
combofix shuts down


  • This topic is locked
2 replies to this topic

#1 ch3fdan

ch3fdan

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:50 PM

Posted 02 January 2011 - 06:39 PM

Been fighting a good one for a couple of days....it shuts off any antivirus/malware programs except rkill.com, which kills the rootkit, but it only comes back. rkill says it's a \\.\globalroot\device\svhost.exe\svhost.exe, avira emergency boot cd is saying it's a crypt.xpack.gen which it removes only to come back again. combofix gets shut off!!! as well as mwb, sasw, avira is disabled, rootkit programs like gmar get shut off and on and on...this is a good one...... attached are the two logs from dds.scr and here's the dds.txt


DDS (Ver_10-12-12.02) - NTFSx86 MINIMAL
Run by kathie at 18:27:32.66 on Sun 01/02/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3070.2665 [GMT -5:00]

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\helppane.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Users\kathie\Desktop\dds.scr
C:\Windows\system32\conhost.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe
uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [NPSStartup]
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.exe
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue
StartupFolder: c:\users\kathie\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\users\kathie\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\users\kathie\appdata\roaming\micros~1\windows\startm~1\programs\startup\gmailn~1\gmailn~1.lnk - c:\program files\google\gmail notifier\gnotify.exe
StartupFolder: c:\users\kathie\appdata\roaming\micros~1\windows\startm~1\programs\startup\gmailn~1\uninst~1.lnk - c:\program files\google\gmail notifier\UninstallGmail.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\kathie\appdata\roaming\mozilla\firefox\profiles\1tvykw2m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkanevapatch.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-1-1 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-1-1 338880]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-1-1 98392]
S1 nltdi;nltdi;c:\program files\netlimiter 3\nltdi.sys [2010-8-30 5281672]
S1 SASDIFSV;SASDIFSV;c:\users\kathie\appdata\local\temp\sas_selfextract\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\users\kathie\appdata\local\temp\sas_selfextract\saskutil.sys [2010-5-10 67656]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-8 135336]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-8 267944]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-8 61960]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-3-14 238952]
S2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-1-1 366840]
S2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-1-1 1150936]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-3-14 36608]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\83EF.tmp [2011-1-1 6144]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-1-21 30963576]
S3 NLNdisMP;NLNdisMP;c:\windows\system32\drivers\nlndis.sys [2010-8-30 5230088]
S3 NLNdisPT;NetLimiter Ndis Protocol Service;c:\windows\system32\drivers\nlndis.sys [2010-8-30 5230088]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 ssecbus;Samsung Mobile Modem Device driver (WDM);c:\windows\system32\drivers\ssecbus.sys [2010-3-14 86528]
S3 ssecmdfl;Samsung Mobile Modem Device 2 Filter;c:\windows\system32\drivers\ssecmdfl.sys [2010-3-14 14976]
S3 ssecmdm;Samsung Mobile Modem Device 2 Driver;c:\windows\system32\drivers\ssecmdm.sys [2010-3-14 114304]

=============== Created Last 30 ================

2011-01-02 23:04:16 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2011-01-02 23:04:16 -------- d-----w- c:\users\kathie\appdata\roaming\Spyware Terminator
2011-01-02 23:04:15 -------- d-----w- c:\program files\Spyware Terminator
2011-01-02 23:04:15 -------- d-----w- c:\progra~2\Spyware Terminator
2011-01-02 23:02:26 666952 ----a-w- C:\SpywareTerminatorSetup.exe
2011-01-02 22:55:41 4012504 ----a-w- C:\Cx.exe
2011-01-02 03:14:30 4012260 ----a-w- C:\xxx.exe
2011-01-02 00:02:04 6144 ------w- c:\windows\system32\83EF.tmp
2011-01-02 00:01:21 6144 ------w- c:\windows\system32\DBFC.tmp
2011-01-02 00:01:16 -------- d-----w- c:\program files\Sophos
2011-01-01 23:51:26 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-01-01 23:42:13 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2011-01-01 23:42:13 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2011-01-01 23:42:13 249616 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2011-01-01 23:42:13 102184 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2011-01-01 23:42:11 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2011-01-01 23:42:11 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-01-01 23:42:09 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2011-01-01 23:42:06 -------- d-----w- c:\program files\common files\PC Tools
2011-01-01 23:42:05 -------- d-----w- c:\users\kathie\appdata\roaming\PC Tools
2011-01-01 23:42:05 -------- d-----w- c:\program files\PC Tools Security
2011-01-01 23:41:04 -------- d-----w- c:\progra~2\PC Tools
2011-01-01 20:25:21 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-01-01 20:25:21 27984 ----a-w- c:\windows\system32\sbbd.exe
2011-01-01 20:25:17 -------- d-----w- C:\VIPRERESCUE
2011-01-01 20:21:13 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-01-01 20:21:12 -------- d-----w- c:\users\kathie\appdata\roaming\SUPERAntiSpyware.com
2011-01-01 19:56:03 -------- d-----w- C:\SDFix
2010-12-29 23:46:52 -------- d--h--w- c:\progra~2\CanonIJScan
2010-12-29 23:27:54 307200 ----a-w- c:\windows\system32\CNC870L.dll
2010-12-29 23:27:54 15872 ----a-w- c:\windows\system32\CNHMCA.dll
2010-12-29 23:27:54 1310720 ----a-w- c:\windows\system32\CNC870C.dll
2010-12-29 23:27:54 110592 ----a-w- c:\windows\system32\CNC870I.dll
2010-12-29 23:27:54 102400 ----a-w- c:\windows\system32\CNC870U.dll
2010-12-29 23:26:14 -------- d-----w- c:\program files\common files\CANON
2010-12-29 23:22:53 179200 ----a-w- c:\windows\system32\CNMIUA7.DLL
2010-12-29 23:22:34 354816 ----a-w- c:\windows\system32\CNMNPPM.DLL
2010-12-29 23:22:34 137216 ----a-w- c:\windows\system32\CNMNPUI.DLL
2010-12-29 23:22:34 -------- d-----w- c:\windows\system32\STRING
2010-12-29 23:22:33 -------- d-----w- c:\windows\system32\CHM
2010-12-29 23:19:52 -------- d-----w- c:\program files\Canon
2010-12-23 01:12:17 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-12-23 01:11:52 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-12-23 01:10:21 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-12-23 01:09:40 -------- d-----w- c:\program files\Microsoft Analysis Services
2010-12-23 01:09:22 -------- d-----w- c:\users\kathie\appdata\local\Microsoft Help
2010-12-18 21:43:16 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-12-18 21:42:41 -------- d-----w- c:\program files\common files\L&H
2010-12-12 19:59:21 -------- d-----w- c:\program files\iTunes
2010-12-12 19:59:21 -------- d-----w- c:\program files\iPod
2010-12-12 19:59:21 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-12 19:55:40 -------- d-----w- c:\program files\Bonjour
2010-12-12 04:06:52 737072 ----a-w- c:\progra~2\microsoft\ehome\packages\sportsv2\sportstemplatecore-3\Microsoft.MediaCenter.Sports.UI.dll
2010-12-05 20:00:36 -------- d-----w- c:\program files\Kaneva
2010-12-05 00:22:44 -------- d-----w- c:\users\kathie\appdata\roaming\FrostWire

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-10-07 17:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 17:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 17:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 18:27:41.78 ===============

Attached Files

  • Attached File  log.zip   8.51KB   0 downloads

Edited by ch3fdan, 02 January 2011 - 06:53 PM.
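The log above is the kind of thing a helper reads by eye, but the two tell-tale items (a process running from a `\\.\globalroot\Device\...` path with a system binary's name, and the `mPolicies-system` lines showing UAC switched off) can be picked out mechanically. The following Python script is an added example for this thread; it is not part of the original post, not BleepingComputer's or the DDS tool's code. It assumes only the section layout visible in the posted log (`====== Title ======` banners), the sample lines inside it are constructed from that log, and the "trusted roots" list is a triage heuristic, not a definition of what is clean.

```python
"""Flag entries in a DDS-style log that deserve an analyst's attention.

Added example modelled on the log posted above; the section format and
the sample lines are reconstructed from it, and the lists of trusted
directories and system binary names are triage assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines in the shape of the "Running Processes"
# and "Pseudo HJT Report" sections of the posted DDS log.
SAMPLE_LOG = r"""============== Running Processes ===============

C:\Windows\system32\wininit.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Users\kathie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

============= FINISH: 18:27:41.78 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Leading path of a process line, quoted or not, up to the executable
# extension; whatever follows (e.g. "-k DcomLaunch") is arguments.
PATH_RE = re.compile(r'^"?([^"]+?\.(?:exe|scr|com|dll))"?(?:\s|$)', re.IGNORECASE)
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")

# Heuristic assumptions: where executables normally live, and which names
# are only expected from the Windows directory itself.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_BINARIES = {"svchost.exe", "wininit.exe", "lsm.exe", "csrss.exe",
                   "services.exe", "lsass.exe", "explorer.exe", "conhost.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}
# UAC policy values (HKLM\...\Policies\System) that weaken elevation.
WEAK_POLICIES = {
    ("EnableLUA", 0): "UAC disabled (EnableLUA = 0)",
    ("ConsentPromptBehaviorAdmin", 0): "admins elevate without any prompt",
    ("PromptOnSecureDesktop", 0): "elevation prompts not on the secure desktop",
}


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections: Dict[str, List[str]] = {}
    current = "PREAMBLE"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def check_process(entry: str) -> List[str]:
    """Reasons a 'Running Processes' entry deserves a second look."""
    m = PATH_RE.match(entry)
    if not m:
        return ["unparseable process path"]
    low = m.group(1).lower()
    reasons: List[str] = []
    if low.startswith("\\\\.\\") or "globalroot" in low:
        reasons.append("device-namespace path, not a normal file location")
    elif not low.startswith(TRUSTED_ROOTS):
        # Also catches legitimate tools run from a user profile (dds.scr
        # itself); the point is to surface them, the analyst decides.
        reasons.append("executable outside Windows/Program Files")
    directory, _, name = low.rpartition("\\")
    if name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        reasons.append(f"system binary name '{name}' loaded from '{directory}'")
    return reasons


def check_policy(entry: str) -> List[str]:
    """Reasons an mPolicies-system line weakens the machine's defences."""
    m = POLICY_RE.match(entry)
    if not m:
        return []
    key = (m.group(1), int(m.group(2)))
    return [WEAK_POLICIES[key]] if key in WEAK_POLICIES else []


def audit_dds(text: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) pairs for every flagged line in the log."""
    sections = parse_sections(text)
    findings: List[Tuple[str, str]] = []
    for entry in sections.get("Running Processes", []):
        findings.extend((entry, r) for r in check_process(entry))
    for entry in sections.get("Pseudo HJT Report", []):
        findings.extend((entry, r) for r in check_policy(entry))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_dds(SAMPLE_LOG):
        print(f"{reason:55} <- {entry}")
```

Run against the sample it flags the `\\.\globalroot\Device\svchost.exe\svchost.exe` entry twice (device-namespace path, and a system binary name outside the Windows directory), lists `dds.scr` on the Desktop for review, and reports the three UAC policy values; the genuine `wininit.exe` and `svchost.exe -k DcomLaunch` lines pass. It reads the same log text that gets pasted into a thread, so it needs nothing from the affected machine.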




#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:50 AM

Posted 07 January 2011 - 09:09 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:50 AM

Posted 12 January 2011 - 07:48 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.
m0le is a proud member of UNITE
