
combofix deleting desktop files


21 replies to this topic

#1 kshiz (Members)

Posted 18 February 2011 - 09:17 AM

Recently ComboFix (in the past 2 days) has been deleting a folder on Vista/W7 systems.
The folder is c:\programdata, and it will also delete most desktop icons.
I have used ComboFix for years and never had this issue.

I have not verified this on XP. All searches come up with this issue in early 2010.
It does not quarantine any desktop items, just deletes them.

I was able to run System Restore and get back the desktop data most of the time.

Is this a bug?

Edited by Orange Blossom, 18 February 2011 - 05:09 PM.
Move to AV forum. ~ OB



#2 sUBs (Malware Response Team)

Posted 18 February 2011 - 09:42 PM

> folder is c:\programdata

Do you have ComboFix's log for these deletions?

#3 sUBs (Malware Response Team)

Posted 18 February 2011 - 10:01 PM

> Do you have ComboFix's log for these deletions?

That won't be necessary anymore. There was a typo in ComboFix that caused this.

If you're game, would you mind running an updated copy of ComboFix?

#4 Kiskatoo (Members)

Posted 18 February 2011 - 11:14 PM

I don't know if this is related, but I've been using ComboFix for years now and never had this happen: this time ComboFix deleted my programdata/desktop folder. I'm not really sure what to do about it. I used the most recent copy of ComboFix (freshly downloaded today) and had all of my anti-virus programs turned off. I did it just like I've done it the six other times I've had to ComboFix something, so I'm a little confused. It also deleted a How To txt file, but nothing else.

What should I do?

#5 sUBs (Malware Response Team)

Posted 18 February 2011 - 11:17 PM

To undo the changes, it would be easier if you deploy Windows System Restore to go back to the time before ComboFix was run.

#6 Kiskatoo (Members)

Posted 18 February 2011 - 11:26 PM

When I went to System Restore to use the most recent restore point, it showed there were no restore points on this computer at all.

#7 Ried (Malware Response Team)

Posted 18 February 2011 - 11:33 PM

Hello Kiskatoo,

ComboFix creates a restore point when it first runs, so it's odd that you don't have any restore points available. How long ago did you run ComboFix?

Microsoft MVP - Consumer Security 2010, 2011, 2012

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."


#8 Kiskatoo (Members)

Posted 18 February 2011 - 11:36 PM

I have the log if you'd like to see it, but I started it at 10:31 pm (EST - USA) and it's now 11:35 EST USA.

It ran very briefly, went through (I think) 50 stages, and then deleted the txt file and the programdata folder, then finished up and produced the log. Didn't restart or do anything it's done on my other Combofixes.

#9 Ried (Malware Response Team)

Posted 18 February 2011 - 11:37 PM

Yes, please post the ComboFix.txt



#10 Kiskatoo (Members)

Posted 18 February 2011 - 11:40 PM

ComboFix 11-02-17.02 - Admin 02/18/2011 22:31:27.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2814.1808 [GMT -5:00]
Running from: c:\users\Admin\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Desktop
c:\users\Admin\How to .txt

.
((((((((((((((((((((((((( Files Created from 2011-01-19 to 2011-02-19 )))))))))))))))))))))))))))))))
.

2011-02-19 03:47 . 2011-02-19 03:47 -------- d-----w- c:\users\pinky\AppData\Local\temp
2011-02-19 03:47 . 2011-02-19 03:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-19 03:47 . 2011-02-19 03:47 -------- d-----w- c:\users\brain\AppData\Local\temp
2011-02-19 03:17 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A50655E5-6BEF-465B-8C8D-758D779C0D54}\mpengine.dll
2011-02-13 22:24 . 2010-07-26 03:23 56496 ----a-w- c:\windows\system32\wbhelp2.dll
2011-02-13 22:24 . 2010-07-26 03:23 544768 ----a-w- c:\windows\system32\wbocx.ocx
2011-02-13 22:24 . 2010-07-26 03:23 33968 ----a-w- c:\windows\system32\anim.dll
2011-02-13 22:24 . 2010-07-26 03:23 4608 ----a-w- c:\windows\system32\W95INF32.DLL
2011-02-13 22:24 . 2010-07-26 03:23 2272 ----a-w- c:\windows\system32\W95INF16.DLL
2011-02-13 22:24 . 2011-02-14 00:10 -------- d-----w- c:\program files\WinUtilities
2011-02-12 01:09 . 2011-02-15 02:11 -------- d-----w- c:\users\pinky\.gimp-2.6
2011-02-11 02:15 . 2011-02-12 00:18 -------- d-----w- c:\users\Admin\.gimp-2.6
2011-02-11 02:13 . 2011-02-11 02:14 -------- d-----w- c:\program files\GIMP-2.0
2011-02-10 03:37 . 2011-01-20 14:26 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-02-10 03:37 . 2011-01-20 16:08 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-02-10 03:37 . 2011-01-20 14:11 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-02-10 03:37 . 2011-01-20 16:07 586240 ----a-w- c:\windows\system32\stobject.dll
2011-02-10 03:37 . 2011-01-20 16:04 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-02-10 03:37 . 2011-01-20 16:07 37376 ----a-w- c:\windows\system32\cdd.dll
2011-02-10 03:37 . 2011-01-20 16:04 98816 ----a-w- c:\windows\system32\mfps.dll
2011-02-10 03:37 . 2011-01-20 16:07 258048 ----a-w- c:\windows\system32\winspool.drv
2011-02-10 03:37 . 2011-01-20 16:06 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-02-10 03:37 . 2010-12-18 06:28 638232 ----a-w- c:\program files\Internet Explorer\iexplore.exe
2011-02-02 17:29 . 2011-02-02 17:59 -------- d-----w- c:\users\Admin\AppData\Roaming\vlc
2011-01-31 23:35 . 2011-01-31 23:35 -------- d-----w- c:\program files\iPod
2011-01-31 23:35 . 2011-01-31 23:37 -------- d-----w- c:\program files\iTunes
2011-01-31 11:18 . 2011-01-31 11:18 -------- d-----w- c:\users\brain\AppData\Roaming\Malwarebytes
2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-01-30 19:57 . 2011-01-30 19:57 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 08:47 . 2010-07-03 19:00 38848 ----a-w- c:\windows\avastSS.scr
2011-01-13 08:47 . 2010-06-03 02:42 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-01-13 08:41 . 2010-06-03 02:42 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-01-13 08:40 . 2010-06-03 02:42 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-01-13 08:37 . 2010-06-03 02:42 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-01-13 08:37 . 2010-06-03 02:42 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2011-01-13 08:37 . 2010-06-03 02:42 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-12-28 15:55 . 2011-01-12 16:05 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 16:05 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2009-04-30 00:07 . 2010-06-03 20:23 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-22 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-10-08 22:04 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
2009-01-16 20:00 136512 ----a-w- c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
2007-12-24 22:55 222504 ------w- c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
2008-06-14 01:11 210216 ------w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
2008-10-07 03:42 210216 ------w- c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 135664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-04-30 65224]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 aswSP;aswSP; [x]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-09-06 169312]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [2009-04-30 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-04-30 70216]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 OA004Ufd;Creative Camera OA004 Upper Filter Driver;c:\windows\system32\DRIVERS\OA004Ufd.sys [2008-06-03 144672]
S3 OA004Vid;Creative Camera OA004 Function Driver;c:\windows\system32\DRIVERS\OA004Vid.sys [2008-07-17 269760]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2011-02-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-22 01:49]

2011-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 03:07]

2011-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 03:07]

2011-02-16 c:\windows\Tasks\HPCeeScheduleForAdmin.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-25 18:34]

2011-01-31 c:\windows\Tasks\HPCeeScheduleForbrain.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-25 18:34]

2011-02-07 c:\windows\Tasks\HPCeeScheduleForpinky.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-25 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\v5197vva.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Aviary: {d5eeb813-935a-435d-b01e-b3a02f2cb408} - %profile%\extensions\{d5eeb813-935a-435d-b01e-b3a02f2cb408}
FF - Ext: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - %profile%\extensions\{91da5e8a-3318-4f8c-b67e-5964de3ab546}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\programdata\Google\Toolbar for Firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{91da5e8a-3318-4f8c-b67e-5964de3ab546} - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-Sidebar - %ProgramFiles%\Windows Sidebar\Sidebar.exe
AddRemove-GIF Animator - f:\portableapps\setup\GifACME.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-18 22:48
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Admin\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-02-18 23:03:11
ComboFix-quarantined-files.txt 2011-02-19 04:02

Pre-Run: 193,678,049,280 bytes free
Post-Run: 192,606,265,344 bytes free

- - End Of File - - A417B3B0BB831F97B15551ACB4044C7C

#11 Ried (Malware Response Team)

Posted 18 February 2011 - 11:45 PM

That folder appears to have been empty. Do you notice anything missing?

As a side note, I see IE proxy settings that are typically malware related. Are you experiencing any issues with IE?

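Added here as an illustration of the check Ried is pointing at; this PowerShell script is not part of the thread and is not ComboFix's own code. It reads the same Internet Settings values ComboFix reported, from every loaded user hive (the log shows three profiles: Admin, brain and pinky), parses the ProxyServer value, flags a proxy that points back at the local machine, and uses netstat to name the process listening on that port. The registry paths are the standard Windows ones; relying on netstat -ano for the port-to-PID lookup is an assumption about what a Vista-era machine has available.

```powershell
# Added example (not from the thread): triage of the IE proxy settings that ComboFix listed.
# Assumptions: Windows with PowerShell 2.0 or later, netstat.exe present. Nothing is changed.
#
# ProxyServer = http=127.0.0.1:5555 means every HTTP request from IE (and any program that
# uses WinINET) is handed to a listener on this machine. A local proxy by itself is not proof
# of malware (some AV web shields and debugging proxies work this way), so the script names
# the process behind the port and leaves the verdict to the analyst.

function ConvertFrom-ProxyServer {
    # ProxyServer is either "host:port" (one proxy for all protocols) or a
    # "scheme=host:port;scheme=host:port" list (http, https, ftp, socks).
    param([string]$Value)
    $entries = @()
    if (-not $Value) { return $entries }
    foreach ($part in ($Value -split ';')) {
        $hostPort = $part.Trim()
        if (-not $hostPort) { continue }
        $scheme = 'all'
        if ($hostPort -match '^(\w+)=(.+)$') { $scheme = $matches[1]; $hostPort = $matches[2] }
        # host may be a bracketed IPv6 literal; port is optional
        if ($hostPort -match '^(\[[^\]]+\]|[^:]+)(?::(\d+))?$') {
            $hostName = $matches[1]
            $port = if ($matches[2]) { [int]$matches[2] } else { 0 }
        } else {
            $hostName = $hostPort; $port = 0
        }
        $entries += New-Object PSObject -Property @{ Scheme = $scheme; HostName = $hostName; Port = $port }
    }
    return $entries
}

function Test-LoopbackHost {
    param([string]$HostName)
    return ($HostName -eq 'localhost' -or $HostName -like '127.*' -or
            $HostName -eq '::1' -or $HostName -eq '[::1]')
}

function Get-ListenerPid {
    # netstat -ano exists on XP/Vista/7; Get-NetTCPConnection only appears on Windows 8+.
    # Sample line:  TCP    127.0.0.1:5555    0.0.0.0:0    LISTENING    1234
    param([int]$Port)
    $pattern = '^\s*TCP\s+\S+:' + $Port + '\s+\S+\s+LISTENING\s+(\d+)\s*$'
    foreach ($line in (netstat -ano)) {
        if ($line -match $pattern) { return [int]$matches[1] }
    }
    return $null
}

# Per-user proxy settings live in each user's own hive, so check every loaded hive, not just
# HKCU. Hives of users who are not logged on are not loaded; check those after logging on as
# that user (or after loading the hive with reg load).
$userSids = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { $_.PSChildName }

foreach ($sid in $userSids) {
    $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $key)) { continue }
    $s = Get-ItemProperty -Path $key
    "== $sid"
    "   ProxyEnable=$($s.ProxyEnable)  ProxyServer=$($s.ProxyServer)  ProxyOverride=$($s.ProxyOverride)"
    if ($s.AutoConfigURL) { "   AutoConfigURL=$($s.AutoConfigURL)  <- a PAC script is another common hijack route" }

    foreach ($e in (ConvertFrom-ProxyServer $s.ProxyServer)) {
        if (Test-LoopbackHost $e.HostName) {
            "   [!] $($e.Scheme) traffic goes to loopback proxy $($e.HostName):$($e.Port)"
            $listenerPid = Get-ListenerPid $e.Port
            if ($listenerPid) {
                $p = Get-Process -Id $listenerPid -ErrorAction SilentlyContinue
                "       listener: PID $listenerPid  $($p.Name)  $($p.Path)"
            } else {
                "       nothing listens on port $($e.Port) right now; the listener may be gone or start on demand"
            }
        } else {
            "   [i] $($e.Scheme) traffic goes to remote proxy $($e.HostName):$($e.Port); confirm it is an expected corporate/ISP proxy"
        }
    }
}
```

Run it from an elevated prompt so Get-Process can read the image path of a listener owned by another account. If the port has no listener at the moment the script runs, do not treat that as a clean result: the proxy value still redirects traffic, and the process that was meant to receive it may only start with the browser or at the next logon.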


#12 Kiskatoo (Members)

Posted 18 February 2011 - 11:50 PM

I wouldn't know. This is my parents' computer and I'm not sure if they even use IE or not. I think my mom prefers Firefox, though. If there are IE issues they haven't mentioned them previously. I haven't noticed anything missing besides the usual web-addresses-not-being-filled-in-while-I-type, although it's a little strange that my computer continued to remember my cookies and all of that after the last Combofix and my mother's didn't. Other than that, no.

Can I just create a new programdata/desktop folder, or should I leave things be?

Also, have you any idea why there was no system restore point created?

#13 Ried (Malware Response Team)

Posted 19 February 2011 - 12:05 AM

It's not necessary to make a new folder. ComboFix makes backups of the deletions listed. Do this (this will also take care of the IE entries)

Delete your existing ComboFix.exe and download the latest version from here

Next, open notepad and copy/paste the text in the code box below into it:

DDS::
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:5555

DeQuarantine::
c:\programdata\Desktop

Save this as CFScript.txt, and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************


Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe and follow the prompts.




================================


Regarding no restore points, is System Restore turned on?



> I haven't noticed anything missing besides the usual web-addresses-not-being-filled-in-while-I-type,...


What browser are you referring to?

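Added as an example of doing by hand what the CFScript above asks ComboFix to do, followed by the System Restore check Ried raises; this is not code from the thread or from ComboFix. The proxy value and the deleted paths are the ones in the log posted earlier. The quarantine location (C:\Qoobox\Quarantine, with quarantined files given a .vir suffix) and the two DisableSR registry locations are assumptions about ComboFix and Windows, not facts stated in the thread; verify them on the machine in front of you.

```powershell
# Added example (not from the thread): manual equivalent of the CFScript, then a System
# Restore check. Assumptions: elevated PowerShell 2.0 or later, run as the user whose
# proxy was hijacked; ComboFix quarantine at C:\Qoobox\Quarantine (assumed, not from the
# thread); DisableSR policy/config locations as listed below (assumed).

$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. Back the key up first so the change can be undone with: reg import <file>
$backup = Join-Path $env:USERPROFILE ('InternetSettings-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings' $backup /y | Out-Null
"backup written to $backup"

# 2. Remove the proxy entries (the effect of the DDS:: lines). Act only on the exact value
#    the log showed, so a proxy configured legitimately later is not wiped by mistake.
$cur = Get-ItemProperty -Path $key
if ($cur.ProxyServer -eq 'http=127.0.0.1:5555') {
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name ProxyOverride -ErrorAction SilentlyContinue
    Set-ItemProperty    -Path $key -Name ProxyEnable   -Value 0 -Type DWord
    "proxy entries removed; restart IE (and anything else using WinINET) to pick up the change"
} else {
    "ProxyServer is '$($cur.ProxyServer)', not the value from the log; left untouched"
}

# 3. Find what ComboFix quarantined (the equivalent of DeQuarantine::). Inspect, then restore
#    by copying back; ComboFix mirrors the original path under the quarantine folder (assumed).
$quarantine = 'C:\Qoobox\Quarantine'
if (Test-Path $quarantine) {
    Get-ChildItem -Path $quarantine -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match 'programdata\\Desktop|How to \.txt' } |
        Select-Object FullName, Length, LastWriteTime
} else {
    "$quarantine not found; nothing to restore from here"
}

# 4. System Restore: switched off by policy or configuration? Any restore points at all?
foreach ($srKey in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',
                   'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore') {
    $v = Get-ItemProperty -Path $srKey -Name DisableSR -ErrorAction SilentlyContinue
    if ($v -and $v.DisableSR -eq 1) { "System Restore is disabled via $srKey (DisableSR=1)" }
}

# Get-ComputerRestorePoint wraps the SystemRestore WMI class and fails when restore is off,
# which is itself an answer to "is System Restore turned on?".
$points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
"restore points found: $($points.Count)"
$points | ForEach-Object {
    '{0,4}  {1:yyyy-MM-dd HH:mm}  type={2}  {3}' -f $_.SequenceNumber,
        $_.ConvertToDateTime($_.CreationTime), $_.RestorePointType, $_.Description
}

# Restore points are kept in Volume Shadow Copies. No shadows for C: means the points were
# never created or have since been purged, which is why the restore list came up empty.
vssadmin list shadows
```

Keep the .reg backup until the browser has been confirmed working; if a legitimate local proxy (an AV web shield, for instance) stops working after step 2, reimporting it restores the old state in one command. Step 3 only lists what is in quarantine so that nothing is put back without being looked at first.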


#14 Kiskatoo (Members)

Posted 19 February 2011 - 12:08 AM

I'm using Firefox currently. I think it has to do with deleting the cookies (I CCleaned the computer before running ComboFix).

#15 Ried (Malware Response Team)

Posted 19 February 2011 - 12:09 AM

That would be my thought, as well as clearing the history. :)
