
Java exploit and combofix


9 replies to this topic

#1 fredhonda

fredhonda

  • Members
  • 6 posts

Posted 07 July 2012 - 04:18 PM

Hi guys,

I recently ran ComboFix on my computer because a scan with Microsoft Security Essentials reported a Java exploit virus and PornPop adware; they always came back even after I deleted them.

I think ComboFix cleared all my problems, but I want to be sure that my computer is virus-free.

So here is the log (sorry for my English, I'm French!):

ComboFix 12-07-07.04 - Fred 2012-07-07 16:46:00.1.4 - x64
Microsoft Windows 7 Professionnel 6.1.7601.1.1252.2.1036.18.3062.1913 [GMT -4:00]
Launched from: C:\Users\Fred\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* A new restore point was created


(((((((((((((((((((((((((((((((((((( Other deletions ))))))))))))))))))))))))))))))))))))))))))))))))


C:\install.exe
C:\Users\Sam\AppData\Roaming\result.db


((((((((((((((((((((((((((((( Files created from 2012-06-07 to 2012-07-07 ))))))))))))))))))))))))))))))))))))


2012-07-07 20:49:50 . 2012-07-07 20:49:50 -------- d-----w- C:\Users\Sam\AppData\Local\temp
2012-07-07 20:49:50 . 2012-07-07 20:49:50 -------- d-----w- C:\Users\Manon\AppData\Local\temp
2012-07-07 20:49:50 . 2012-07-07 20:49:50 -------- d-----w- C:\Users\Default\AppData\Local\temp
2012-07-06 22:35:49 . 2012-05-31 04:04:02 9013136 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{4004C5F0-2CAB-4394-906C-00592AF10938}\mpengine.dll
2012-07-05 20:43:47 . 2012-05-31 04:04:02 9013136 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-04 21:58:41 . 2012-07-04 21:58:41 -------- d-----w- C:\Users\Manon\AppData\Local\Macromedia
2012-07-04 20:32:52 . 2012-04-06 23:30:02 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{81730370-440F-4A57-8E9C-10F80BD9724E}\gapaengine.dll
2012-07-04 01:52:42 . 2012-07-04 01:52:42 -------- d-----w- C:\Users\Manon\AppData\Local\Diagnostics
2012-06-27 13:46:48 . 2012-06-27 13:46:48 -------- d-----w- C:\Users\Sam\AppData\Local\Macromedia
2012-06-27 01:01:59 . 2012-06-27 01:01:59 -------- d-----w- C:\Users\Fred\AppData\Local\Macromedia
2012-06-25 18:56:45 . 2012-06-25 18:56:45 -------- d-----w- C:\Program Files (x86)\Oracle
2012-06-25 00:40:17 . 2012-06-25 00:40:17 -------- d-----w- C:\Users\Fred\AppData\Roaming\AnvSoft
2012-06-25 00:39:55 . 2012-06-25 00:39:55 -------- d-----w- C:\Program Files (x86)\AnvSoft
2012-06-25 00:37:09 . 2012-06-25 00:37:09 -------- d-----w- C:\ProgramData\Research In Motion
2012-06-25 00:36:28 . 2012-06-25 00:37:09 -------- d-----w- C:\Program Files (x86)\Common Files\XCPCSync.OEM
2012-06-23 20:55:46 . 2012-06-23 20:55:46 -------- d-----w- C:\Users\Sam\AppData\Local\Research In Motion
2012-06-23 20:55:45 . 2012-06-23 20:56:03 -------- d-----w- C:\Users\Sam\AppData\Roaming\Research In Motion
2012-06-22 13:40:52 . 2012-06-02 22:19:42 44056 ----a-w- C:\Windows\system32\wups2.dll
2012-06-22 13:40:51 . 2012-06-02 22:19:43 2428952 ----a-w- C:\Windows\system32\wuaueng.dll
2012-06-22 13:40:51 . 2012-06-02 22:19:42 57880 ----a-w- C:\Windows\system32\wuauclt.exe
2012-06-22 13:40:51 . 2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\system32\wucltux.dll
2012-06-22 13:40:41 . 2012-06-02 22:19:46 38424 ----a-w- C:\Windows\system32\wups.dll
2012-06-22 13:40:41 . 2012-06-02 22:19:23 701976 ----a-w- C:\Windows\system32\wuapi.dll
2012-06-22 13:40:41 . 2012-06-02 22:15:08 99840 ----a-w- C:\Windows\system32\wudriver.dll
2012-06-22 13:40:32 . 2012-06-02 19:19:42 186752 ----a-w- C:\Windows\system32\wuwebv.dll
2012-06-22 13:40:31 . 2012-06-02 19:15:12 36864 ----a-w- C:\Windows\system32\wuapp.exe
2012-06-16 20:34:17 . 2012-04-26 05:41:56 77312 ----a-w- C:\Windows\system32\rdpwsx.dll
2012-06-16 20:34:17 . 2012-04-26 05:41:55 149504 ----a-w- C:\Windows\system32\rdpcorekmts.dll
2012-06-16 20:34:17 . 2012-04-26 05:34:27 9216 ----a-w- C:\Windows\system32\rdrmemptylst.exe
2012-06-16 20:34:13 . 2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\system32\ntoskrnl.exe
2012-06-16 20:34:13 . 2012-05-01 05:40:20 209920 ----a-w- C:\Windows\system32\profsvc.dll
2012-06-16 20:34:11 . 2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-06-16 20:34:11 . 2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-06-16 20:34:06 . 2012-05-15 01:32:33 3146752 ----a-w- C:\Windows\system32\win32k.sys
2012-06-16 20:33:46 . 2012-04-28 03:55:21 210944 ----a-w- C:\Windows\system32\drivers\rdpwd.sys
2012-06-16 20:33:44 . 2012-04-07 12:31:40 3216384 ----a-w- C:\Windows\system32\msi.dll
2012-06-16 20:33:44 . 2012-04-07 11:26:29 2342400 ----a-w- C:\Windows\SysWow64\msi.dll
2012-06-13 14:19:41 . 2012-06-13 14:39:48 -------- d-----w- C:\Users\Sam\AppData\Local\Microsoft Games
2012-06-13 10:49:08 . 2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\system32\crypt32.dll
2012-06-13 10:49:07 . 2012-04-24 05:37:37 184320 ----a-w- C:\Windows\system32\cryptsvc.dll
2012-06-13 10:49:07 . 2012-04-24 05:37:37 140288 ----a-w- C:\Windows\system32\cryptnet.dll
2012-06-13 10:49:07 . 2012-04-24 04:36:42 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-06-13 10:49:07 . 2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-06-13 10:49:07 . 2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2012-06-12 23:57:57 . 2012-04-06 23:30:02 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2012-06-10 21:41:41 . 2012-06-19 21:11:09 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-10 21:41:41 . 2012-06-19 21:11:09 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
.


(((((((((((((((((((((((((((((((((( Find3M report ))))))))))))))))))))))))))))))))))))))))))))))))

2012-06-27 01:01:41 . 2012-04-07 02:07:19 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-27 01:01:41 . 2012-04-07 02:07:19 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-05-05 13:18:51 . 2012-04-14 13:34:44 8769696 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-05-04 23:29:22 . 2012-05-11 01:28:39 772504 ----a-w- C:\Windows\SysWow64\npDeployJava1.dll
2012-05-04 23:29:16 . 2012-05-11 01:28:40 687504 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-04-11 02:54:13 . 2009-07-14 02:36:51 175616 ----a-w- C:\Windows\system32\msclmd.dll
2012-04-11 02:54:13 . 2009-07-14 02:36:51 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll


((((((((((((((((((((((((((((((((( Reg loading points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legitimate default entries are not listed
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2010-11-20 13:25:17 1475584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 13:10:42 843712]
"RIMBBLaunchAgent.exe"="C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-11-02 06:00:44 90448]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 15:07:54 252296]
"IAStorIcon"="C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-10-17 19:12:48 284440]
"StartCCC"="C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 03:32:54 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 18:27:14 138576]
R3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-19 21:11:09 113120]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 00:44:12 98688]
R3 NisSrv;Microsoft Network Inspection;c:\Program Files\Microsoft Security Client\NisSrv.exe [2012-03-26 22:49:56 291696]
R3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys [2010-11-20 11:07:05 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe [2012-04-07 03:57:27 1255736]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 13:10:42 63928]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-10-17 19:12:52 13592]


--- Other Services/Drivers in memory ---

*NewlyCreated* - WS2IFSL


--------- X64 Entries -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="C:\Windows\system32\rundll32.exe" [2009-07-14 01:39:31 45568]
"MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2012-03-26 22:54:34 1271168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0

------- Supplementary scan -------

uLocal Page = C:\Windows\system32\blank.htm
uStart Page = hxxp://www.google.ca/
mLocal Page = C:\Windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 205.236.148.130 205.236.148.131
FF - ProfilePath - C:\Users\Fred\AppData\Roaming\Mozilla\Firefox\Profiles\kux7ybcl.default\
FF - prefs.js: browser.startup.homepage - google.ca

- - - - DELETED ORPHANS - - - -

Wow6432Node-HKCU-Run-RESTART_STICKY_NOTES - C:\Windows\System32\StikyNot.exe
AddRemove-Adobe Shockwave Player - C:\Windows\system32\Adobe\Shockwave 11\uninstaller.exe
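The "Reg loading points" and service lines above are what a log reader looks at first: which executables start automatically, and where they live. As an added example (not code from this thread, from the poster, or from the ComboFix tool), here is a small Python parser for those two line formats with the first-pass heuristic applied to them: flag any autostart whose executable is outside C:\Windows or Program Files, and flag rundll32.exe hosts, since ComboFix prints only the host binary and not the DLL it loads. The embedded sample reuses lines from the log above plus one constructed, hypothetical entry named "Updater" under AppData so the check has something to flag.

```python
"""Parse ComboFix Run-key and service lines and flag entries worth a second look.

Added example for this thread; not part of ComboFix or of the poster's log.
SAMPLE_LOG reuses lines from the log in post #1 plus one constructed entry
("Updater", a hypothetical AppData path) so the heuristic has something to flag.
"""
import re
from dataclasses import dataclass
from typing import List

# Run-key value as ComboFix prints it:
#   "Name"="C:\path\file.exe" [YYYY-MM-DD HH:MM:SS size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]+)\]$')

# Service/driver line as ComboFix prints it:
#   R2 name;Display Name;C:\path\file.exe [YYYY-MM-DD HH:MM:SS size]
SVC_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<stamp>[^\]]+)\]$'
)

# Directories an ordinary autostart is expected to live under (lower-cased).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class AutostartEntry:
    kind: str   # "run" (Run key value) or "service"
    name: str
    path: str
    stamp: str  # "YYYY-MM-DD HH:MM:SS size" exactly as ComboFix prints it
    note: str   # empty when nothing stood out


def review_path(path: str) -> str:
    """Return a short reason to look closer at this executable, or '' if none."""
    p = path.lower()
    if not p.startswith(TRUSTED_PREFIXES):
        return "outside Windows/Program Files (user-writable location)"
    if p.endswith("\\rundll32.exe"):
        return "rundll32 host: ComboFix omits the DLL argument, check the real command line"
    return ""


def parse_combofix(text: str) -> List[AutostartEntry]:
    """Extract Run-key values and service lines; other log lines are ignored."""
    entries: List[AutostartEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append(AutostartEntry("run", m["name"], m["path"], m["stamp"], review_path(m["path"])))
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append(AutostartEntry("service", m["name"], m["path"], m["stamp"], review_path(m["path"])))
    return entries


def flagged(text: str) -> List[AutostartEntry]:
    """Only the entries that carry a review note."""
    return [e for e in parse_combofix(text) if e.note]


# Constructed sample: real lines from the log above plus the hypothetical "Updater" entry.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2010-11-20 13:25:17 1475584]
"Updater"="C:\Users\Fred\AppData\Roaming\Updater\updater.exe" [2012-07-01 10:00:00 12345]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 15:07:54 252296]
"IAStorIcon"="C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-10-17 19:12:48 284440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)

R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 18:27:14 138576]
R3 NisSrv;Microsoft Network Inspection;c:\Program Files\Microsoft Security Client\NisSrv.exe [2012-03-26 22:49:56 291696]
S2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 13:10:42 63928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Download Assistant"="C:\Windows\system32\rundll32.exe" [2009-07-14 01:39:31 45568]
"MSC"="c:\Program Files\Microsoft Security Client\msseces.exe" [2012-03-26 22:54:34 1271168]
"""

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"[{e.kind}] {e.name}: {e.path}  <- {e.note}")
```

A flag here is a starting point for a human check (file publisher, signature, the full rundll32 command line from the registry), not a verdict; in the real log above only the rundll32 entry trips the heuristic, which is consistent with the helpers' advice that the log still needs a trained reader.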


#2 fredhonda

fredhonda
  • Topic Starter

  • Members
  • 6 posts

Posted 07 July 2012 - 04:20 PM

Sorry, I'm in the wrong section, I think.

#3 DarkSnake-Kobra

DarkSnake-Kobra

  • Members
  • 633 posts
  • Gender:Male
  • Location:Iowa, USA

Posted 07 July 2012 - 04:39 PM

Welcome!

Please read this on ComboFix Usage and the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Please DO NOT USE COMBOFIX on your own without supervision!!!

Edited by DarkSnake-Kobra, 07 July 2012 - 04:39 PM.


#4 fredhonda

fredhonda
  • Topic Starter

  • Members
  • 6 posts

Posted 07 July 2012 - 05:14 PM

Hi,

Thank you for your fast answer, but I already did the ComboFix scan. I read all the instructions about ComboFix and everything went well; I just want to know how I can be 100% sure my computer is virus-free.

I am not experienced enough to know if the log says my computer is clean.

Thanks !

#5 DarkSnake-Kobra

DarkSnake-Kobra

  • Members
  • 633 posts
  • Gender:Male
  • Location:Iowa, USA

Posted 07 July 2012 - 05:30 PM

Hi

You're welcome. :) That's good. Most people just run it without even knowing what it does, so that's why I posted the warning. :) There is no real way to guarantee that you are 100% clean, but if you ran Malwarebytes, your antivirus and possibly SuperAntiSpyware with no detections, then I'd say you probably are clean. :) If you would like, we can check your computer out by following the instructions in my second link in the previous post. A trained member will be able to read the logs and inform you of anything that needs to be done. :)

#6 fredhonda

fredhonda
  • Topic Starter

  • Members
  • 6 posts

Posted 08 July 2012 - 08:29 AM

I did the DDS log file (.txt), but I have a problem with the GMER log:

I can't check the right boxes to do the rootkit scan (system, sections, IAT/EAT...).

Does someone have an idea what it could be?

Thanks !

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,323 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 July 2012 - 10:10 AM

Hello, please then post the DDS log and the ComboFix log above in the new topic.

#8 DarkSnake-Kobra

DarkSnake-Kobra

  • Members
  • 633 posts
  • Gender:Male
  • Location:Iowa, USA

Posted 08 July 2012 - 11:37 AM

In addition to what boopme said, you should leave all your questions/problems to the helper, as they will be able to help. :)

#9 fredhonda

fredhonda
  • Topic Starter

  • Members
  • 6 posts

Posted 08 July 2012 - 08:58 PM

OK, so here is the DDS log:


DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by Fred at 8:57:57 on 2012-07-08
Microsoft Windows 7 Professionnel 6.1.7601.1.1252.2.1036.18.3062.1270 [GMT -4:00]
.
EDIT: Removed misplaced log~~ boopme

Edited by boopme, 09 July 2012 - 11:26 AM.


#10 DarkSnake-Kobra

DarkSnake-Kobra

  • Members
  • 633 posts
  • Gender:Male
  • Location:Iowa, USA

Posted 08 July 2012 - 09:03 PM

Please don't post this here. You need to post the log here in a new topic as stated. :)

Edited by DarkSnake-Kobra, 08 July 2012 - 09:04 PM.




