comboFix log


  • This topic is locked
2 replies to this topic

#1 ahmadyazidozi

  • Members
  • 1 posts
  • OFFLINE
  • Local time:04:29 AM

Posted 17 January 2015 - 08:49 PM

Hi, I'm new in this forum.

I got infected with trz3e.tmp, so I tried to use ComboFix.

This is what I got as the log. I am not good with computers.

I would be so very grateful if anyone can help.

ComboFix 15-01-08.01 - lenovo 18/01/2015   8:21.1.4 - x86
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.62.1033.18.3489.1932 [GMT 7:00]
Running from: c:\users\lenovo\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\lenovo\AppData\Local\assembly\tmp
c:\users\lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trz3E.tmp
c:\windows\system\bdt52exf.dll
c:\windows\system\bivbx31.32n
c:\windows\system\VI30AUT.DLL
D:\install.exe
.
c:\windows\ehome\ehprivjob.exe . . . is infected!!
.
c:\windows\ehome\ehrecvr.exe . . . is infected!!
.
c:\windows\System32\aitagent.exe . . . is infected!!
.
c:\windows\System32\bthudtask.exe . . . is infected!!
.
c:\windows\System32\LocationNotifications.exe . . . is infected!!
.
c:\windows\System32\lpremove.exe . . . is infected!!
.
c:\windows\System32\msra.exe . . . is infected!!
.
c:\windows\System32\wsqmcons.exe . . . is infected!!
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_KernelMemory
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-18 to 2015-01-18  )))))))))))))))))))))))))))))))
.
.
2015-01-18 01:33 . 2015-01-18 01:35    --------    d-----w-    c:\users\lenovo\AppData\Local\temp
2015-01-18 01:33 . 2015-01-18 01:33    --------    d-----w-    c:\users\Default\AppData\Local\temp
2015-01-16 16:06 . 2015-01-16 16:06    --------    d-----w-    c:\users\lenovo\AppData\Roaming\PCFixKit
2015-01-16 16:06 . 2015-01-16 16:10    --------    d-----w-    c:\program files\PCFixKit
2015-01-04 06:22 . 2015-01-04 06:22    --------    d-----w-    c:\program files\LogMeIn Hamachi
2014-12-29 08:08 . 2014-12-29 08:08    --------    d-----w-    c:\users\lenovo\AppData\Roaming\Carbon
2014-12-26 14:02 . 2014-12-26 14:02    --------    d-----w-    c:\users\lenovo\AppData\Roaming\EurekaLab s.a.s
2014-12-26 14:02 . 2014-09-12 02:23    3421696    ----a-w-    c:\windows\performersoftsetup.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-12 04:53 . 2013-02-08 05:32    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-12-12 04:53 . 2013-02-08 05:32    701616    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-11-25 08:55 . 2013-02-08 01:56    779536    ----a-w-    c:\windows\system32\drivers\aswsnx.sys
2014-11-12 11:19 . 2014-01-31 12:14    96680    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-08-14 20:01    578240    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\users\lenovo\AppData\Roaming\uTorrent\uTorrent.exe" [2014-11-19 1385808]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2011-05-20 284440]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-12-21 144152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-12-21 179992]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-12-21 188184]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2011-09-05 10992232]
"UMonit"="c:\windows\system32\UMonit.exe" [2011-05-25 49152]
"jmekey"="c:\windows\jmesoft\hotkey.exe" [2011-06-08 118784]
"jmesoft"="c:\windows\jmesoft\ServiceLoader.exe" [2011-03-15 28672]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2012-09-25 2629632]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-18 959904]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-08-14 4085896]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-10-07 507776]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2014-12-13 3838800]
.
c:\users\lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2006-10-26 98632]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
TP-LINK Wireless Configuration Utility.lnk - c:\program files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe -nogui [2013-11-14 841216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [2010-01-25 245760]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2009-07-13 657408]
R3 VSPerfDrv100;Performance Tools Driver 10.0;c:\program files\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\VSPerfDrv100.sys [2009-12-08 48128]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-02-08 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 OracleJobSchedulerXE;OracleJobSchedulerXE;c:\oraclexe\app\oracle\product\10.2.0\server\Bin\extjob.exe XE [x]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-29 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-29 366936]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-11-25 779536]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-08-14 414520]
