Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

ComboFix


  • Please log in to reply

#1
ezgoer89

ezgoer89

    New Member

  • Member
  • Pip
  • 1 posts
Don't know how it got in my laptop, but had a antivirus rootkit that seems to have been spread quite prodigiously. I used ComboFix and it seems to have done the trick. I have posted the logfile below... anything crazy in there? Anything further you would recommend?

ComboFix 10-05-25.02 - user 05/25/2010 20:12:49.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.410 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100525-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\g2mdlhlpx.exe
c:\documents and settings\user\Local Settings\Application Data\xtwpogtib
c:\documents and settings\user\Local Settings\Application Data\xtwpogtib\caeeayytssd.exe
c:\windows\system32\Temp
c:\windows\system32\Temp\log10-05-22 08.58.00.223.txt
c:\windows\system32\Temp\log10-05-22 08.58.10.528.txt
c:\windows\system32\Temp\log10-05-22 08.58.18.259.txt

Infected copy of c:\windows\system32\drivers\pcmcia.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-04-26 to 2010-05-26 )))))))))))))))))))))))))))))))
.

2010-05-25 23:07 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-25 23:07 . 2010-05-25 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-25 23:07 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-25 23:07 . 2010-05-25 23:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 15:42 . 2010-01-25 15:58 462848 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jvcjfccl.default\extensions\[email protected]\plugins\ractrlkeyhook.dll
2010-05-23 15:42 . 2010-01-15 18:25 864256 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jvcjfccl.default\extensions\[email protected]\plugins\LMIGuardianDll.dll
2010-05-23 15:42 . 2010-01-15 18:25 315392 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jvcjfccl.default\extensions\[email protected]\plugins\LMIGuardianEvt.dll
2010-05-23 15:42 . 2010-01-15 18:25 372736 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jvcjfccl.default\extensions\[email protected]\plugins\LMIGuardian.exe
2010-05-23 15:42 . 2010-03-07 17:49 3862528 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jvcjfccl.default\extensions\[email protected]\plugins\npRACtrl.dll
2010-05-23 15:42 . 2010-01-15 18:26 70984 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jvcjfccl.default\extensions\[email protected]\plugins\LMIProxyHelper.exe
2010-05-17 01:20 . 2010-05-17 01:21 -------- d-----w- c:\program files\Musicnotes
2010-05-15 00:52 . 2010-05-15 00:52 -------- d-----w- c:\program files\iPod
2010-05-15 00:51 . 2010-05-15 00:54 -------- d-----w- c:\program files\iTunes
2010-05-15 00:37 . 2010-05-15 00:37 -------- d-----w- c:\program files\Bonjour
2010-05-15 00:34 . 2010-05-15 00:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-25 23:18 . 2008-08-26 21:29 -------- d-----w- c:\program files\Support.com
2010-05-24 16:14 . 2009-05-13 22:53 -------- d-----w- c:\program files\Airfoil
2010-05-20 02:36 . 2010-03-21 20:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-17 01:25 . 2009-03-04 22:36 59 ----a-w- c:\windows\wpd99.drv
2010-05-17 01:25 . 2009-03-04 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-05-17 01:21 . 2009-03-14 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-05-17 01:21 . 2009-02-16 16:49 98280 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-15 00:52 . 2009-05-17 03:29 -------- d-----w- c:\program files\Common Files\Apple
2010-05-09 14:52 . 2009-12-24 17:26 -------- d-----w- c:\program files\Google
2010-04-12 10:45 . 2009-05-17 03:31 -------- d-----w- c:\documents and settings\user\Application Data\Apple Computer
2010-04-10 00:06 . 2010-04-10 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-09 23:57 . 2010-04-09 23:55 -------- d-----w- c:\program files\QuickTime
2010-04-09 23:44 . 2009-05-13 22:32 -------- d-----w- c:\program files\AirPort
2010-04-08 17:20 . 2010-04-08 17:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 17:20 . 2010-04-08 17:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-07 20:21 . 2010-04-07 20:21 165584 ----a-w- c:\windows\system32\AirfoilInject3.dll
2010-03-27 03:35 . 2009-08-22 00:09 -------- d-----w- c:\program files\Safari
2010-03-27 03:32 . 2010-03-27 03:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-11 12:38 . 1980-01-01 07:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ------w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 1980-01-01 07:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2002-02-26 21:58 430080 ----a-w- c:\windows\system32\vbscript.dll
2001-03-30 17:06 . 2001-03-30 17:06 32768 --sha-r- c:\windows\system32\cdosda.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-31 512000]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2003-01-17 64000]
"BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2003-01-17 20480]
"QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2003-03-27 53248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2002-12-24 204800]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2002-10-16 1622016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-11-11 771360]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2002-10-18 18:07 87751 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AirPort Base Station Agent]
2009-11-11 19:17 771360 ----a-w- c:\program files\AirPort\APAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2007-02-07 01:00 344064 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ibmmessages]
2003-01-07 21:52 495616 ----a-w- c:\program files\IBM\Messages By IBM\ibmmessages.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2007-08-23 21:36 455968 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
2001-10-12 05:32 69632 ----a-w- c:\windows\system32\S3Tray2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 09:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
2003-07-31 22:25 110592 ----a-w- c:\program files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
2002-09-04 08:05 53248 ----a-w- c:\windows\system32\TP4EX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2003-08-07 22:57 94208 ----a-w- c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPKMAPHELPER]
2003-08-08 22:39 897024 ----a-w- c:\program files\ThinkPad\Utilities\TpKmapAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"TpKmpSVC"=2 (0x2)
"QCONSVC"=2 (0x2)
"iPod Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"LightScribeService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Support.com\\Bin\\tgcmd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Airfoil\\Airfoil.exe"=
"c:\\Program Files\\Airfoil\\AirfoilSpeakers.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/16/2009 9:19 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2/19/2009 9:17 PM 114768]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [8/26/2008 5:21 PM 15360]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/19/2009 9:17 PM 20560]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/24/2009 1:26 PM 135664]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 9:19 AM 1181328]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:20]

2010-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-12-01 c:\windows\Tasks\BMMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2008-08-26 08:32]

2010-05-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 17:26]

2010-05-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-24 17:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {AF23B3EC-8C2C-4425-93AE-587CE18955DD} - hxxp://www.servision.net/SVClientSDK/SVClientSDK.CAB
DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} - hxxp://racing.youbet.com/wr_9_3/controls/YBUICtrl.cab
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jvcjfccl.default\
FF - plugin: c:\documents and settings\user\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\jvcjfccl.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - plugin: c:\program files\Musicnotes\NPSibelius.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr
ef", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-aepwywwv - c:\documents and settings\user\Local Settings\Application Data\xtwpogtib\caeeayytssd.exe
HKLM-Run-UC_SMB - (no file)
HKLM-Run-aepwywwv - c:\documents and settings\user\Local Settings\Application Data\xtwpogtib\caeeayytssd.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-25 20:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-25 20:28:59
ComboFix-quarantined-files.txt 2010-05-26 00:28

Pre-Run: 20,414,455,808 bytes free
Post-Run: 20,546,129,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /noguiboot

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
- - End Of File - - 70277A84F5ADD19FF7706218806E22A3
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP