ComboFix


This topic is locked
2 replies to this topic

#1 joscastel


Posted 13 December 2010 - 06:31 PM

This is my ComboFix log file; could somebody help me with this?
Thanks in advance.
--------------------
ComboFix 10-12-13.02 - Administrador 13/12/2010 17:49:56.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.735.412 [GMT -5:00]
Running from: c:\documents and settings\Administrador\Escritorio\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dfinstall.log
c:\windows\system32\AutoRun.inf
c:\windows\system32\Cache
c:\windows\system32\esclavx.cfg
c:\windows\system32\explorer.exe

Infected copy of c:\windows\regedit.exe was found and disinfected
Restored copy from - c:\windows\XPize Darkside\Backup\regedit.exe

.
((((((((((((((((((((((((( Files Created from 2010-11-13 to 2010-12-13 )))))))))))))))))))))))))))))))
.

2010-12-13 22:56 . 2010-12-13 22:56 -------- d-----w- c:\windows\system32\wbem\snmp
2010-12-13 22:56 . 2010-12-13 22:56 -------- d-----w- c:\windows\system32\xircom
2010-12-13 22:56 . 2010-12-13 22:56 -------- d-----w- c:\windows\system32\oobe
2010-12-13 22:56 . 2010-12-13 22:56 -------- d-----w- c:\windows\srchasst
2010-12-12 00:22 . 2010-12-12 00:22 -------- d-----w- c:\documents and settings\Pantalla5\Datos de programa\Uniblue
2010-12-01 03:16 . 2010-12-01 03:16 -------- d--h--w- c:\archivos de programa\Uniblue

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-11 02:22 . 2010-11-11 02:22 40448 ----a-w- c:\windows\system32\esclavohw.exe
2010-11-11 02:22 . 2009-06-19 15:35 1556480 ----a-w- c:\windows\system32\esclavo.exe
2010-11-11 02:18 . 2009-06-19 15:37 40960 ----a-w- c:\windows\system32\escmult.exe
2010-11-11 02:18 . 2009-05-31 04:45 45056 ----a-w- c:\windows\system32\escsrv.exe
2010-11-11 02:18 . 2009-06-19 15:37 53248 ----a-w- c:\windows\system32\escdll.dll
2010-11-01 19:43 . 2008-06-28 20:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-11-01 19:43 . 2008-06-28 20:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-09-18 17:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 05:48 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 05:48 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-24 16:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2009-04-24 02:46 . 2009-04-24 02:47 774144 ----a-w- c:\archivos de programa\RngInterstitial.dll
1998-05-06 02:43 . 2008-07-22 00:45 653824 ----a-r- c:\archivos de programa\I_view32.exe
.

------- Sigcheck -------


[-] 2008-04-14 . 97D44EE3E44CDC7035E3CB2EF20BABDB . 30208 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[7] 2008-04-14 . DAAE1CB1B1875B760496E7D3336DA1AD . 15360 . . [5.1.2600.5512] . . c:\windows\XPize Darkside\Backup\ctfmon.exe


[-] 2008-05-11 18:28 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll

c:\windows\System32\wscntfy.exe ... is missing !!
c:\windows\System32\regsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"\\HP-PANTALLA6\EPSON TX115 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIFBB.EXE" [2008-09-26 199680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-01-15 49152]
"PCTVOICE"="pctspk.exe" [2004-01-30 180224]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 843776]
"nod32kui"="c:\archivos de programa\Eset\nod32kui.exe" [2009-11-18 921600]
"UpdateReminder"="c:\archivos de programa\Eset\UpdateReminder.exe" [2010-12-03 434176]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 30208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\cristina\Menú Inicio\Programas\Inicio\
Acceso directo a servidor.exe.lnk - d:\cibercontrol\servidor.exe [2009-6-11 334822]

