
No internet access after running ComboFix


  • This topic is locked
2 replies to this topic

#1 ndmike2009

ndmike2009

  • Members
  • 2 posts

Posted 28 December 2011 - 02:43 PM

My computer got infected by the fake "XP Antivirus 2012" malware and I used Malwarebytes to get rid of the immediate threat. Unfortunately it also infected my browser and was redirecting it to other websites. Without reading the warnings, I ran ComboFix, which I really regret since I can no longer access the internet at all. While ComboFix was running, a couple of windows popped up mentioning the computer was infected by a rootkit.

Here is the ComboFix log:

ComboFix 11-12-28.03 - kpfarrer 12/28/2011 13:13:24.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.652 [GMT -6:00]
Running from: c:\documents and settings\kpfarrer\Desktop\Antivirus\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\dasetup.log
c:\windows\EventSystem.log
c:\windows\system32\Thumbs.db
c:\windows\system32\zip32.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 18:44 . 2011-12-28 19:13 -------- d-----w- c:\windows\system32\CatRoot2
2011-12-28 14:28 . 2011-12-28 14:28 -------- d-----w- c:\documents and settings\kpfarrer\Local Settings\Application Data\Mozilla
2011-12-27 22:26 . 2011-12-27 22:05 302187 ----a-w- C:\remove_proxy.exe
2011-12-27 20:20 . 2011-12-27 20:20 -------- d-----w- c:\documents and settings\kpfarrer\Application Data\Malwarebytes
2011-12-27 20:20 . 2011-12-27 20:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-12-27 20:20 . 2011-12-28 14:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-27 20:20 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-27 20:18 . 2011-12-27 20:18 -------- d-----w- c:\windows\system32\sdtmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 15:26 . 2009-11-10 22:06 88 --sh--r- c:\documents and settings\All Users\Application Data\7D6F2DE433.sys
2011-12-28 15:26 . 2009-11-10 22:06 848 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2011-12-27 22:05 . 2011-12-27 22:26 302187 ----a-w- C:\remove_proxy.exe
2011-12-10 21:24 . 2011-12-27 20:20 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2009-09-23 20:21 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-01 16:07 . 2004-05-26 19:30 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-31 23:43 . 2009-09-21 15:14 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-10-31 23:43 . 2004-05-26 19:30 832512 ----a-w- c:\windows\system32\wininet.dll
2011-10-31 23:43 . 2004-05-26 19:29 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2011-10-31 23:43 . 2004-05-26 19:29 17408 ----a-w- c:\windows\system32\corpol.dll
2011-10-28 05:31 . 2009-09-23 20:21 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2009-09-23 20:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2009-09-23 20:21 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-05-26 19:29 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-05-26 20:22 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-12-21 07:24 . 2011-12-28 14:28 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . 93EF5EC16539913D81A68CA00082906E . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . 93EF5EC16539913D81A68CA00082906E . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-10-13 17351304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"RTHDCPL"="RTHDCPL.EXE" [2005-07-13 14679552]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"PBIReproOrderForm"="c:\program files\PBI Repro Order Form\PBIROF.exe" [2006-06-26 712704]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2010-12-09 24576]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-01 57344]
"Act.Outlook.Service"="c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe" [2008-08-01 28672]
"Act! Preloader"="c:\program files\ACT\Act for Windows\ActSage.exe" [2008-08-01 393216]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-15 623992]
"HP Software Update"="c:\program files\HP Software Update\HPWuSchd2.exe" [2005-12-15 49152]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [N/A]
Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2010-12-9 422912]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2010-12-9 34304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Printers\\Hewlett-Packard\\HP Install Network Printer Wizard\\hpjsi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Seiko I Infotech\\PlotShareOne DX\\PlotShareScanToFile.exe"=
"c:\\Program Files\\Seiko I Infotech\\PlotShareOne DX\\PlotShareOneLT.exe"=
"c:\\Program Files\\PBI Repro Order Form\\PBIROF.Exe"= c:\\Program Files\\PBI Repro Order Form\\PBIROF.exe
"c:\\ocerd\\jobmain.exe"=
"c:\\ocerd\\apftp.exe"=
"c:\\Program Files\\SnapServerManager\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\UPS\\WSTD\\MSSQL$UPSWSDBSERVER\\Binn\\sqlservr.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1434:UDP"= 1434:UDP:UDP 1434
.
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [7/31/2008 10:02 PM 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/12/2009 7:57 AM 133104]
S2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\MICROSOFT SQL SERVER\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29 PM 29293408]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/12/2009 7:57 AM 133104]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPHNDUService REG_MULTI_SZ HPHNDUSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-27 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-05-26 00:12]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-12 13:57]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-12 13:57]
.
.
------- Supplementary Scan -------
.
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\kpfarrer\Application Data\Mozilla\Firefox\Profiles\fhyqf2ks.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-28 13:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2444)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\progra~1\SYMANT~1\SYMANT~1\DefWatch.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\progra~1\SYMANT~1\SYMANT~1\Rtvscan.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Digital Imaging\bin\hpqnrs08.exe
c:\program files\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2011-12-28 13:32:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-28 19:32
ComboFix2.txt 2011-12-28 18:09
ComboFix3.txt 2011-12-28 17:34
.
Pre-Run: 44,329,369,600 bytes free
Post-Run: 44,327,690,240 bytes free
.
- - End Of File - - 98A05827C361F852317491B1023100D8


Any help on this problem would be much appreciated!
Thank you!
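An added triage script (written for this thread, not code from ComboFix or from the poster) that reads Sigcheck and registry lines in the layout shown in the log above and flags what a helper would look at first: the unversioned system32 copy of ipsec.sys whose MD5 matches neither service-pack copy, and the Security Center and firewall values set to "off". It assumes ComboFix keeps the line layout seen in this log; the embedded excerpt is constructed from the posted log.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix log posted above (Sigcheck block plus two registry sections).
LOG = r"""
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[-] 2008-04-13 19:19 . 93EF5EC16539913D81A68CA00082906E . 75264 . . [------] . . c:\windows\system32\drivers\ipsec.sys
[7] 2004-08-04 . 64537AA5C003A6AFEEE1DF819062D0D1 . 74752 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ipsec.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""
# Sigcheck line layout as seen in this log: [flag] date [time] . MD5 . size . . [version] . . path
SIG = re.compile(r"^\[(?P<flag>.)\]\s+\S+(?:\s\d\d:\d\d)?\s\.\s(?P<md5>[0-9A-F]{32})"
                 r"\s\.\s(?P<size>\d+)\s\.\s\.\s\[(?P<ver>[^\]]*)\]\s\.\s\.\s(?P<path>.+)$")
REG = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\S+)')

# Registry values that, at these settings, mean XP's own protections are switched off.
WEAK_REG = {"AntiVirusOverride": 1, "FirewallOverride": 1, "EnableFirewall": 0}

def reg_int(val):
    """'dword:00000001' -> 1, '0' -> 0; None for anything non-numeric."""
    if val.lower().startswith("dword:"):
        return int(val[6:], 16)
    return int(val) if val.isdigit() else None

def triage(log):
    """Return human-readable findings for one ComboFix log."""
    findings = []
    copies = defaultdict(list)  # basename -> Sigcheck entries for that file name
    for line in log.splitlines():
        m = SIG.match(line)
        if m:
            copies[m["path"].rsplit("\\", 1)[-1].lower()].append(m.groupdict())
            continue
        m = REG.match(line)
        if m and m["name"] in WEAK_REG and reg_int(m["val"]) == WEAK_REG[m["name"]]:
            findings.append(f"protection disabled: {m['name']}={m['val']}")
    for name, entries in copies.items():
        # MD5s of the copies that carry a version stamp (the service-pack copies here)
        stamped = {e["md5"] for e in entries if e["ver"].strip("-")}
        for e in entries:
            if not e["ver"].strip("-") and e["md5"] not in stamped:
                findings.append(f"unversioned {name} at {e['path']} has MD5 {e['md5']}, "
                                f"matching none of the {len(stamped)} stamped copies")
    return findings
FINDINGS = triage(LOG)  # four findings for the excerpt above
```

A file that fails this hash comparison is not automatically malicious (the log itself says unsigned files aren't necessarily malware), but together with the disabled-protection values it is exactly the set of lines a forum helper would ask about first.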


#2 ndmike2009

ndmike2009
  • Topic Starter

  • Members
  • 2 posts

Posted 29 December 2011 - 01:55 PM

UPDATE: I used Windows Restore and that fixed the internet connectivity problem. The browser is no longer being redirected either. Everything seems normal again.

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts

Posted 02 January 2012 - 04:33 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