S1 catchurl;catchurl;c:\windows\system32\drivers\catchurl.sys [2013-02-07 43776]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2013-05-21 242240]
S2 AIPS;Arp Intelligent Protection Service;c:\program files\netcut\services\AIPS.exe [2011-07-28 262144]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-08-14 24184]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-08-14 67824]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-08-14 71944]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2014-12-13 1895760]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2011-05-20 13592]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe [2011-12-08 423136]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [2011-12-16 161560]
S2 JME Keyboard;JME Keyboard Driver;c:\windows\jmesoft\Service.exe [2011-03-15 32768]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn Hamachi\LMIGuardianSvc.exe [2014-12-02 411920]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 OracleServiceXE;OracleServiceXE;c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE XE [x]
S2 OracleXETNSListener;OracleXETNSListener;c:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe [2006-02-01 204800]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-12-16 363800]
S3 GeneStor;Genesys Logic Storage Driver;c:\windows\system32\DRIVERS\GeneStor.sys [2011-05-18 54784]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-12-05 280576]
S3 MEI;Intel® Management Engine Interface ;c:\windows\system32\DRIVERS\HECI.sys [2011-11-09 46080]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-08-23 414824]
S3 RTL8192cu;300Mbps Wireless USB Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2012-05-14 801896]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-08 04:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = localhost;127.0.0.1;<local>
uInternet Settings,ProxyServer = ftp=192.168.0.253:2278;http=192.168.0.253:2278;https=192.168.0.253:2278;socks=192.168.0.253:2278
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
TCP: Interfaces\{96F3AD53-CAE3-4476-8CD3-74A0D6123993}: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{96F3AD53-CAE3-4476-8CD3-74A0D6123993}\0716E6361626574696F51455449445: NameServer = 208.67.222.222,208.67.220.220
TCP: Interfaces\{96F3AD53-CAE3-4476-8CD3-74A0D6123993}\2757265637E65647: NameServer = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\users\lenovo\AppData\Roaming\Mozilla\Firefox\Profiles\muhh9onf.default\
FF - prefs.js: browser.startup.homepage - about:home
FF - prefs.js: network.proxy.ftp - 192.168.0.253
FF - prefs.js: network.proxy.ftp_port - 2278
FF - prefs.js: network.proxy.http - 192.168.0.253
FF - prefs.js: network.proxy.http_port - 2278
FF - prefs.js: network.proxy.socks - 192.168.0.253
FF - prefs.js: network.proxy.socks_port - 2278
FF - prefs.js: network.proxy.ssl - 192.168.0.253
FF - prefs.js: network.proxy.ssl_port - 2278
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ProxyCap - c:\progra~1\PROXYL~1\ProxyCap\pcapui.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ChromeHTML"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\system32\taskhost.exe
c:\program files\Smadav\SMc:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\conhost.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2015-01-18  08:39:01 - machine was rebooted
ComboFix-quarantined-files.txt  2015-01-18 01:39
.
Pre-Run: 19.725.828.096 bytes free
Post-Run: 20.087.566.336 bytes free
.
- - End Of File - - 88292FA358290EE91BB75D91075F90D3
A36C5E4F47E84449FF07ED3517B43A31
I'm so thankful. Thank you.



#2 Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,894 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:04:29 PM

Posted 18 January 2015 - 09:27 AM

Hey, :)

Please download FRST (by Farbar) from the link below and save it to your Desktop.

Download Mirror #1

If you are unsure whether you have 32-bit or 64-bit Windows, see here.
  • Disable all anti-virus and anti-malware software to prevent them from inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (If you have Windows Vista / Windows 7 / Windows 8: please right-click the FRST icon and select Run as Administrator.)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt, will open.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of both of these logs into your next post.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#3 Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,894 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:04:29 PM

Posted 22 January 2015 - 10:18 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

~Machiavelli