c:\documents and settings\Pantalla5\Menú Inicio\Programas\Inicio\
Acceso directo a firefox.lnk - c:\archivos de programa\Mozilla Firefox\firefox.exe [2009-4-30 912344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SMSlisto"="c:\archivos de programa\SMSlisto.com\SMSlisto\SMSlisto.exe" -nosplash -minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCTVOICE"=pctspk.exe
"GrooveMonitor"="c:\archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe"
"Adobe ARM"="c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe"
"TkBellExe"="c:\archivos de programa\real\realplayer\update\realsched.exe" -osboot
"NeroFilterCheck"=c:\archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Archivos de programa\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Archivos de programa\\SMSlisto.com\\SMSlisto\\SMSlisto.exe"=
"c:\\Archivos de programa\\InterVoip.com\\InterVoip\\InterVoip.exe"=
"d:\\CiberControl\\servidor.exe"=
"c:\\Archivos de programa\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Archivos de programa\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Archivos de programa\\Microsoft Office2000\\OFFICE11\\FRONTPG.EXE"=
"c:\\Archivos de programa\\SopCast\\SopCast.exe"=
"c:\\Archivos de programa\\SopCast\\adv\\SopAdver.exe"=
"c:\\Archivos de programa\\Ares\\Ares.exe"=
"c:\\Archivos de programa\\iTunes\\iTunes.exe"=
"c:\\Archivos de programa\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Archivos de programa\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Archivos de programa\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Archivos de programa\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Archivos de programa\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [28/06/2008 14:58 717296]
R2 escSrv;Cargador del Terminal;c:\windows\system32\escsrv.exe [30/05/2009 23:45 45056]
S3 RkPavproc1;RkPavproc1;c:\windows\system32\drivers\RkPavproc1.sys [13/12/2008 9:41 16952]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [18/08/2008 13:19 223128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-1292428093-1606980848-1017.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2010-10-20 23:32]

2010-12-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2025429265-1292428093-1606980848-500.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2010-10-20 23:32]

2010-12-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-1292428093-1606980848-1017.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2010-10-20 23:32]

2010-12-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2025429265-1292428093-1606980848-500.job
- c:\archivos de programa\Real\RealUpgrade\realupgrade.exe [2010-10-20 23:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://medicion.une.net.co/
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\imon.dll
TCP: {DE579784-BC8A-4AB5-BCC9-B201823B392C} = 200.13.249.101,200.13.224.254
FF - ProfilePath - c:\documents and settings\Pantalla5\Datos de programa\Mozilla\Firefox\Profiles\8tdb020m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.congeneiros.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Datos de programa\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -

AddRemove-VIA Audio Driver Setup Program - c:\archivos de programa\VIA Technologies



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-13 17:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–|ÿÿÿÿ¤•|ù•9~*]
"A0C0710900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(604)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\imon.dll
c:\archivos de programa\Eset\pr_imon.dll

- - - - - - - > 'explorer.exe'(3888)
c:\windows\system32\WININET.dll
c:\windows\System32\cscui.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\archivos de programa\Java\jre6\bin\jqs.exe
c:\archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\mdm.exe
c:\archivos de programa\Eset\nod32krn.exe
c:\archivos de programa\CyberLink\Shared Files\RichVideo.exe
c:\archivos de programa\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\pctspk.exe
c:\archivos de programa\Archivos comunes\Ahead\Lib\NMIndexStoreSvr.exe
c:\archivos de programa\Archivos comunes\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wbem\wmiapsrv.exe
.
**************************************************************************
.
Completion time: 2010-12-13 18:00:52 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-13 23:00

Pre-Run: 5.199.765.504 bytes libres
Post-Run: 5.205.430.272 bytes libres

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 392426A86CA0BE0F2580FFCA480A668D

Edited by hamluis, 13 December 2010 - 06:34 PM.
Moved from XP to Malware Removal Logs ~ Hamluis.



#2 m0le

  • Malware Response Team

Posted 22 December 2010 - 09:54 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

  • Malware Response Team

Posted 27 December 2010 - 08:01 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE