Combofix broke UPS Worldship


This topic is locked.
7 replies to this topic

#1 ancgllc

ancgllc

  • Members
  • 3 posts

Posted 27 February 2013 - 12:19 PM

I was wondering if anyone had some advice. We had a user run combofix on their system and now they cannot access UPS worldship. I can see looking at the logs that Combofix put these files in its quarantine folder. I have been reading through some posts and have seen a couple of articles related to using CFDQ-UsrPrf to create a CFscript file and drop that on the combofix executable. I have not tried this as I wanted to see if there was any other advice beforehand.

 

I know the user should not have run combofix in the first place, but I do not want to make matters worse. I do not know if a simple system restore would be the right thing to try first. I see there are restore points.

 

The computer is up and I am connected to it remotely. The system was also scanned with the Kaspersky Virus Removal Tool, which did not find anything on it.

 

Below is the combofix.txt log. Again, I hope I am posting in the right area and if not I am sorry.

 

ComboFix 13-02-18.02 - frontdesk 02/26/2013  13:50:19.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1519.1024 [GMT -5:00]
Running from: c:\documents and settings\frontdesk\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\frontdesk\Application Data\AdobeDLM.log
c:\documents and settings\frontdesk\Desktop\Setup.exe
c:\documents and settings\frontdesk\WINDOWS
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\Uninstall.ini
c:\windows\wt
c:\windows\wt\data.wts
c:\windows\wt\updater\wt.ini
c:\windows\wt\webdriver.dll
c:\windows\wt\webdriver\actorobject.dll
c:\windows\wt\webdriver\dx5drv.dll
c:\windows\wt\webdriver\dx7drv.dll
c:\windows\wt\webdriver\ObjectBundle.dll
c:\windows\wt\webdriver\rDriver.dll
c:\windows\wt\webdriver\Sound.dll
c:\windows\wt\webdriver\uiwdnu.exe
c:\windows\wt\webdriver\wdcaps.ded
c:\windows\wt\webdriver\wdengine.dll
c:\windows\wt\webdriver\webdriver.dll
c:\windows\wt\webdriver\wildtangent.jar
c:\windows\wt\webdriver\WTHost.exe
c:\windows\wt\webdriver\WTHostCtl.dll
c:\windows\wt\webdriver\wtmulti.dll
c:\windows\wt\webdriver\wtmulti.jar
c:\windows\wt\webdriver\wtwmplug.ax
c:\windows\wt\webdriver\wtwmplug.ini
c:\windows\wt\wt3d.dll
c:\windows\wt\wt3d.ini
c:\windows\wt\wtupdates\wtupdater\appinfo.dat
c:\windows\wt\wtupdates\wtwebdriver\update_info\data.wts
c:\windows\wt\wtvh.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-26 to 2013-02-26  )))))))))))))))))))))))))))))))
.
.
2013-02-22 01:50 . 2011-08-30 11:56 74104 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2013-02-22 01:50 . 2011-08-30 11:56 21496 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2013-02-22 01:48 . 2013-02-22 01:48 -------- d-----w- c:\documents and settings\frontdesk\Application Data\Managed Antivirus
2013-02-22 01:48 . 2013-02-22 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Managed Antivirus
2013-02-22 01:47 . 2012-08-03 18:22 44424 ----a-w- c:\windows\system32\sbbd.exe
2013-02-22 01:47 . 2012-02-13 22:08 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-02-21 18:47 . 2013-02-21 18:47 -------- d-----w- c:\documents and settings\frontdesk\temp
2013-02-21 18:46 . 2013-02-21 18:46 -------- d-----w- c:\program files\TeamViewer
2013-02-21 18:46 . 2013-02-26 18:50 -------- d-----w- c:\program files\Advanced Monitoring Agent
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2005-07-13 15:09 . 2004-03-30 21:43 5566656 ----a-w- c:\program files\vviewer.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn3\yt.dll" [2012-11-26 1525088]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\ypager.exe" [2005-08-19 3084288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPWH myPrintMileage Agent"="c:\program files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe" [2003-09-23 102400]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.2\SetHook.exe" [2005-03-28 53248]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-27 149280]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2010-12-09 24576]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-04-26 115624]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2006-11-15 352256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"SBAMTray"="c:\progra~1\ADVANC~1\managedav\SBAMTray.exe" [2011-10-12 1627504]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-2-14 25214]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2010-12-9 422912]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2010-12-9 34304]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\DAinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^UPS Online PLD Reminder Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\UPS Online PLD Reminder Utility.lnk
backup=c:\windows\pss\UPS Online PLD Reminder Utility.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\B'sCLiP]
2003-05-23 01:20 1310720 ----a-w- c:\progra~1\B'SCLI~1\Win2K\BsCLiP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2003-04-07 07:19 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2003-05-15 21:41 163840 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliType]
2002-03-22 04:41 94208 ----a-w- c:\program files\Microsoft Hardware\Keyboard\type32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 --sh--w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 09:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2003-05-30 14:42 585728 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2003-05-29 21:28 790528 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2005-08-19 23:34 3084288 ----a-w- c:\program files\Yahoo!\Messenger\YPager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=2 (0x2)
"MDM"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"TermService"=dword:00000001
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Advanced Monitoring Agent\\managedav\\SBAMSvc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 12:01 PM 9344]
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2/21/2013 8:47 PM 13560]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2/21/2013 8:50 PM 21496]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [8/30/2011 6:56 AM 101624]
R2 Advanced Monitoring Agent;Advanced Monitoring Agent;c:\program files\Advanced Monitoring Agent\winagent.exe [2/21/2013 1:46 PM 3510784]
R2 BsUDF;B.H.A UDF Filesystem;c:\windows\system32\drivers\BsUDF.sys [3/19/2004 12:01 PM 389888]
R2 DAInfo;DAInfo;c:\program files\DesktopAuthority\DAinfo.sys [5/21/2012 2:30 PM 12168]
R2 DAMaint;DA Remote Management Maintenance Service;c:\program files\DesktopAuthority\DAMaint.exe [5/21/2012 2:30 PM 85000]
R2 DAtf;DAtf;c:\program files\DesktopAuthority\DAtf.sys [5/21/2012 2:30 PM 11144]
R2 DesktopAuthority;DA Remote Management Service;c:\program files\DesktopAuthority\DesktopAuthority.exe [5/21/2012 2:30 PM 1360392]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 SBAMSvc;Managed Antivirus;c:\progra~1\ADVANC~1\managedav\SBAMSvc.exe [10/12/2011 12:28 PM 2804312]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2/21/2013 8:50 PM 74104]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [7/16/2012 9:37 AM 2677160]
R3 DAmirr;DAmirr;c:\windows\system32\drivers\DAmirr.sys [5/21/2012 2:30 PM 9352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/7/2012 6:19 AM 106104]
S0 bxbjjdu;bxbjjdu;c:\windows\system32\drivers\xykp.sys --> c:\windows\system32\drivers\xykp.sys [?]
S2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - GFIBTO
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ    HPSLPSVC
hpdevmgmt REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d7f6df8-daaf-11e1-bf3e-0002b3d6fa70}]
\Shell\AutoRun\command - H:\Setup.EXE
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd21bd56-59dc-11de-beff-0002b3d6fa70}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: eb.mil\wawf
Trusted Zone: sharelnk1.net\ec005
Trusted Zone: ups.com\www
.
.
------- File Associations -------
.
.scr=AutodeskDWGViewerScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-vptray - c:\progra~1\SYMANT~1\VPTray.exe
SafeBoot-ccEvtMgr
SafeBoot-Symantec Antvirus
MSConfigStartUp-vptray - c:\progra~1\SYMANT~1\VPTray.exe
AddRemove-Foss_for_WorldShipDom - c:\ups\uows\FOSS\Foss90Uninst.isu
AddRemove-UPS UPS OnLine WorldShip QuickDoc () v2.0.0 - c:\ups\UOWS\QDOCUninstall.isu
AddRemove-wtwebdriver - c:\windows\wt\webdriver\uiwdnu.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-26 14:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Active Setup\Installed Components\{abcdf74f-9a64-4e6e-b8eb-6e5a41de6550}\0409]
@SACL=
"Version"="1.0.0.2"
.
Completion time: 2013-02-26  14:04:16
ComboFix-quarantined-files.txt  2013-02-26 19:04
.
Pre-Run: 13,173,219,328 bytes free
Post-Run: 17,257,746,432 bytes free
.
- - End Of File - - 07C281100C328FC4410766D02B851A20
 




#2 ancgllc

ancgllc
  • Topic Starter

  • Members
  • 3 posts

Posted 01 March 2013 - 09:05 AM

All,

 

Just wanted to give everyone that has read the post an update: multiple reboots have fixed the issue.

 

Thanks,

 

Jim



#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts

Posted 02 March 2013 - 09:33 PM

Greetings ancgllc and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Start New Topic button but use the Add Reply button instead.
  • In the upper right hand corner of the topic you will see the Watch Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.
===================================================


Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Can you tell me why Combofix was run in the first place? What issues were present before the running of the program?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 ancgllc

ancgllc
  • Topic Starter

  • Members
  • 3 posts

Posted 04 March 2013 - 09:14 AM

Gary,

 

Thank you for replying. My name is Jim. The reason they ran combofix is that they read on the web that combofix was the only resolution to an issue they were having with the network. The issue was originally that a user picked up a virus that turned all the mapped shared drives to executables and hid the original files. After resolving that issue for them, unhiding the original files and cleaning all the others, I was told about the combofix issue. The machine with the issue has cleared itself up by rebooting.

 

It looks like a great tool but also looks like a very dangerous tool in the wrong hands. I am glad that I found this site and look forward to working with folks like yourself in the future.

 

Thank you for your reply

 

Jim



#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts

Posted 04 March 2013 - 09:24 AM

Hi Jim,

Nice to meet you and thanks for the clarification. Yes, Combofix is a great tool but it can be disastrous if used improperly.

"I can see looking at the logs that Combofix put these files in its quarantine folder."

The files listed under Deletions are not related to UPS. Are there other entries you are aware of that I am not seeing? I just want to make sure we are on the same page before we begin proactively addressing the issue.

I would like you to run the following program for me. It will not modify anything, it will simply spit out a lot of information for us to review.

===================================================

OTL

--------------------

  • Please download OTL and save it to your desktop
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Copy and paste the two reports in your next reply.

OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

 

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • Clarifications
  • OTL log
  • Extra log

Gary
 

#6 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts

Posted 04 March 2013 - 09:45 AM

Hi Jim,

 

Sorry, I misread the post and it seems this issue is resolved. If you no longer desire any assistance I would at least like to sensitize you to a couple of things you might consider taking a second look at.

 

This entry appears to be malware related, although possibly just a remnant:

 

S0 bxbjjdu;bxbjjdu;c:\windows\system32\drivers\xykp.sys --> c:\windows\system32\drivers\xykp.sys [?]

 

 

It is possible you also have an older version of Adobe which, if the case, is a security concern.

 

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

 

 

In light of this, if you would like continued help I would be happy to assist. If not, no problem, we will simply close the thread.


Gary
 
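As an added example (not part of the thread, and not ComboFix's or BleepingComputer's own code), here is a small Python triage script for the two kinds of entry Gary singled out: it parses ComboFix service lines and HKLM Run values in the format of the posted log, flags a service whose binary ComboFix could not find on disk (the bxbjjdu/xykp.sys line, and the orphaned SavRoam entry), and flags an autorun binary with an old build date (Acrobat 7.0). The embedded log lines are constructed copies of lines from the posted log, and the three-year age cutoff is an assumed threshold.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in the shape of the ComboFix log quoted in this thread:
# service/driver lines ("R0 name;description;path [date size]") and
# HKLM\...\Run values ('"name"="path" [YYYY-MM-DD size]').
SAMPLE_LOG = r"""
R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [3/19/2004 12:01 PM 9344]
R2 TeamViewer7;TeamViewer 7;c:\program files\TeamViewer\Version7\TeamViewer_Service.exe [7/16/2012 9:37 AM 2677160]
S0 bxbjjdu;bxbjjdu;c:\windows\system32\drivers\xykp.sys --> c:\windows\system32\drivers\xykp.sys [?]
S2 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" --> c:\program files\Symantec AntiVirus\SavRoam.exe [?]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-04-26 115624]
"""
SCAN_DATE = date(2013, 2, 26)  # completion date from the posted log header

# R/S = running/stopped, digit = start type (0 boot, 1 system, 2 auto, 3 manual)
SERVICE_RE = re.compile(r'^([RS])(\d)\s+([^;]+);([^;]*);(.+)\s+\[(.*)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2}) (\d+)\]$')

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str
    name: str
    path: str
    reason: str


def triage(log_text: str, scan_date: date, max_age_years: int = 3) -> list:
    """Flag service entries whose binary ComboFix could not find, and
    autorun binaries built more than max_age_years before the scan."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            _state, start_type, name, _desc, path, info = m.groups()
            if info.strip() == "?":
                # In the posted log, entries with no date/size show "[?]" and
                # repeat the path after "-->"; keep the form after the arrow.
                resolved = path.split("-->")[-1].strip().strip('"')
                # A boot/system-start driver (type 0/1) with no file on disk is
                # the pattern of a removed rootkit loader left in the registry.
                severity = "high" if int(start_type) <= 1 else "medium"
                findings.append(Finding(severity, name, resolved,
                                        "service binary not found on disk"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, path, stamp, _size = m.groups()
            built = date.fromisoformat(stamp)
            if scan_date - built > timedelta(days=365 * max_age_years):
                findings.append(Finding("low", name, path,
                                        f"autorun binary dated {stamp}; check for a current version"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def triage_sample() -> list:
    # Runs the triage over the constructed sample with the log's scan date.
    return triage(SAMPLE_LOG, SCAN_DATE)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity:6}] {f.name}: {f.path} ({f.reason})")
```

Entries that are merely old or orphaned (SavRoam here is a leftover Symantec service) still need a human decision; the script only orders what to look at first.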

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts

Posted 14 April 2016 - 08:07 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 

#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts

Posted 12 May 2016 - 09:54 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



