Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Newbie with a ComboFix log help appreciated


  • This topic is locked This topic is locked
3 replies to this topic

#1 manchester9

manchester9

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:16 AM

Posted 26 May 2011 - 01:05 PM

Hi,

I have been lurking on here for ages and picked up many valuable tips, didn't think I would have to ever ask for help but now I think I do. I have Windows XP and run Avast free AV, Windows Firewall, also run Malwarebytes regularly. Also run CCleaner almost daily. Over the last couple of days everything has slowed down and nothing has improved after running my usual stuff (CCleaner, Defrag) so I have run ComboFix as a last resort. Any advice would be most welcome:

ComboFix 11-05-21.03 - Owner 26/05/2011 18:45:08.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.183 [GMT 1:00]
Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\RECYCLER(3)
c:\recycler(3)\S-1-5-21-515967899-1644491937-725345543-1003(2)\INFO2
.
.
((((((((((((((((((((((((( Files Created from 2011-04-26 to 2011-05-26 )))))))))))))))))))))))))))))))
.
.
2011-05-26 13:53 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-26 13:53 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-26 13:53 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-26 13:53 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-26 13:53 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-26 13:53 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-26 13:53 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-26 13:53 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-26 13:53 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-26 13:53 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-26 09:09 . 2011-05-26 09:09 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-25 21:03 . 2011-05-26 08:11 -------- d-----w- c:\program files\Microsoft Security Client(2)
2011-05-25 07:36 . 2011-05-26 08:40 -------- d-----w- C:\RECYCLER(5)
2011-05-20 17:57 . 2011-05-20 17:57 -------- d-----w- c:\windows\Internet Logs
2011-05-15 21:52 . 2011-05-16 18:45 -------- d-----w- C:\RECYCLER(2)
2011-05-09 20:54 . 2011-05-09 20:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-05-09 20:51 . 2011-05-09 20:51 -------- d-----w- c:\program files\AVG
2011-04-26 17:55 . 2011-04-26 17:55 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-26 16:49 . 2010-11-09 14:32 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-07 05:33 . 2006-02-27 13:31 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2003-07-16 20:49 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 20:51 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-04-29 19:33 . 2011-03-25 15:43 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-29_15.53.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-01-11 22:44 . 2011-05-19 20:29 4212 c:\windows\system32\zllictbl.dat
- 2011-01-11 22:44 . 2011-03-29 20:57 4212 c:\windows\system32\zllictbl.dat
+ 2011-05-16 21:08 . 2011-05-16 21:08 301056 c:\windows\Installer\44622f.msi
+ 2010-11-07 20:35 . 2011-05-11 17:19 42829768 c:\windows\system32\MRT.exe
+ 2010-11-15 17:30 . 2011-05-26 09:10 141099280 c:\windows\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Gigaset WLAN Adapter Monitor.lnk - c:\program files\Siemens\Gigaset USB Adapter 108\Gcc.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 08:59 126976 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 08:59 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 10:17 5252408 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2004-10-14 14:42 1404928 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"EhttpSrv"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [26/05/2011 14:53 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [26/05/2011 14:53 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/05/2011 14:53 19544]
S1 MpKsld1c13225;MpKsld1c13225;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8713A5A-E6F7-42E4-875D-F6C399950928}\MpKsld1c13225.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8713A5A-E6F7-42E4-875D-F6C399950928}\MpKsld1c13225.sys [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [16/07/2003 21:47 14336]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17/12/2010 23:30 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\nyyr69zt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - ZoneAlarm Security Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-26 18:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-05-26 18:54:18
ComboFix-quarantined-files.txt 2011-05-26 17:54
ComboFix2.txt 2011-05-22 19:00
ComboFix3.txt 2011-05-15 20:55
ComboFix4.txt 2011-04-29 15:55
.
Pre-Run: 26,719,105,024 bytes free
Post-Run: 26,711,531,520 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 8E5418276A942A079EA0DCD68EA7CF55

BC AdBot (Login to Remove)

 


#2 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:07:16 AM

Posted 07 June 2011 - 06:58 AM

Hello and :welcome:

My name is patndoris. I apologize for the delay in responding to your post. If you are still having problems, I will be glad to take a look at your logs and help you with solving any malware problems.


While you may see ComboFix being used quite often, and without incident, the tool should not be run unsupervised (as stated in the Disclaimer that is first displayed by ComboFix when you run the tool) Going forward, I highly recommend you heed such instructions.

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.





Download and Run DDS by sUBs

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Save both reports to your desktop.
---------------------------------------------------

Please Please copy / paste the scan reults.

DDS.txt

Please attach the second file; Attach.txt.






Download and Run GMER

Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that may have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one - make sure it is UNCHECKED)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#3 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:07:16 AM

Posted 10 June 2011 - 05:43 AM

Are you having any trouble with the instructions?

Reminder: Topics with no reply in 4 days will be closed.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE

#4 patndoris

patndoris

  • Security Colleague
  • 127 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Maryland
  • Local time:07:16 AM

Posted 11 June 2011 - 09:57 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
~Doris~

Proud Graduate of the WTT Classroom
Member of  UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users