ComboFix log


  • This topic is locked
2 replies to this topic

#1 computersareweird

  • Members
  • 2 posts

Posted 07 May 2011 - 02:41 PM

ComboFix 11-05-06.05 - js 05/07/2011 12:01:36.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.958.292 [GMT -7:00]
Running from: c:\users\js\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\js\AppData\Roaming\Microsoft\1eaadjc.dll
c:\users\js\AppData\Roaming\Microsoft\bass.dll
c:\users\js\AppData\Roaming\Microsoft\kfgresk.dll
c:\users\js\AppData\Roaming\Microsoft\mjcriu.dll
c:\users\js\AppData\Roaming\Microsoft\peaadje.dll
c:\users\js\AppData\Roaming\Microsoft\qwadjb.dll
c:\users\js\AppData\Roaming\Microsoft\rsaadjd.dll
c:\users\js\AppData\Roaming\MiniDm
c:\users\js\AppData\Roaming\MiniDm\conf.ini
c:\users\js\AppData\Roaming\MiniDm\history.dat
c:\windows\system32\admshare.dat
c:\windows\system32\config\mcckmplayervod.ini
c:\windows\system32\taoY.ico
c:\windows\XSxS
.
.
((((((((((((((((((((((((( Files Created from 2011-04-07 to 2011-05-07 )))))))))))))))))))))))))))))))
.
.
2011-05-07 16:34 . 2011-05-07 16:34 -------- d-----w- C:\!KillBox
2011-05-07 02:10 . 2011-05-07 02:11 -------- d-----w- c:\users\js\AppData\Local\{28DA9C3D-4B0B-4960-98C7-2D100E4E3435}
2011-05-06 03:41 . 2011-05-06 03:42 -------- d-----w- c:\users\js\AppData\Local\{E4155B27-B7B0-43D2-836F-80C3B02D5DDA}
2011-05-01 03:48 . 2011-05-01 03:48 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-05-01 00:43 . 2011-05-01 00:43 -------- d-----w- c:\program files\Common Files\Java
2011-05-01 00:43 . 2011-05-01 00:49 -------- d-----w- c:\program files\Java
2011-04-30 08:35 . 2011-05-07 18:40 -------- d-----w- c:\users\js\AppData\Roaming\uTorrent
2011-04-30 00:10 . 2011-05-05 05:19 -------- d-----w- c:\users\js\AppData\Roaming\Skype
2011-04-30 00:08 . 2011-04-30 00:08 -------- d-----r- c:\program files\Skype
2011-04-29 18:54 . 2011-04-29 18:54 -------- d-----w- c:\users\js\AppData\Local\{93B918F7-7E2F-4510-BBFF-F0B6633887DB}
2011-04-28 20:49 . 2011-04-28 20:49 -------- d-----w- c:\users\js\AppData\Local\{876BABBC-DFB1-41A4-B5C0-2B9B0968064E}
2011-04-27 20:05 . 2011-04-27 20:05 -------- d-----w- c:\users\js\AppData\Local\{6C2141AF-532C-4656-B750-8E33828FA156}
2011-04-26 19:20 . 2011-04-26 19:20 -------- d-----w- c:\users\js\AppData\Local\{06DC3E9D-F141-4C85-BDFD-0BCF58F067AC}
2011-04-26 03:45 . 2011-04-26 03:46 -------- d-----w- c:\users\js\AppData\Local\{44EDFECA-89B4-4F3E-BD52-5FB2E6312889}
2011-04-23 20:23 . 2011-04-23 20:23 -------- d-----w- c:\users\js\AppData\Local\{4FAE6F8C-67F7-4BE6-86BB-3479DEECC40E}
2011-04-23 20:22 . 2011-04-23 20:22 -------- d-----w- c:\users\js\AppData\Local\{7613EDA7-42A5-45B0-B568-ACA11EAF8EB9}
2011-04-18 01:35 . 2011-02-22 13:24 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-04-18 01:35 . 2011-02-22 13:24 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-04-18 01:35 . 2011-02-22 13:23 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-18 01:35 . 2011-02-22 13:23 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-04-18 01:35 . 2011-02-18 14:03 305152 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-18 01:35 . 2011-02-18 14:03 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-18 01:35 . 2011-02-18 14:03 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-18 01:35 . 2011-02-16 16:16 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-18 01:35 . 2011-02-16 14:02 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-04-17 02:35 . 2011-04-17 02:36 -------- d-----w- c:\users\js\AppData\Local\{83CBC111-65D3-4499-9730-5E3E666D9949}
2011-04-10 19:32 . 2011-04-10 19:32 -------- d-----w- c:\users\js\AppData\Local\{F1981563-C958-4B62-B06C-6B902E29A46A}
2011-04-10 07:34 . 2011-04-10 07:34 -------- d-----w- c:\program files\IrfanView
