
ComboFix Log Review


  • This topic is locked
2 replies to this topic

#1 num001pcman

num001pcman

  • Members
  • 1 posts

Posted 06 May 2011 - 11:39 AM

At the suggestion of many web sites I have run ComboFix and produced the following log for review, PLEASE help!

ComboFix 11-05-05.04 - Brett 05/06/2011 11:15:24.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2939.1402 [GMT -5:00]
Running from: c:\users\Brett\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Brett\AppData\Local\Temp\dnscpers.dll
c:\users\Brett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair
c:\users\Brett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk
c:\users\Brett\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Repair\Windows Repair.lnk
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))
.
.
2011-05-06 15:48 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C368EC8-6EA2-4BB4-A155-D8721B3EA94E}\mpengine.dll
2011-05-06 15:09 . 2011-05-06 15:09 -------- d-----w- c:\users\Brett\AppData\Local\{CDE78E73-CB75-4703-99F6-2DDC13ACA0DD}
2011-05-01 15:23 . 2011-05-01 15:23 -------- d-----w- c:\users\Brett\AppData\Local\{18D4FFDC-6DCD-44BC-8CA5-97DCB61A1F8D}
2011-04-30 23:17 . 2011-04-30 23:17 -------- d-----w- c:\programdata\WindowsSearch
2011-04-30 17:45 . 2011-04-30 17:46 -------- d-----w- c:\users\Brett\AppData\Local\{E204E815-D090-466E-93CB-274A2E1F3B7A}
2011-04-28 23:38 . 2011-04-28 23:38 -------- d-----w- c:\users\Brett\AppData\Local\{EC3FF3A3-FD0B-4515-96EC-3358881C0295}
2011-04-28 01:53 . 2011-04-28 01:53 -------- d-----w- c:\users\Brett\AppData\Local\{DCD1DF6C-2609-40A8-9C6E-91F230FC5E2C}
2011-04-27 02:27 . 2011-04-27 02:27 -------- d--h--w- c:\users\Brett\AppData\Local\{B9375C33-42BE-4457-8790-810F5CD07E18}
2011-04-26 13:00 . 2011-04-26 16:38 -------- d--h--w- c:\users\Brett\AppData\Local\{0F9B2677-0FCA-4F26-A6BD-A2C0AAAF7638}
2011-04-26 13:00 . 2011-04-26 13:00 -------- d--h--w- c:\users\Brett\AppData\Local\{73681F32-4E20-4E56-9C43-75BE216BA96B}
2011-04-24 23:31 . 2011-04-24 23:31 -------- d--h--w- c:\users\Brett\AppData\Local\{0F34A81A-E823-4A39-AB83-576C40C7135F}
2011-04-24 01:01 . 2011-04-24 01:01 -------- d--h--w- c:\users\Brett\AppData\Local\{136A056F-F28B-4E2A-8CC2-A397B2DFFEED}
2011-04-23 02:08 . 2011-04-23 02:08 -------- d--h--w- c:\users\Brett\AppData\Local\{0C52ABD2-328D-4939-A888-2FC50B76C22F}
2011-04-23 02:08 . 2011-05-06 16:08 -------- d--h--w- c:\users\Brett\Tracing
2011-04-23 01:09 . 2011-04-23 01:09 -------- d-----w- c:\windows\en
2011-04-23 01:07 . 2011-04-23 01:07 -------- dc----w- c:\windows\system32\DRVSTORE
2011-04-23 01:07 . 2010-09-23 05:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2011-04-23 01:05 . 2011-04-23 01:05 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2011-04-23 01:00 . 2009-09-04 22:44 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2011-04-23 01:00 . 2009-09-04 22:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2011-04-23 01:00 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2011-04-23 01:00 . 2011-04-23 01:00 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\dc2a256f1cc015105\InstallManager_WLE_WLE.exe
2011-04-23 01:00 . 2011-04-23 01:00 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\d3d1ea6f1cc015104\MeshBetaRemover.exe
2011-04-23 01:00 . 2011-04-23 01:00 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\d11896cf1cc015103\DSETUP.dll
2011-04-23 01:00 . 2011-04-23 01:00 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\d11896cf1cc015103\DXSETUP.exe
2011-04-23 01:00 . 2011-04-23 01:00 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\d11896cf1cc015103\dsetup32.dll
2011-04-23 01:00 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2011-04-23 01:00 . 2011-04-23 01:00 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\ce08498f1cc015102\DSETUP.dll
2011-04-23 01:00 . 2011-04-23 01:00 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\ce08498f1cc015102\DXSETUP.exe
2011-04-23 01:00 . 2011-04-23 01:00 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\ce08498f1cc015102\dsetup32.dll
2011-04-23 00:59 . 2011-05-05 22:04 -------- d--h--w- c:\users\Brett\AppData\Local\Windows Live
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-23 01:01 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-21 00:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-737594619-1414829202-3786626943-1000]
"EnableNotificationsRef"=dword:00000001
.
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-11-28 122008]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-07-11 40960]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-12-17 102448]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 NETw5v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit ;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-04-28 3658752]
S3 SmartFaceVWatchSrv;SmartFaceVWatchSrv;c:\program files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [2008-04-25 73728]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Brett\AppData\Roaming\Mozilla\Firefox\Profiles\0evir8tp.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: AIM Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-06 11:24
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-06 11:26:47
ComboFix-quarantined-files.txt 2011-05-06 16:26
.
Pre-Run: 280,187,891,712 bytes free
Post-Run: 280,333,189,120 bytes free
.
- - End Of File - - 0C0874D5ED29C8DBB0F0741B9F8436AE
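An added example, not part of the original thread and not ComboFix's own code: a small Python parser for the "Other Deletions" and "Files Created" sections of a log laid out like the one posted above, run over a few constructed lines copied in the shape of that log. It assumes that the letter `d` in the eight-character attribute field marks a directory and `h` a hidden entry (read off the entries above; confirm against the ComboFix documentation for your version), and it only surfaces hidden or bare-{GUID} directories under AppData\Local for a reviewer to look at, without asserting that any of them is malicious.

```python
"""Parse the deletion and file-creation sections of a ComboFix log and list
entries a log reviewer would want to inspect by hand."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the log posted above (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Brett\AppData\Local\Temp\dnscpers.dll
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))
.
2011-05-06 15:48 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{9C368EC8-6EA2-4BB4-A155-D8721B3EA94E}\mpengine.dll
2011-05-06 15:09 . 2011-05-06 15:09 -------- d-----w- c:\users\Brett\AppData\Local\{CDE78E73-CB75-4703-99F6-2DDC13ACA0DD}
2011-04-27 02:27 . 2011-04-27 02:27 -------- d--h--w- c:\users\Brett\AppData\Local\{B9375C33-42BE-4457-8790-810F5CD07E18}
2011-04-23 01:07 . 2010-09-23 05:21 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""

# One row of the "Files Created" section:
#   <created> . <modified> <size or --------> <8 attribute flags> <path>
ROW_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
HEADER_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+$")          # ((( Section Name )))
DISINFECT_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
DRIVE_PATH_RE = re.compile(r"^[a-zA-Z]:\\")
# A directory directly under AppData\Local whose name is nothing but a {GUID}.
GUID_DIR_RE = re.compile(
    r"\\AppData\\Local\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None where the log prints -------- (directories)
    attrs: str            # the 8-character flag field, e.g. d--h--w-
    path: str

    @property
    def is_dir(self) -> bool:     # assumption: 'd' flag = directory
        return "d" in self.attrs

    @property
    def is_hidden(self) -> bool:  # assumption: 'h' flag = hidden attribute
        return "h" in self.attrs


@dataclass
class Report:
    deleted: List[str] = field(default_factory=list)      # "Other Deletions" paths
    disinfected: List[str] = field(default_factory=list)  # files ComboFix repaired in place
    created: List[Entry] = field(default_factory=list)    # "Files Created" rows


def parse_combofix(text: str) -> Report:
    """Walk the log once, tracking which ((( section ))) we are in."""
    report = Report()
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group("name")
            continue
        fixed = DISINFECT_RE.match(line)
        if fixed:
            report.disinfected.append(fixed.group("path"))
            continue
        if section.startswith("Other Deletions"):
            if DRIVE_PATH_RE.match(line):       # skip commentary like "Restored copy from - ..."
                report.deleted.append(line)
        elif section.startswith("Files Created"):
            row = ROW_RE.match(line)
            if row:
                size = None if row.group("size").startswith("-") else int(row.group("size"))
                report.created.append(Entry(row.group("created"), row.group("modified"),
                                            size, row.group("attrs"), row.group("path")))
    return report


def hidden_directories(report: Report) -> List[Entry]:
    """Newly created directories carrying the hidden attribute."""
    return [e for e in report.created if e.is_dir and e.is_hidden]


def guid_dirs_in_local_appdata(report: Report) -> List[Entry]:
    """Newly created {GUID}-named directories directly under AppData\\Local."""
    return [e for e in report.created if e.is_dir and GUID_DIR_RE.search(e.path)]


if __name__ == "__main__":
    rep = parse_combofix(SAMPLE_LOG)
    print("disinfected:", rep.disinfected)
    print("deleted:", rep.deleted)
    for e in hidden_directories(report=rep):
        print("hidden dir for review:", e.created, e.attrs, e.path)
    for e in guid_dirs_in_local_appdata(rep):
        print("GUID dir for review:", e.created, e.attrs, e.path)
```

The reviewer-facing output is the two "for review" lists; whether a flagged directory is a legitimate installer cache or something else still has to be decided by looking at its contents and timestamps, which this script deliberately does not attempt.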


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 14 May 2011 - 08:38 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 19 May 2011 - 06:29 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.