combo fix log


  • This topic is locked
1 reply to this topic

#1 noah_1

  • Members
  • 16 posts

Posted 27 February 2011 - 02:34 PM

I hope it is not in bad taste to try and move my thread (http://www.bleepingcomputer.com/forums/topic380811.html) up to the front of the line but it has gone to page 25 and I doubt it will get a response. Maybe because I attached the log as a download? I noticed Gringo specifically mentions not to attach files. It appears most people paste text directly in the topic? I'll try:
ComboFix 11-02-17.02 - Owner 02/18/2011 14:19:38.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.284 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Immunet Protect *Enabled/Updated* {F1220F1F-7E2E-48CD-846D-B98C6F85CD37}
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-01-18 to 2011-02-18 )))))))))))))))))))))))))))))))
.

2011-02-18 14:21 . 2011-01-13 08:41 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-02-18 14:21 . 2011-01-13 08:37 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-02-18 14:21 . 2011-01-13 08:37 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-02-18 14:21 . 2011-01-13 08:40 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-02-18 14:21 . 2011-01-13 08:40 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-02-18 14:21 . 2011-01-13 08:39 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-02-18 14:21 . 2011-01-13 08:37 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-02-18 14:21 . 2011-01-13 08:47 38848 ----a-w- c:\windows\avastSS.scr
2011-02-18 14:21 . 2011-01-13 08:47 188216 ----a-w- c:\windows\system32\aswBoot.exe
2011-02-18 14:21 . 2011-02-18 14:21 -------- d-----w- c:\program files\Alwil Software
2011-02-18 14:21 . 2011-02-18 14:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2011-02-18 14:19 . 2011-02-18 14:19 -------- d-----w- c:\documents and settings\Owner\Application Data\Registry Mechanic
2011-02-18 00:56 . 2011-02-18 02:40 -------- d-----w- c:\windows\system32\NtmsData
2011-02-18 00:05 . 2011-02-18 14:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2011-02-17 22:15 . 2011-02-17 22:15 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10
2011-02-17 22:12 . 2011-02-17 22:12 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-02-17 22:08 . 2011-02-18 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2011-02-17 22:07 . 2011-02-18 00:41 -------- d-----w- c:\program files\AVG
2011-02-17 21:49 . 2011-02-17 22:08 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-02-17 19:52 . 2011-02-17 19:52 -------- d-----w- c:\program files\support.com
2011-02-17 19:52 . 2011-02-17 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Support.com
2011-02-17 19:44 . 2011-02-17 19:44 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2011-02-17 19:30 . 2011-02-18 03:08 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\NPE
2011-02-17 19:20 . 2011-02-17 19:20 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-16 15:47 . 2011-02-16 15:47 -------- d-----w- c:\program files\Uniblue
2011-02-16 15:47 . 2011-02-16 15:47 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\PackageAware
2011-02-16 15:37 . 2001-08-17 20:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2011-02-16 15:37 . 2001-08-17 18:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys
2011-02-16 15:37 . 2004-08-04 04:32 10880 -c--a-w- c:\windows\system32\dllcache\admjoy.sys
2011-02-16 15:37 . 2001-08-17 18:19 747392 -c--a-w- c:\windows\system32\dllcache\adm8830.sys
2011-02-16 15:37 . 2001-08-17 18:19 553984 -c--a-w- c:\windows\system32\dllcache\adm8820.sys
2011-02-16 15:37 . 2001-08-17 18:19 584448 -c--a-w- c:\windows\system32\dllcache\adm8810.sys
2011-02-16 15:37 . 2001-08-17 19:53 7424 -c--a-w- c:\windows\system32\dllcache\adicvls.sys
2011-02-16 15:37 . 2001-08-17 18:11 20160 -c--a-w- c:\windows\system32\dllcache\adm8511.sys
2011-02-16 15:35 . 2001-08-17 20:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-02-15 20:51 . 2011-02-15 20:54 -------- d-----w- c:\documents and settings\Owner\Application Data\My Games
2011-02-13 16:52 . 2011-02-13 16:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-02-13 16:52 . 2011-02-13 16:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-02-13 16:51 . 2011-02-13 16:51 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-02-13 16:46 . 2011-02-13 16:51 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-02-07 22:30 . 2011-02-07 22:30 -------- d-----w- c:\windows\LMI69.tmp
2011-02-07 22:30 . 2011-02-07 22:44 -------- d-----w- c:\windows\LMI68.tmp
2011-02-07 22:17 . 2011-02-07 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2011-02-06 23:26 . 2011-02-06 23:26 -------- d-----w- c:\documents and settings\Owner\Application Data\Tific
2011-01-30 00:37 . 2011-01-30 00:37 173 ----a-w- c:\documents and settings\LocalService\Application Data\del.bat
2011-01-28 23:25 . 2011-01-29 15:30 -------- d-----w- c:\program files\Windows Live Safety Center
2011-01-23 20:23 . 2011-01-23 20:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-08 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-08-05 1596096]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"EEventManager"="c:\program files\Epson Software\Event Manager\EEventManager.exe" [2009-12-03 976320]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Epson all-in-one Registration.lnk - d:\common\EpsonReg\EpsonReg.exe [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-3-4 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"McSysmon"=3 (0x3)
"McShield"=2 (0x2)
"dmadmin"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/18/2011 8:21 AM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/18/2011 8:21 AM 17744]
S2 gupdate1c9e05db00b3678;Google Update Service (gupdate1c9e05db00b3678);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2009 7:02 AM 133104]
.
Contents of the 'Scheduled Tasks' folder

2011-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2011-02-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-29 13:01]

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-29 13:01]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: pogo.com\game3
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-18 14:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-287218729-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c1,b3,37,fc,64,48,3b,5f,f3,e7,32,b6,d0,18,ea,36,8e,fa,26,42,d5,30,96,
ea,bf,25,93,89,67,23,fa,45,95,51,82,d9,86,30,71,4f,61,bb,40,2d,d5,1b,40,91,\
"??"=hex:92,46,80,00,6a,1d,25,d4,dd,36,c5,79,a8,ec,9d,3f

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-02-18 14:39:29
ComboFix-quarantined-files.txt 2011-02-18 20:39

Pre-Run: 139,922,939,904 bytes free
Post-Run: 140,332,400,640 bytes free

- - End Of File - - 9E3FB502A2D017E51BB2DBA4B48FFC39


Hoped that worked. Thanks for any help anyone can offer, noah

#2 Animal

    Bleepin' Animinion

  • Site Admin
  • 35,302 posts

Posted 27 February 2011 - 02:58 PM

You have a reply by gringo_pr to the topic you link to. Please continue in that topic. I will close this one to avoid confusion.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)

