
Malware Problems, ComboFix Log


  • This topic is locked
2 replies to this topic

#1 navag8r

  • Members
  • 9 posts

Posted 06 July 2011 - 04:37 AM

Please help! My HP laptop had a redirecting virus in Google on Internet Explorer. So I downloaded ComboFix and fixed the problem and uninstalled it. But now my wireless internet won't connect; it also doesn't show in available wireless networks. I tried right clicking and repairing but it says, "cannot repair the problem because the following action cannot be completed. connect to the wireless network." My wireless router works because my home computer is connected, plus 2 iPhones, Xbox. Please help. Sooo stressed out. I don't know much about computers, I learned everything from Bleeping Computer forums.

ComboFix 11-07-03.04 - owner 07/04/2011 19:05:22.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.643 [GMT -7:00]
Running from: c:\documents and settings\owner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-05 to 2011-07-05 )))))))))))))))))))))))))))))))
.
.
2011-07-04 20:03 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-04 20:03 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-01 06:40 . 2011-07-01 06:40 -------- d-----w- c:\documents and settings\owner\LuckyWire
2011-07-01 06:39 . 2011-07-01 09:35 -------- d-----w- c:\documents and settings\owner\.luckywire
2011-07-01 06:38 . 2011-07-01 06:38 -------- d-----w- c:\program files\LuckyWire
2011-07-01 04:57 . 2011-07-01 04:57 -------- d-----w- c:\documents and settings\owner\Application Data\bsbandmltbpi
2011-07-01 04:57 . 2011-07-01 04:57 -------- d-----w- c:\documents and settings\owner\AppData
2011-07-01 04:31 . 2011-07-01 04:58 -------- d-----w- c:\documents and settings\owner\Application Data\mediabarbs
2011-07-01 04:31 . 2011-07-01 04:31 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2011-07-01 04:30 . 2011-07-01 06:16 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\BearShare
2011-07-01 04:30 . 2011-07-02 21:58 -------- d-----w- c:\program files\BearShare Applications
2011-07-01 04:28 . 2011-07-01 04:28 -------- d-----w- c:\documents and settings\owner\Local Settings\Application Data\PackageAware
2011-06-29 22:12 . 2011-06-29 22:12 -------- d--h--w- c:\windows\PIF
2011-06-29 20:45 . 2011-06-29 20:45 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-06-29 20:16 . 2011-06-29 20:16 -------- d-----w- c:\program files\iPod
2011-06-29 20:12 . 2011-06-29 20:12 -------- d-----w- c:\program files\Apple Software Update
2011-06-29 18:19 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-06-29 18:19 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-06-29 18:18 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-06-29 18:17 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-29 18:10 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-06-28 21:17 . 2011-07-05 02:00 -------- d-----w- c:\windows\l2schemas
2011-06-28 21:17 . 2011-06-28 21:17 -------- d-----w- c:\windows\system32\scripting
2011-06-28 21:17 . 2011-06-28 21:17 -------- d-----w- c:\windows\system32\en
2011-06-28 21:17 . 2011-06-28 21:17 -------- d-----w- c:\windows\system32\bits
2011-06-28 20:28 . 2011-06-28 20:28 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
2011-06-28 20:28 . 2011-06-28 20:28 -------- d--h--w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-28 20:28 . 2011-07-04 20:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-28 20:21 . 2011-06-28 20:49 -------- d--h--w- c:\documents and settings\All Users\Application Data\aI28601EhNaK28601
2011-06-27 00:11 . 2011-06-28 20:03 0 ----a-w- c:\windows\Fsewejesuxitokes.bin
2011-06-27 00:10 . 2011-06-27 00:10 184320 --sha-r- c:\windows\system32\f3PSSavrj.dll
2011-06-27 00:10 . 2011-06-27 00:10 184320 --sha-r- c:\windows\system32\dswavec.dll
2011-06-19 09:38 . 2011-06-19 09:40 -------- d-----w- c:\program files\eMule
2011-06-10 20:26 . 2011-06-10 20:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-06-10 20:25 . 2011-06-10 20:25 -------- d-----w- c:\program files\Bonjour
2011-06-10 20:23 . 2011-06-10 20:23 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-06-10 20:23 . 2011-06-10 20:23 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-06-10 20:23 . 2011-06-10 20:23 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-06-10 20:23 . 2011-06-10 20:23 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-06-10 20:23 . 2011-06-10 20:23 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-06-10 20:23 . 2011-06-10 20:23 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-06-10 20:23 . 2011-06-10 20:23 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-06-10 20:22 . 2011-06-10 20:23 -------- d-----w- c:\program files\QuickTime
2011-06-07 19:35 . 2011-06-07 19:35 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-10 15:06 . 2010-04-15 21:16 18432 ----a-w- c:\windows\system32\drivers\netaapl.sys
2011-05-10 15:06 . 2010-04-15 21:16 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-10 15:06 . 2010-04-15 21:16 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-05-02 15:31 . 2010-04-14 21:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-03 22:56 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-03 21:15 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-03 22:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-03 22:56 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 16:11 . 2004-08-03 22:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 12:01 . 2004-08-03 20:59 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-03 21:15 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-06 23:20 . 2011-04-06 23:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 23:20 . 2011-04-06 23:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-05_01.06.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-05 02:01 . 2011-07-05 02:01 16384 c:\windows\Temp\Perflib_Perfdata_210.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2011-06-01 18:28 1236400 ----a-w- c:\progra~1\BEARSH~1\MediaBar\Datamngr\IEBHO.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}]
2011-05-30 13:48 87480 ----a-w- c:\progra~1\BEARSH~1\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}"= "c:\progra~1\BEARSH~1\MediaBar\Datamngr\ToolBar\bsdtxmltbpi.dll" [2011-05-30 87480]
.
[HKEY_CLASSES_ROOT\clsid\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-14 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-01 30192]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-04-14 126976]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2009-03-10 570664]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-03-24 599328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-05-12 623888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-04-11 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-08 421160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BearShare Applications\\MediaBar\\Datamngr\\ToolBar\\dtUser.exe"=
"c:\\Program Files\\LuckyWire\\LuckyWire.exe"=
.
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [10/24/2009 3:18 AM 360224]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 2:06 PM 231424]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2010 2:44 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [4/14/2010 2:43 PM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/14/2010 2:44 PM 135664]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [4/15/2010 2:16 PM 18432]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-04-14 21:42]
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 21:44]
.
2011-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 21:44]
.
2011-06-17 c:\windows\Tasks\Norton Security Scan for owner.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-04-16 07:51]
.
2011-07-05 c:\windows\Tasks\User_Feed_Synchronization-{F01C9E40-571E-4A9B-BFA6-90914F9332A3}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:52545
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-04 19:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1452)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Google\Quick Search Box\bin\1.2.1151.245\qsb.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2011-07-04 19:13:58
ComboFix-quarantined-files.txt 2011-07-05 02:13
ComboFix2.txt 2011-07-05 01:10
.
Pre-Run: 10,632,462,336 bytes free
Post-Run: 10,618,056,704 bytes free
.
- - End Of File - - 451BF698C1452810A5F662E00DA0D014

Edited by hamluis, 06 July 2011 - 02:05 PM.
Merged posts, deleted others, moved topic to Malware Removal Logs.



#2 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 07 July 2011 - 01:12 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic408076.html/page__view__findpost__p__2322822

Folder::
c:\documents and settings\owner\Application Data\bsbandmltbpi
c:\documents and settings\All Users\Application Data\aI28601EhNaK28601

File::
c:\windows\Fsewejesuxitokes.bin

Collect::
c:\windows\system32\f3PSSavrj.dll
c:\windows\system32\dswavec.dll

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:52545

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
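The log in navag8r's post and the CFScript CatByte wrote from it are two halves of one workflow: read the "Files Created" and Supplementary Scan sections for indicators, then turn the ones that matter into Folder::/File::/Collect::/DDS:: stanzas. The Python below is an added example (not part of either post, and not ComboFix's own code) that automates that reading over a constructed sample built from the log lines above. The heuristics, the `Finding` class, `triage()`, `draft_cfscript()` and the indicator-to-stanza mapping are all this example's own choices; the rules are tuned to reproduce the entries CatByte picked, and are a triage aid rather than a replacement for a reviewer's judgement.

```python
"""Triage a ComboFix log and draft the matching CFScript stanzas.

Added example for this thread, not ComboFix's code.  Line layouts are the
ones ComboFix prints above; the rules are heuristics chosen by this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: relevant lines copied from the posted log, in ComboFix's
# layout ("created . modified size attrs path"), then one firewall-policy line
# and one Supplementary Scan settings line.
SAMPLE_LOG = r"""
2011-07-01 04:57 . 2011-07-01 04:57 -------- d-----w- c:\documents and settings\owner\Application Data\bsbandmltbpi
2011-06-28 20:28 . 2011-06-28 20:28 -------- d-----w- c:\documents and settings\owner\Application Data\Malwarebytes
2011-06-28 20:21 . 2011-06-28 20:49 -------- d--h--w- c:\documents and settings\All Users\Application Data\aI28601EhNaK28601
2011-06-27 00:11 . 2011-06-28 20:03 0 ----a-w- c:\windows\Fsewejesuxitokes.bin
2011-06-27 00:10 . 2011-06-27 00:10 184320 --sha-r- c:\windows\system32\f3PSSavrj.dll
2011-06-27 00:10 . 2011-06-27 00:10 184320 --sha-r- c:\windows\system32\dswavec.dll
2011-04-29 17:25 . 2004-08-03 22:56 151552 ----a-w- c:\windows\system32\schannel.dll
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = http=127.0.0.1:52545
"""

# attrs is an 8-char flag string such as "--sha-r-": d=directory, s=system, h=hidden
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S{8}) (.+)$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')


@dataclass
class Finding:
    kind: str    # which heuristic fired
    target: str  # the path or settings line it fired on


def _looks_random(name: str) -> bool:
    """Crude random-token test (name is lowercase): a run of 5+ consonants,
    or digits mixed into a long letter string.  Heuristic, not a signature."""
    if re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", name):
        return True
    return len(name) >= 12 and re.search(r"\d", name) is not None and re.search(r"[a-z]", name) is not None


def triage(log_text: str) -> list[Finding]:
    """Collect the indicators a reviewer would flag in the log: random-named
    Application Data folders, hidden+system files in system32, zero-byte files
    in the Windows root, a disabled firewall, a proxy pointed at loopback."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size, attrs, path = m.group(3), m.group(4), m.group(5)
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            is_dir = attrs[0] == "d"
            if is_dir and "\\application data\\" in low and _looks_random(name):
                findings.append(Finding("random-named folder under Application Data", path))
            elif not is_dir and low.startswith("c:\\windows\\system32\\") and "s" in attrs and "h" in attrs:
                findings.append(Finding("hidden+system file in system32", path))
            elif not is_dir and size == "0" and re.fullmatch(r"c:\\windows\\[^\\]+", low):
                findings.append(Finding("zero-byte file in Windows root", path))
            continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding("Windows Firewall disabled", line.strip()))
        m = PROXY_RE.match(line)
        if m and re.search(r"=127\.0\.0\.1:", m.group(1)):
            findings.append(Finding("browser proxy pointed at loopback", line.strip()))
    return findings


# Stanza for each indicator.  This copies how CatByte placed these same entries
# (folders under Folder::, the marker file under File::, the hidden DLLs under
# Collect::, the proxy line under DDS::); generalising it is this example's assumption.
DIRECTIVE_FOR = {
    "random-named folder under Application Data": "Folder::",
    "zero-byte file in Windows root": "File::",
    "hidden+system file in system32": "Collect::",
    "browser proxy pointed at loopback": "DDS::",
}


def draft_cfscript(findings: list[Finding]) -> str:
    """Render findings as CFScript text in the stanza layout shown in the thread.
    Findings with no directive (the firewall state) are reported, not scripted."""
    stanzas: dict[str, list[str]] = {d: [] for d in ("Folder::", "File::", "Collect::", "DDS::")}
    for f in findings:
        directive = DIRECTIVE_FOR.get(f.kind)
        if directive:
            stanzas[directive].append(f.target)
    return "\n\n".join(f"{d}\n" + "\n".join(t) for d, t in stanzas.items() if t)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.kind}] {f.target}")
    print("\n" + draft_cfscript(found))
```

Run as-is, it reports seven findings (including the disabled firewall, which is deliberately left for a human rather than turned into a directive) and then prints the same four stanzas CatByte posted. The ProxyServer line is the one a reviewer should not skip: `http=127.0.0.1:52545` routes Internet Explorer's requests through a process listening on the machine itself, which is why it is flagged here and why CatByte's script clears that entry under DDS::.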


#3 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 13 July 2011 - 02:14 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




