Combofix logs [Closed]


#1 Avantu (New Member, 3 posts)

Hello. I'm cleaning my uncle's PC. I just uninstalled some adware and stuff, but I want you to check out the ComboFix log. It isn't bad overall, I think; there are some files to delete IMO, but I have never analyzed any logs, so I want someone to check it :)


http://wklejto.pl/197090


#2 crooleeck (Member, 882 posts)
Hi Avantu, and welcome to GeekstoGo!
Hi!

I'm crooleeck and I'll try to help you. But first, please note that I'm not limitless: I'm not familiar with all software and I don't know everything. However, it has taken me years to learn what I know. I would be glad to help you.

The fight against malware is NOT instantaneous; most infections require several courses of action to completely eradicate. It's also time-consuming, so be patient! We all like to know the final result, so if you have since resolved the issues you were originally experiencing, or have received help elsewhere, please post.

Please be patient with me as I am currently in training, and all of my responses to you have to be reviewed by my instructor before I post them. Just keep in mind that you get the advantage as you have 2 people examining your issue.

Note:
  • Please watch this topic. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! Please save or print the following instructions.
  • Do exactly - step by step - what I wish for. Don't be afraid! If there's anything you don't understand, stop and ask!
  • Please don't run unsupervised tools or fix on your own without my direction - it can be dangerous.
  • You must reply within 3 days or your topic will be closed.
I'm checking your log, please be patient.

Please just copy and paste logs into topic.

#3 Avantu (Topic Starter, New Member, 3 posts)
ComboFix 14-04-05.01 - Rafał 2014-04-06  13:41:34.1.2 - x86
Microsoft Windows 7 Enterprise   6.1.7601.1.1250.48.1045.18.3071.2074 [GMT 2:00]
Uruchomiony z: c:\users\Rafa-\Downloads\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Utworzono nowy punkt przywracania
.
.
(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\DPINST.LOG
c:\windows\PFRO.log
c:\windows\system32\tmp1C28.tmp
c:\windows\system32\tmp1C29.tmp
c:\windows\system32\tmp6D43.tmp
c:\windows\system32\tmp6D44.tmp
.
Zainfekowana kopia c:\windows\system32\winlogon.exe została znaleziona. Problem naprawiono
Plik odzyskano z - c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.21756_none_722aca974c6fd463\winlogon.exe
.
.
(((((((((((((((((((((((((   Pliki utworzone od 2014-03-06 do 2014-04-06  )))))))))))))))))))))))))))))))
.
.
2014-04-06 11:26 . 2014-04-06 11:28     --------        d-----w-        C:\AdwCleaner
2014-04-06 11:08 . 2014-04-06 11:08     --------        d-----w-        c:\users\Rafał\AppData\Roaming\ProductData
2014-04-06 11:08 . 2014-04-06 11:21     --------        d-----w-        c:\programdata\IObit
2014-04-06 11:08 . 2014-04-06 11:08     --------        d-----w-        c:\programdata\ProductData
2014-04-06 11:08 . 2014-04-06 11:08     --------        d-----w-        c:\users\Rafał\AppData\Roaming\IObit
2014-04-06 11:08 . 2014-04-06 11:08     --------        d-----w-        c:\program files\IObit
.
.
.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-22 06:39 . 2014-02-22 06:40     64168   ----a-w-        c:\windows\system32\drivers\aswStm.sys
2014-02-22 06:39 . 2013-03-19 22:23     79720   ----a-w-        c:\windows\system32\drivers\aswRdr2.sys
2014-02-22 06:39 . 2013-03-19 22:23     180248  ----a-w-        c:\windows\system32\drivers\aswVmm.sys
2014-02-22 06:39 . 2013-03-19 22:23     49944   ----a-w-        c:\windows\system32\drivers\aswRvrt.sys
2014-02-22 06:39 . 2011-11-01 13:55     410784  ----a-w-        c:\windows\system32\drivers\aswSP.sys
2014-02-22 06:39 . 2011-11-01 13:55     775952  ----a-w-        c:\windows\system32\drivers\aswSnx.sys
2014-02-22 06:39 . 2011-11-01 13:55     67824   ----a-w-        c:\windows\system32\drivers\aswMonFlt.sys
2014-02-22 06:39 . 2011-11-01 13:55     43152   ----a-w-        c:\windows\avastSS.scr
2014-02-22 06:39 . 2011-11-01 13:55     270240  ----a-w-        c:\windows\system32\aswBoot.exe
2014-02-10 11:49 . 2014-02-10 11:49     163504  ----a-w-        c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10145.bin
2014-01-22 14:52 . 2011-11-01 13:55     56080   ----a-w-        c:\windows\system32\drivers\aswTdi.sys
2014-01-16 00:40 . 2014-01-16 00:40     487016  ----a-w-        C:\SecurityScanner.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-01-16 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
[-] 2011-10-23 . A451CB66DFA2DE7AA5E460FC1945A0BC . 2616320 . . [6.1.7600.16385] . . c:\windows\explorer.exe
[7] 2011-10-20 . 5BD9AAA6E29BB935BFE3B30408B86E6F . 2616320 . . [6.1.7601.21624] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21624_none_543adddcf1244385\explorer.exe
[7] 2011-10-20 . 0FB9C74046656D1579A64660AD67B746 . 2616320 . . [6.1.7601.21669] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[7] 2011-02-25 . 8B88EBBB05A0E56B7DCC708498C02B3E . 2616320 . . [6.1.7601.17567] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[7] 2010-11-20 . 40D777B7A95E00593EB1568C68514493 . 2616320 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
.
(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane  
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}]
2014-04-06 11:08        752960  ----a-w-        c:\program files\IObit\IObit Uninstaller\UninstallExplorer32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-02-22 06:39        259464  ----a-w-        c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"Sony PC Companion"="c:\program files\Sony\Sony PC Companion\PCCompanion.exe" [2013-10-31 449760]
"TunesNINJA"="c:\users\Rafał\AppData\Roaming\TunesNINJA\TunesNINJA.exe" [2013-09-08 512000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-04-19 18678376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-12 343168]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-04-03 3774312]
.
c:\users\Rafał\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TunesNINJA.lnk - c:\users\Rafał\AppData\Roaming\TunesNINJA\TunesNINJA.exe [2012-12-24 512000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
.
R2 LiveUpdateSvc;LiveUpdate;c:\program files\IObit\LiveUpdate\LiveUpdate.exe [2014-04-06 2153792]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-04-19 161384]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2012-01-31 13224]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 RTL8167;Sterownik Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
R3 Sony PC Companion;Sony PC Companion;c:\program files\Sony\Sony PC Companion\PCCService.exe [2013-02-04 155824]
R3 Synth3dVsc;Microsoft Virtual 3D Video Transport Driver;c:\windows\system32\drivers\Synth3dVsc.sys [2011-10-20 77184]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2010-11-20 25600]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;%TsUsbGD.DeviceDesc.Generic%;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 tsusbhub;Remote Deskotop USB Hub;c:\windows\system32\drivers\tsusbhub.sys [2010-11-20 112640]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Usługa Technologie aktywacji systemu Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2011-10-20 1343400]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2014-02-22 775952]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2014-02-22 410784]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-11-20 239168]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-10-12 176128]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-02-22 67824]
S3 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-02-22 64168]
S3 SiSGbeLH;Sterownik NDIS 6.0 urządzenia sieci Ethernet SiS191/SiS190;c:\windows\system32\DRIVERS\SiSGB6.sys [2009-07-13 48128]
.
.
--- Inne Usługi/Sterowniki w Pamięci ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation  REG_MULTI_SZ    SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
HPZ12   REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
HPService       REG_MULTI_SZ    HPSLPSVC
hpdevmgmt       REG_MULTI_SZ    hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-15 20:32        1150280 ----a-w-        c:\program files\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Zawartość folderu 'Zaplanowane zadania'
.
2014-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-18 17:25]
.
2014-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-10-18 17:25]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://metromsn.pl?pc=UP22&ocid=UP22DHP&dt=031913
mStart Page = hxxp://ciaomembri.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{C4D90BBA-E336-47ED-ABC8-05702EC78CD4}: NameServer = 192.168.0.1
FF - ProfilePath - c:\users\Rafał\AppData\Roaming\Mozilla\Firefox\Profiles\o6fi0u4r.default\
FF - prefs.js: browser.search.selectedEngine -
FF - ExtSQL: !HIDDEN! 2013-02-15 15:21; [email protected]; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
Toolbar-10 - (no file)
.
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\S-1-5-21-2461723962-208459755-1151488117-1000\Software\Microsoft\Internet Explorer\Approved Extensions]
@DACL=(02 0000)
"{C2D64FF7-0AB8-4263-89C9-EA3B0F8F050C}"=hex:51,66,7a,6c,4c,1d,3b,1b,e7,53,c0,
   dd,8e,5e,0e,0c,9c,c4,aa,7b,0d,cc,48,14
"{74322BF9-DF26-493F-B0DA-6D2FC5E6429E}"=hex:51,66,7a,6c,4c,1d,3b,1b,e9,37,24,
   6b,10,8b,52,07,a5,d7,2d,6f,c7,a5,0f,86
"{4D2D3B0F-69BE-477A-90F5-FDDB05357975}"=hex:51,66,7a,6c,4c,1d,3b,1b,1f,27,3b,
   52,88,3d,17,09,85,f8,bd,9b,07,76,34,6d
"{98889811-442D-49DD-99D7-DC866BE87DBC}"=hex:51,66,7a,6c,4c,1d,3b,1b,01,84,9e,
   87,1b,10,b0,07,8c,da,9c,c6,69,ab,30,a4
"{82E1477C-B154-48D3-9891-33D83C26BCD3}"=hex:51,66,7a,6c,4c,1d,3b,1b,6c,5b,f7,
   9d,62,e5,be,06,8d,9c,73,98,3e,65,f1,cb
"{0E8A89AD-95D7-40EB-8D9D-083EF7066A01}"=hex:51,66,7a,6c,4c,1d,3b,1b,bd,95,9c,
   11,e1,c1,86,0e,98,90,48,7e,f5,45,27,19
"{C1AF5FA5-852C-4C90-812E-A7F75E011D87}"=hex:51,66,7a,6c,4c,1d,3b,1b,b5,43,b9,
   de,1a,d1,fd,02,94,23,e7,b7,5c,42,50,9f
"{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"=hex:51,66,7a,6c,4c,1d,3b,1b,0e,1a,64,
   e2,e8,cb,20,06,b0,87,4b,eb,43,12,87,c0
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_224_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\atieclxx.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\users\Rafac:\program files\Skype\Phone\Skype.exe
c:\program files\Sony\Sony PC Companion\PCCompanionInfo.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\vssvc.exe
.
**************************************************************************
.
Czas ukończenia: 2014-04-06  13:59:29 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt  2014-04-06 11:59
.
Przed: 115 297 652 736 bajtów wolnych
Po: 120 558 796 800 bajtów wolnych
.
- - End Of File - - 01F81534E97AB40CDAFED1BB98BE45BA
A36C5E4F47E84449FF07ED3517B43A31

Edited by Avantu, 06 April 2014 - 08:40 AM.

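A triage helper for logs like the one posted above, added here as an example; it is not part of the thread and not ComboFix's own code. It pulls out the four things in this log a reviewer would act on first: the repaired winlogon.exe, the Sigcheck mismatch on user32.dll, the TunesNINJA autorun living in the user's AppData, and the UAC policy values set to 0. The sample lines are copied from the posted log; the English "Infected copy of" wording and the rule names are assumptions of mine.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted above. A real
# log is far longer; the rules below simply ignore lines they do not recognise.
SAMPLE_LOG = r"""
Zainfekowana kopia c:\windows\system32\winlogon.exe została znaleziona. Problem naprawiono
[-] 2012-01-16 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TunesNINJA"="c:\users\Rafał\AppData\Roaming\TunesNINJA\TunesNINJA.exe" [2013-09-08 512000]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2013-04-19 18678376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"""

# ComboFix prints this line in the language of the Windows install: the Polish
# wording is from the log above; the English form is assumed to be the default.
INFECTED_RE = re.compile(r"(?:Zainfekowana kopia|Infected copy of) (\S+)")
# Sigcheck rows: "[-]" marks a live system file whose MD5 differs from the
# reference copy ComboFix found in WinSxS (the "[7]" rows).
SIGCHECK_RE = re.compile(
    r"^\[-\] \d{4}-\d{2}-\d{2} \. (?P<md5>[0-9A-Fa-f]{32}) \. \d+ \. \. "
    r"\[[^\]]+\] \. \. (?P<path>.+)$")
# Registry value rows, either "Name"="data" [stamp] or "Name"= 0 (0x0).
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*"?([^"\[]+)"?')
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin"}  # must be non-zero for UAC


def triage_combofix(text):
    """Return (rule, detail) pairs for the lines a reviewer should act on first."""
    findings = []
    current_key = ""  # registry key whose values we are currently reading
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.search(line)
        if m:
            findings.append(("infected_system_file", m.group(1)))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            findings.append(("sigcheck_mismatch", m.group("path")))
            continue
        if line.startswith("[HKEY_") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        if current_key.endswith("\\run") and "\\appdata\\" in data.lower():
            findings.append(("autorun_from_user_profile", f"{name}: {data}"))
        elif current_key.endswith("policies\\system") and name in UAC_VALUES \
                and data.split()[0] == "0":
            findings.append(("uac_disabled", name))
    return findings
```

Run it over the full posted log (saved as a UTF-8 text file) and the same five findings come out; the helper's "backdoor" call in the next post rests on the first two of them.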

#4 crooleeck (Member, 882 posts)
You have a backdoor infection.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

That said, I can still help you clean out the malware as best as I can without going that route, so if you decide that you don't want to do a format and reinstall of Windows, please let me know in your next post.

#5 Avantu (Topic Starter, New Member, 3 posts)

OK, I will just do a regular format, no problem about that really. Can you recommend any anti-backdoor software to install after the format? My uncle sometimes installs/downloads really silly programs; he doesn't know a lot about computers, and he even installs adware/spyware when installing regular programs because he doesn't know about unchecking the unsafe options while doing it.



#6 crooleeck (Member, 882 posts)

OK, you should be interested in a free antivirus (install only one):


Please look for a firewall as well. In Windows Vista / 7 / 8 the built-in system firewall is very good, but you can also aim for the free Comodo Firewall.



#7 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.