and settings\ADMIN\Application Data\foobar2000
2010-09-28 00:34 . 2010-09-28 00:34 -------- d-----w- c:\program files\foobar2000
2010-09-23 02:01 . 2006-01-18 05:55 290918 ----a-w- c:\windows\system32\Install7x.dll
2010-09-23 02:01 . 2005-11-30 03:33 2048 ----a-w- c:\windows\system32\drivers\rt73.bin
2010-09-23 02:01 . 2005-10-17 11:50 245376 ----a-w- c:\windows\system32\drivers\rt2500usb.SYS
2010-09-23 02:01 . 2005-05-17 08:24 311296 ----a-w- c:\windows\system32\AegisI5.exe
2010-09-23 02:01 . 2010-09-23 02:01 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-09-23 02:01 . 2006-02-07 07:40 204800 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iuser.dll
2010-09-23 02:01 . 2006-02-07 07:40 69715 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\ctor.dll
2010-09-23 02:01 . 2006-02-07 07:40 274432 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iscript.dll
2010-09-23 02:01 . 2010-09-23 02:01 200836 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iGdi.dll
2010-09-23 02:01 . 2006-02-07 07:45 757760 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\iKernel.dll
2010-09-23 02:01 . 2010-09-23 02:01 331908 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\11\50\Intel32\setup.dll
2010-09-23 01:59 . 2006-01-12 11:46 252928 ----a-w- c:\windows\system32\drivers\rt73.sys
2010-09-22 10:10 . 2010-09-22 10:10 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-09-22 07:47 . 2010-09-22 07:48 -------- d-----w- c:\program files\Software Shelf International Inc
2010-09-21 02:39 . 2010-09-22 04:56 -------- d-----w- c:\program files\iCare Data Recovery

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-08-27 327472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"APVXDWIN"="c:\program files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" [2007-10-04 455984]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-04-14 1040384]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TL-WN321G Wireless Utility.lnk - c:\program files\TP-LINK\TL-WN321G Wireless Utility\Installer\WINXP\TWCU.exe [2010-9-23 622592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
2007-02-16 02:02 50736 ----a-w- c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe"
"SJelite3Launch"=c:\documents and settings\ADMIN\Application Data\Transcend\SJelite3\SJelite3Launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"IAAnotif"=c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" silent
"Mouse Suite 98 Daemon"=ICO.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Huawei technologies\\Huawei UMTS Data Card\\3 DataModem HSDPA.exe"=

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [05/09/2009 03:12 71608]
R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [05/09/2009 03:12 51256]
R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [05/09/2009 03:12 21816]
R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [05/09/2009 03:12 191672]
R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [05/09/2009 03:12 132664]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [05/09/2009 03:08 38968]
R1 SMSFLT;SMS Filter Plugin;c:\windows\system32\drivers\smsflt.sys [05/09/2009 03:12 37304]
R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [05/09/2009 03:12 30648]
R2 cpoint;Panda CPoint Driver;c:\windows\system32\drivers\cpoint.sys [05/09/2009 03:12 24760]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [05/09/2009 03:08 178872]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [27/08/2010 20:59 1051968]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [26/06/2009 10:30 2054680]
R3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys --> c:\windows\system32\drivers\av5flt.sys [?]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [26/06/2009 10:21 144992]
R3 NETIMFLT01050097;PANDA NDIS IM Filter Miniport v1.5.0.97;c:\windows\system32\drivers\netimflt.sys [05/09/2009 03:12 143160]
R3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [14/10/2009 07:24 10064]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [18/08/2008 14:34 37184]

--- Other Services/Drivers In Memory ---

*Deregistered* - ComFiltr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-10-15 c:\windows\Tasks\Automatic maintenance.job
- c:\program files\TuneUp Utilities 2010\OneClickStarter.exe [2010-08-27 13:04]

2010-10-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 07:07]

2010-10-19 c:\windows\Tasks\User_Feed_Synchronization-{F947BDD3-5255-48EC-BEC3-3559555FA809}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fptb-tyc7
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Panda Security\Panda Antivirus + Firewall 2008\pavlsp.dll
FF - ProfilePath - c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\4jenp0d7.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.pipelining - false
FF - user.js: network.http.proxy.pipelining - false
FF - user.js: network.http.pipelining.ssl - false
FF - user.js: network.http.pipelining.maxrequests - 4
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1544)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\avldr.dll
.
Completion time: 2010-10-19 12:22:41
ComboFix-quarantined-files.txt 2010-10-19 04:22

Pre-Run: 5,860,474,880 bytes free
Post-Run: 5,813,362,688 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 8FFAEB7D782D305E2863B5E39E805233

Edited by Blade Zephon, 19 October 2010 - 04:13 PM.
Moved to log forum. ~BZ




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:34 AM

Posted 27 October 2010 - 06:54 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:06:34 AM

Posted 01 November 2010 - 08:37 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