2011-04-09 18:22 . 2011-04-09 18:22 -------- d-----w- c:\users\js\AppData\Local\{9103C26D-CF2F-47EF-B90B-D209E8BFFADB}
2011-04-09 06:21 . 2011-04-09 06:21 -------- d-----w- c:\users\js\AppData\Local\{AFC7FE2E-A71E-4098-BBE8-A8642924EA53}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-01 00:43 . 2010-04-22 22:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-27 20:04 . 2010-06-24 18:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-04-29 09:11 . 2011-04-27 02:34 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2011-01-16 . 0D06C75864F70E902937540CB5FA6E00 . 2924032 . . [6.0.6000.16386] . . c:\windows\explorer.exe
[7] 2009-04-11 . D07D4C3038F3578FFCE1C0237F2A1253 . 2926592 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe
[7] 2008-10-30 . 50BA5850147410CDE89C523AD3BC606E . 2927616 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_51e4f8c7931bd1e1\explorer.exe
[7] 2008-10-29 . 4F554999D7D5F05DAAEBBA7B5BA1089D . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_5177ca9879e978e8\explorer.exe
[7] 2008-10-29 . 37440D09DEAE0B672A04DCCF7ABF06BE . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_4f83bb287ccdb7e3\explorer.exe
[7] 2008-10-28 . E7156B0B74762D9DE0E66BDCDE06E5FB . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_5033cb5995cd990b\explorer.exe
[7] 2008-01-19 . FFA764631CB70A30065C12EF8E174F9F . 2927104 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_51b4a71279bc6ebf\explorer.exe
[7] 2007-11-19 . 6D06CD98D954FE87FB2DB8108793B399 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16549_none_4fac29707cae347a\explorer.exe
[7] 2007-11-19 . BD06F0BF753BC704B653C3A50F89D362 . 2923520 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20668_none_501f261995dcf2cf\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableStatusMessages"= 1 (0x1)
"DisableStartupSound"= 1 (0x1)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoNetConnectDisconnect"= 1 (0x1)
"TaskbarNoThumbnail"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiSpyWareDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1759969739-133204858-3277122302-1000]
"EnableNotificationsRef"=dword:00000005
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2011-04-18 01:41 114176 ----a-w- c:\windows\System32\advpack.dll
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\js\AppData\Roaming\Mozilla\Firefox\Profiles\bmfohwuf.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\js\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-07 12:14
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
[0] 0x55002D00
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1759969739-133204858-3277122302-1000\Software\SecuROM\License information*]
"datasecu"=hex:f0,62,31,b0,d4,e6,4e,60,9d,c5,b8,77,a3,03,63,00,a4,36,d5,98,ea,
bf,f5,59,e9,c8,f8,88,b8,b6,e9,9b,3c,74,5d,f0,b0,5e,22,20,ae,11,84,db,78,1e,\
"rkeysecu"=hex:87,73,d6,65,04,f0,c2,be,df,e9,78,f6,6a,f8,7f,8a
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-07 12:21:40
ComboFix-quarantined-files.txt 2011-05-07 19:21
.
Pre-Run: 117,039,226,880 bytes free
Post-Run: 117,150,216,192 bytes free
.
- - End Of File - - BAB1E2F976F6BDB297E27B99F2162AB0

Am I infected?

Bump, need help D:

Besides scanning your computer for known infections, what else exactly does ComboFix do? I've noticed that it deleted a few items here and there and it changed some of my desktop visual preferences... like moving around the taskbar properties or w/e.

EDIT: Please be patient. There are over 290 unanswered topics in this forum at present and the current average wait time to receive help is 8 days. ~Budapest

Edited by Budapest, 10 May 2011 - 08:09 PM.



#2 m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 16 May 2011 - 07:15 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le


Posted 21 May 2011 - 07:59 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE