
Ran combofix by mistake, moving to a folder but double clicked.


7 replies to this topic

#1 Jerhyn


Posted 24 July 2013 - 07:13 PM

Well, I messed up. I made a folder for several of the utilities from your site to save on CD for emergency use.

I must have mis-clicked on ComboFix as I dropped it into the folder; a blue box opened and it started counting stages. I tried to X out of it, but it still kept running.

Afterward I saved the log.

I realize this is a huge mistake. Can you tell me how bad the damage is?

 

ComboFix 13-07-23.01 - jerry 07/23/2013  14:02:55.1.6 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3325.2317 [GMT -7:00]
Running from: c:\documents and settings\jerry\Desktop\123KomboFix.exe
AV: ZoneAlarm Antivirus *Disabled/Updated* {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\ReadOnlyInstaller.msi
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\D3A96964.TMP
c:\documents and settings\All Users\Application Data\uninstaller.exe
c:\documents and settings\All Users\Application Data\ZeoBIT
c:\documents and settings\All Users\Application Data\ZeoBIT\ZeoService.exe.dmp
C:\Install.exe
c:\windows\system32\drivers\etc\hosts.ics
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-23 to 2013-07-23  )))))))))))))))))))))))))))))))
.
.
2013-07-23 19:15 . 2002-12-23 18:02    102400    ----a-w-    c:\windows\system32\kmw_run.exe
2013-07-23 19:15 . 2002-12-23 18:01    167936    ----a-w-    c:\windows\system32\kmw_show.exe
2013-07-23 19:04 . 2013-07-23 20:56    --------    d-----w-    C:\ComboFix
2013-07-23 04:05 . 2013-07-23 04:05    --------    d-----w-    c:\windows\system32\wbem\Repository
2013-07-23 04:04 . 2013-07-23 04:04    --------    d-----w-    c:\program files\File Type Assistant
2013-07-23 04:04 . 2013-07-23 04:04    --------    d-----w-    c:\program files\7-zip
2013-07-22 02:27 . 2013-07-23 03:58    --------    d-s---w-    c:\documents and settings\Jerry Limited
2013-07-19 01:27 . 2013-07-19 01:27    --------    d-----w-    c:\program files\Reason
2013-07-17 16:52 . 2013-07-17 16:52    --------    d-----w-    c:\documents and settings\jerry\Local Settings\Application Data\VS Revo Group
2013-07-17 16:52 . 2013-07-17 16:52    --------    d-----w-    c:\documents and settings\All Users\Application Data\VS Revo Group
2013-07-17 16:52 . 2009-12-30 18:20    27064    ----a-w-    c:\windows\system32\drivers\revoflt.sys
2013-07-17 16:52 . 2013-07-17 16:52    --------    d-----w-    c:\program files\VS Revo Group
2013-07-12 18:05 . 2013-07-12 18:06    --------    d-----w-    C:\74636bd17b574527cf48f3dc34
2013-07-12 17:44 . 2013-07-12 17:44    --------    d-----w-    c:\documents and settings\jerry\Application Data\NVIDIA
2013-07-12 17:44 . 2013-07-12 17:44    --------    d-----w-    c:\program files\MSI Kombustor 2.5
2013-07-09 19:05 . 2013-07-12 18:06    --------    d--h--w-    c:\windows\msdownld.tmp
2013-07-09 18:53 . 2013-07-23 21:17    7304    ----a-w-    c:\windows\TMP0001.TMP
2013-07-09 18:08 . 2013-07-09 18:08    --------    d-----w-    c:\windows\ERUNT
2013-07-08 20:42 . 2013-07-08 20:42    --------    d-----w-    C:\riva tuner
2013-07-07 14:59 . 2013-07-07 14:59    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2013-07-07 14:59 . 2013-07-07 14:59    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2013-07-07 14:59 . 2013-07-07 14:59    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2013-07-07 14:59 . 2013-07-07 14:59    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2013-07-07 14:59 . 2013-07-07 14:59    159744    ----a-w-    c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2013-07-07 14:57 . 2013-07-07 14:59    --------    d-----w-    c:\program files\QuickTime
2013-07-07 00:59 . 2013-07-07 02:37    --------    d-----w-    c:\documents and settings\All Users\Application Data\HitmanPro
2013-07-06 21:57 . 2013-07-06 21:57    --------    d-----w-    c:\documents and settings\Administrator.BIGBLACK\Local Settings\Application Data\NVIDIA Corporation
2013-07-06 02:24 . 2013-07-06 02:24    --------    d-----w-    c:\windows\system32\wbem\Framework
2013-07-06 00:04 . 2013-07-15 17:58    17488    ----a-w-    c:\windows\etdrv.sys
2013-07-05 16:59 . 2013-07-23 04:06    --------    d-----w-    c:\documents and settings\Jerry regular
2013-07-04 18:51 . 2013-07-04 18:51    --------    d-----w-    c:\documents and settings\jerry\Application Data\SUPERAntiSpyware.com
2013-07-04 18:50 . 2013-07-04 18:51    --------    d-----w-    c:\program files\SUPERAntiSpyware
2013-07-04 18:50 . 2013-07-04 18:50    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2013-07-04 17:47 . 2013-07-17 16:40    17488    ----a-w-    c:\windows\gdrv.sys
2013-07-03 16:57 . 2005-02-17 14:15    221184    ----a-w-    c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
2013-07-03 16:57 . 2005-02-17 14:15    73728    ----a-w-    c:\windows\system32\ISUSPM.cpl
2013-07-03 16:57 . 2005-02-17 14:15    385024    ----a-w-    c:\program files\Common Files\InstallShield\UpdateService\_ispmres.dll
2013-07-01 00:32 . 2013-07-01 00:32    --------    d-----w-    c:\windows\system32\URTTEMP
2013-07-01 00:30 . 2013-07-01 00:30    --------    d-----w-    c:\windows\system32\drivers\NST
2013-07-01 00:30 . 2013-07-01 00:31    --------    d-----w-    c:\program files\Norton Safe Web Lite
2013-06-29 00:37 . 2013-06-29 00:37    --------    d-----w-    c:\documents and settings\All Users\Application Data\McAfee Security Scan
2013-06-29 00:37 . 2013-06-29 00:39    --------    d-----w-    c:\program files\McAfee Security Scan
2013-06-28 23:24 . 2013-03-27 23:57    79432    ----a-w-    c:\windows\system32\RtkCoInstIIXP.dll
2013-06-28 23:24 . 2011-11-22 23:28    11368    ----a-w-    c:\windows\system32\RtkCoLDRXP.dll
2013-06-28 23:24 . 2012-06-22 22:48    25816    ----a-w-    c:\windows\system32\drivers\RTAIODAT.DAT
2013-06-28 18:50 . 2013-03-05 22:37    891976    ----a-w-    c:\windows\system32\RTSndMgr.CPL
2013-06-28 02:05 . 2013-06-28 02:05    --------    d-----w-    c:\documents and settings\donna\Application Data\WinPatrol
2013-06-28 02:01 . 2013-07-23 18:32    --------    d-----w-    c:\program files\CCleaner
2013-06-27 23:11 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\90283620.sys
2013-06-27 18:41 . 2013-06-27 18:41    --------    d-----w-    c:\documents and settings\All Users\Application Data\Sophos
2013-06-27 18:40 . 2013-06-27 18:40    73728    ----a-r-    c:\documents and settings\jerry\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-06-27 18:40 . 2013-06-27 18:40    73728    ----a-r-    c:\documents and settings\jerry\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2013-06-27 18:40 . 2013-06-27 18:40    73728    ----a-r-    c:\documents and settings\jerry\Application Data\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2013-06-27 18:40 . 2013-06-27 18:40    --------    d-----w-    c:\program files\Sophos
2013-06-26 15:58 . 2013-06-26 15:58    181808    ----a-w-    c:\windows\RegBootClean.exe
2013-06-26 15:41 . 2012-06-05 07:37    256904    ----a-w-    c:\windows\system32\drivers\tmcomm.sys
2013-06-25 21:09 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\55438937.sys
2013-06-25 19:18 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\61931989.sys
2013-06-25 19:13 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\13178575.sys
2013-06-25 19:07 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\23899831.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-17 16:40 . 2011-04-24 19:11    24944    ----a-w-    c:\windows\system32\drivers\GVTDrv.sys
2013-06-27 20:45 . 2008-08-21 12:00    25600    ----a-w-    c:\windows\system32\aaaamon.dll
2013-06-22 17:55 . 2013-06-22 17:55    94632    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2013-06-22 17:55 . 2013-06-22 17:56    144896    ----a-w-    c:\windows\system32\javacpl.cpl
2013-06-22 17:55 . 2012-09-14 17:59    867240    ----a-w-    c:\windows\system32\npdeployJava1.dll
2013-06-11 22:57 . 2012-09-14 19:46    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-11 22:57 . 2012-09-14 19:46    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-05-14 22:56 . 2013-05-14 22:56    234752    ----a-w-    c:\windows\system32\drivers\afcdp.sys
2013-05-14 22:56 . 2013-05-14 22:56    888640    ----a-w-    c:\windows\system32\drivers\tdrpman.sys
2013-05-14 22:56 . 2013-05-14 22:56    130488    ----a-w-    c:\windows\system32\drivers\tib_mounter.sys
2013-05-14 22:56 . 2013-05-14 22:56    736192    ----a-w-    c:\windows\system32\drivers\tib.sys
2013-05-14 22:56 . 2013-05-14 22:56    116000    ----a-w-    c:\windows\system32\drivers\vididr.sys
2013-05-14 22:56 . 2013-05-14 22:56    85280    ----a-w-    c:\windows\system32\drivers\vidsflt.sys
2013-05-14 22:56 . 2013-05-14 22:56    158496    ----a-w-    c:\windows\system32\drivers\snapman.sys
2013-05-14 22:55 . 2013-05-14 22:55    81184    ----a-w-    c:\windows\system32\drivers\fltsrv.sys
2013-05-07 22:30 . 2008-08-21 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2013-05-07 22:30 . 2009-03-08 11:39    11112960    ----a-w-    c:\windows\system32\ieframe(2).dll
2013-05-07 22:30 . 2008-08-21 12:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2013-05-07 22:30 . 2008-08-21 12:00    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-05-07 21:53 . 2008-08-21 12:00    385024    ----a-w-    c:\windows\system32\html.iec
2013-05-03 01:30 . 2008-08-21 12:00    2149888    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-05-03 00:38 . 2008-04-14 00:01    2028544    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-05-01 10:59 . 2013-05-01 10:59    94208    ----a-w-    c:\windows\system32\QuickTimeVR.qtx
2013-05-01 10:59 . 2013-05-01 10:59    69632    ----a-w-    c:\windows\system32\QuickTime.qts
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]
@="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"
[HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]
2013-03-28 05:36    2661104    ----a-w-    c:\program files\Acronis\TrueImageHome\tishell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]
@="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"
[HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]
2013-03-28 05:36    2661104    ----a-w-    c:\program files\Acronis\TrueImageHome\tishell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]
@="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"
[HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]
2013-03-28 05:36    2661104    ----a-w-    c:\program files\Acronis\TrueImageHome\tishell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2013-05-15 4760816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2010-09-07 1981016]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2013-02-15 412480]
"AcronisTibMounterMonitor"="c:\program files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe" [2013-01-10 1103424]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-11-22 738984]
"kmw_run.exe"="kmw_run.exe" [2002-12-23 102400]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Task Catcher"="c:\program files\BillP Studios\Task Catcher\tasktrap.exe" [2006-08-15 140856]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2013-03-28 6365920]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2013-01-02 73984]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-03-21 15517984]
"NvMediaCenter"="NvMCTray.dll" [2013-03-21 108832]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2013-03-23 1982312]
"RTHDCPL"="RTHDCPL.EXE" [2013-03-12 20143688]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"MSIAfterburner"="c:\program files\MSI Afterburner\MSIAfterburner.exe" [2013-01-23 425016]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.318\SSScheduler.exe [2013-2-5 272248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
backupExtension=Common Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ES lite Service"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2011.SP1x\\RpcAgentSrv.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite 2011.SP1x\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Acronis\\SyncAgent\\syncagentsrv.exe"=
"c:\\Program Files\\123CopyDVD 2013\\helper.exe"=
"c:\\Program Files\\123CopyDVD 2013\\123CopyDVD.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\drivers\fltsrv.sys [5/14/2013 3:55 PM 81184]
R0 tib;Acronis TIB Manager;c:\windows\system32\drivers\tib.sys [5/14/2013 3:56 PM 736192]
R0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\drivers\tib_mounter.sys [5/14/2013 3:56 PM 130488]
R0 vididr;Acronis Virtual Disk;c:\windows\system32\drivers\vididr.sys [5/14/2013 3:56 PM 116000]
R0 vidsflt;Acronis Disk Storage Filter;c:\windows\system32\drivers\vidsflt.sys [5/14/2013 3:56 PM 85280]
R1 crlscsi;crlscsi;c:\windows\system32\drivers\crlscsi.sys [6/13/2011 12:15 PM 6144]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [5/23/2013 1:11 PM 119056]
R2 afcdpsrv;Acronis Nonstop Backup Service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [5/14/2013 3:56 PM 3783672]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/22/2012 7:33 AM 27056]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/22/2012 7:33 AM 497320]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [4/24/2011 12:07 PM 22016]
R2 SDLService;SDLService;c:\program files\Realtek\Smart Dual Lan\SDLService.exe [4/24/2011 12:07 PM 77824]
R2 syncagentsrv;Acronis Sync Agent Service;c:\program files\Common Files\Acronis\SyncAgent\syncagentsrv.exe [3/20/2013 7:28 PM 7084672]
R3 afcdp;afcdp;c:\windows\system32\drivers\afcdp.sys [5/14/2013 3:56 PM 234752]
R3 nusb3hub;NEC Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [11/20/2009 4:15 AM 58880]
R3 nusb3xhc;NEC Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [11/20/2009 4:15 AM 137728]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [9/15/2009 1:59 PM 38248]
R3 RTCore32;RTCore32;c:\program files\MSI Afterburner\RTCore32.sys [9/6/2011 5:24 AM 5632]
R3 rtkio;rtkio;c:\program files\Realtek\Smart Dual Lan\rtkio.sys [4/24/2011 12:07 PM 5760]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [4/24/2011 12:05 PM 30392]
S1 ccSet_NST;Norton Safe Web Lite Settings Manager;c:\windows\system32\drivers\NST\0200000.010\ccSetx86.sys [8/8/2012 4:28 PM 132744]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/24/2011 12:02 PM 1691480]
S3 etdrv;etdrv;c:\windows\etdrv.sys [7/5/2013 5:04 PM 17488]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/17/2013 9:52 AM 27064]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite 2011.SP1x\RpcAgentSrv.exe [8/12/2012 12:57 PM 93848]
S4 0314974drv;0314974drv;c:\windows\system32\DRIVERS\0314974drv.sys --> c:\windows\system32\DRIVERS\0314974drv.sys [?]
S4 fileHiders;fileHiders;c:\windows\system32\drivers\fileHiders.sys [11/23/2011 2:30 PM 26392]
S4 Free Download Manager Controller;Free Download Manager Controller;c:\documents and settings\All Users\Application Data\Free Download Manager Controller\2.2.639.201\{16cdff19-861d-48e3-a751-d99a27784753}\fdmctrl.exe --> c:\documents and settings\All Users\Application Data\Free Download Manager Controller\2.2.639.201\{16cdff19-861d-48e3-a751-d99a27784753}\fdmctrl.exe [?]
S4 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [4/24/2011 12:11 PM 24944]
S4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.318\McCHSvc.exe [2/5/2013 8:48 AM 235216]
S4 MFE_RR;MFE_RR;\??\c:\docume~1\jerry\LOCALS~1\Temp\mfe_rr.sys --> c:\docume~1\jerry\LOCALS~1\Temp\mfe_rr.sys [?]
S4 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe [8/8/2012 4:28 PM 138760]
S4 WinRing0_1_2_0;WinRing0_1_2_0;\??\c:\documents and settings\jerry\Local Settings\Temp\tmp16.tmp --> c:\documents and settings\jerry\Local Settings\Temp\tmp16.tmp [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RTKIO
.
Contents of the 'Scheduled Tasks' folder
.
2013-07-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-23 22:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com
Trusted Zone: google.com\www
TCP: DhcpNameServer = 192.168.2.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\jerry\Application Data\Mozilla\Firefox\Profiles\i1igu1n3.default-1372708820671\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-MSWheel - (no file)
AddRemove-DSite - c:\documents and settings\jerry\Application Data\DSite\UpdateProc\UpdateTask.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-23 14:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\2.0.0.16\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinRing0_1_2_0]
"ImagePath"="\??\c:\documents and settings\jerry\Local Settings\Temp\tmp16.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-602162358-527237240-1801674531-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1176)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(1232)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(2920)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\kmw_dll.dll
c:\windows\system32\wow32.dll
c:\program files\Acronis\TrueImageHome\tishell.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\program files\Acronis\TrueImageHome\ti_managers_proxy_stub.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\kmw_run.exe
c:\windows\system32\KMW_SHOW.EXE
c:\windows\system32\RunDLL32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
c:\windows\system32\notepad.exe
.
**************************************************************************
.
Completion time: 2013-07-23  14:28:08 - machine was rebooted
ComboFix-quarantined-files.txt  2013-07-23 21:28
.
Pre-Run: 668,315,004,928 bytes free
Post-Run: 668,389,990,400 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /usepmtimer /NoExecute=OptIn
.
- - End Of File - - 5EA9472A5155DBB9B7FE45FD58F111A7
8F558EB6672622401DA993E1E865C861


Edited by Jerhyn, 24 July 2013 - 07:31 PM.



 


#2 The Dark Knight


Posted 28 July 2013 - 05:24 AM

Hello and welcome to BleepingComputer. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear. :welcome:

 

ComboFix was run but it doesn't appear to have removed anything important. Do you notice any issues on your computer?

 

Please go to http://www.virustotal.com, click on Choose File, and upload the following files for analysis. You will only be able to have one file scanned at a time.

 

c:\windows\system32\drivers\55438937.sys
c:\windows\system32\drivers\61931989.sys
c:\windows\system32\drivers\13178575.sys
c:\windows\system32\drivers\23899831.sys

 

Then click Scan It!. Allow the file to be scanned, and then please copy/paste the results here for me to see.
Note: If a message appears saying the file has already been analysed, please resend the file.


If you make yourself more than just a man, if you devote yourself to an ideal...you become something else entirely. A legend, Mr. Wayne, a legend!


If I have helped you please consider donating to the Neuroscience Research Institute.


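As an added example (not part of this thread and not a ComboFix feature), the Python below parses lines in the "Files Created" format of the log in post #1 and groups digit-only driver names by identical size and modification time, the trait that makes the four .sys files asked about above stand out from vendor-named drivers. The sample lines are copied from that log, and the same grouping also picks up 90283620.sys, which shares the 133208-byte size and the 2013-06-26 05:12 stamp.

```python
"""Surface look-alike driver files in the 'Files Created' section of a ComboFix log.

Added example: the parsing logic and the clustering rule are ours, not ComboFix's.
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample (lines copied from the log in post #1), in ComboFix's format:
#   <created> . <modified>    <size or -------->    <attrs>    <path>
SAMPLE_LOG = r"""
2013-07-17 16:52 . 2009-12-30 18:20    27064    ----a-w-    c:\windows\system32\drivers\revoflt.sys
2013-07-12 18:05 . 2013-07-12 18:06    --------    d-----w-    C:\74636bd17b574527cf48f3dc34
2013-06-27 23:11 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\90283620.sys
2013-06-26 15:41 . 2012-06-05 07:37    256904    ----a-w-    c:\windows\system32\drivers\tmcomm.sys
2013-06-25 21:09 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\55438937.sys
2013-06-25 19:18 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\61931989.sys
2013-06-25 19:13 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\13178575.sys
2013-06-25 19:07 . 2013-06-26 05:12    133208    ----a-w-    c:\windows\system32\drivers\23899831.sys
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
# A driver whose file name is nothing but digits: no vendor, no product hint.
NUMERIC_DRIVER_RE = re.compile(r"\d+\.sys", re.IGNORECASE)


class FileEntry(NamedTuple):
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix lists as "--------"
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_directory(self) -> bool:
        return self.attrs.startswith("d")


def parse_files_created(text: str) -> list:
    """Parse every well-formed entry; section banners and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(FileEntry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def find_numeric_driver_clusters(entries, min_members: int = 2) -> dict:
    """Group digit-only .sys files by (size, modified time).

    Several digit-named drivers that share an identical size and modification
    stamp are very likely copies of one binary written under random names,
    which is what makes them worth a VirusTotal check before anything else.
    Returns {(size, modified): sorted file names} for groups of min_members+.
    """
    groups = defaultdict(list)
    for e in entries:
        if e.is_directory or e.size is None:
            continue
        if NUMERIC_DRIVER_RE.fullmatch(e.name):
            groups[(e.size, e.modified)].append(e.name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}


if __name__ == "__main__":
    clusters = find_numeric_driver_clusters(parse_files_created(SAMPLE_LOG))
    for (size, modified), names in clusters.items():
        print(f"{len(names)} digit-named drivers, {size} bytes, modified {modified}:")
        for n in names:
            print("   ", n)
```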


#3 Jerhyn


Posted 29 July 2013 - 12:00 PM

All files listed came back as

SHA256: a8c1577876cf16186610f26d7d859f8fda4057aafc33e8212339f56da6a5f874 File name: 23899831.sys Detection ratio: 0 / 46 Analysis date: 2013-07-29 16:41:36 UTC ( 0 minutes ago )

That is 0/46 detections.

 

The only issue so far is when I tried to update Windows or the MMO, I get a "no internet connectivity" error.

When I look at Control Panel / Internet Options, I only saw 2 checkboxes and no tabs at the top, like it had been locked by Combo. When I looked just now I don't see the Internet Options icon at all. I looked on the desktop to see if I moved the icon by mistake, but it's not there either.

I only have enough of a connection to get online, but DL fails.

 

Oh, and iexplorer says (no addons) and proxy says disabled. I don't know what those are set to normally.


Edited by Jerhyn, 29 July 2013 - 12:41 PM.


#4 The Dark Knight


Posted 30 July 2013 - 08:49 PM

Hello Jerhyn,

 

Please restore your computer back to an earlier System Restore Point to before you ran ComboFix. Let me know if you need help with that. :)




#5 Jerhyn


Posted 31 July 2013 - 05:23 PM

Restored back to 7-20, got Windows to update some things, had to use Revo to uninstall Microsoft Framework.net 1.1.

Still cannot update Lord of the Rings; I tried removing LOTRO completely and doing a clean install. It updates their installer, but then freezes and gives the error "no internet connectivity found". Odd, because I'm pretty sure this chat is traveling over the net.

Still cannot open Internet Options in Internet Explorer 8. I am wondering if IE8 needs to be reset to default, or reinstalled. Firefox seems OK, but any download that defaults to IE8 has no internet connection.

I'm still trying to get Windows to update/install MS Framework 3.5; 1, 4, and 5 loaded successfully.




#6 The Dark Knight


Posted 02 August 2013 - 06:22 PM

Hello Jerhyn,

 

I suggest rolling back IE:

 

http://support.microsoft.com/kb/957700/en-us

 

Did that help?




#7 Jerhyn


Posted 03 August 2013 - 05:24 PM

Hi Dark Knight, I did an update of iexplorer and now things look right.

The download issue with LOTRO was resolved by changing ZoneAlarm settings to allow the LOTRO launcher in program control.

LOTRO just had an update and ZA was blocking the new, different-sized program.

If there was a ZA box asking if LOTRO should run, it might have been hidden under the launcher box, so I never saw the accept/decline option.

As of today the system seems OK. I will create a restore point daily for a while and see if any issues pop up.

I have been subscribed to ZoneAlarm Pro for a few years now, but clearly there are things that can get past it.

Can you recommend which anti-virus/firewall catches most of the nasties?

And which utilities should be run periodically to sift out any that get through?

Thank you for your help.



#8 The Dark Knight (The Magician, Security Colleague)

Posted 04 August 2013 - 04:48 AM

Hello Jerhyn,

A little housekeeping to uninstall ComboFix:

Please click Start>Run and copy/paste the following text, including the space between "ComboFix" and "/uninstall", into the Run box and click OK:

ComboFix /uninstall

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Right-click the Recycle Bin and please select Empty Recycle Bin.

=====

Please consider using these ideas to help secure your computer.  While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection.  While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.   :)


IMPORTANT: Please enable Automatic Updates under Start > Control Panel > Automatic Updates to ensure your Windows updates regularly. This is extremely important in ensuring you remain protected against vulnerabilities and infections. This is a crucial security measure.


As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running the following program (there is a free version available):

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.


Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.  A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection.  However, it is important to run only one resident program of each type since they can conflict and become less effective.  That means only one antivirus, firewall and scanning anti-spyware program at a time.  Passive protectors, like SpywareBlaster, can be run with any of them.  

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs.  If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately.  It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information.  Ask in a security forum that you trust if you are not sure.  If you are unsure and looking for anti-spyware programs, you may be able to find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

A similar category of programs is now called "scareware."  Scareware programs are active infections that will pop-up on your computer and tell you that you are infected.  If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed.  It tells you to click and install it right away.  If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further.  Keeping protection updated and running resident protection can help prevent these infections.  If it happens anyway, get offline as quickly as you can.  Pull the internet connection cable or shut down the computer if you have to.  Contact someone to help by using another computer if possible.  These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.


Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative.  In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and Add-ons, like Adblock Plus and NoScript, can make it even more secure. To avoid dangerous sites Web of Trust or McAfee SiteAdvisor can be installed. Google Chrome or Opera are other good options.

Two useful programs for keeping your programs up-to-date are FileHippo or Secunia PSI. Running one of these regularly will help you obtain the latest program updates.

Please also read Tony Klein's excellent article: How did I get infected in the first place.

Hopefully these steps will help to keep you error free.  If you run into more difficulty, we will certainly do what we can to help.  :)




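As an added example, not part of the original post and not ComboFix's or BleepingComputer's own instructions, the housekeeping from post #8 can be checked with a small batch file on Windows XP after running "ComboFix /uninstall". It looks for ComboFix leftovers and confirms that Automatic Updates is actually switched on. The paths C:\Qoobox (quarantine folder) and C:\ComboFix.txt (saved log) are assumed to be where ComboFix leaves its files; the AUOptions registry value is the setting written by the Automatic Updates control panel.

```batch
@echo off
rem Added example (not from the original post): post-ComboFix housekeeping
rem checks for Windows XP. Qoobox and ComboFix.txt are ASSUMED ComboFix
rem leftovers; delete them manually only if the uninstall left them behind.
setlocal

rem 1. ComboFix leftovers that "ComboFix /uninstall" should have removed.
for %%P in ("%SystemDrive%\Qoobox" "%SystemDrive%\ComboFix.txt") do (
    if exist %%P (
        echo LEFTOVER: %%~P still present - delete it manually, then empty the Recycle Bin
    ) else (
        echo OK: %%~P is gone
    )
)

rem 2. Automatic Updates state. AUOptions meanings:
rem    1 = turned off, 2 = notify before download,
rem    3 = download and notify, 4 = download and install on schedule.
set "AUKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update"
set "AUOPT="
for /f "tokens=3" %%V in ('reg query "%AUKEY%" /v AUOptions 2^>nul ^| find "AUOptions"') do set "AUOPT=%%V"
if not defined AUOPT (
    echo WARNING: AUOptions not set - open Control Panel, Automatic Updates and turn it on
) else if "%AUOPT%"=="0x1" (
    echo WARNING: Automatic Updates is turned OFF - turn it on
) else (
    echo OK: Automatic Updates enabled ^(AUOptions=%AUOPT%^)
)

rem 3. A domain policy can override the control panel; report it if present.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate 2>nul | find "0x1" >nul
if not errorlevel 1 echo WARNING: policy NoAutoUpdate=1 is forcing Automatic Updates off

endlocal
```

Save it as check-cleanup.bat and run it from Start>Run; a line starting with WARNING or LEFTOVER means the corresponding step in the post above still needs doing.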