combo fix log


thndrballl

Have the quick scan here:

GMER 1.0.15.15077 [1fweccny.exe] - http://www.gmer.net

Rootkit quick scan 2009-09-10 03:27:56

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

Code 833F8648 ZwEnumerateKey

Code 833FB080 ZwFlushInstructionCache

Code 835B32BE ZwSaveKey

Code 839224AE ZwSaveKeyEx

Code 837BBEFE IofCallDriver

Code 837BC1FE IofCompleteRequest

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 5475d5a1.sys

Device \Driver\Tcpip \Device\Ip 5475d5a1.sys

Device \Driver\Tcpip \Device\Tcp 5475d5a1.sys

Device \Driver\Tcpip \Device\Udp 5475d5a1.sys

Device \Driver\Tcpip \Device\RawIp 5475d5a1.sys

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\5475d5a1.sys (*** hidden *** ) [SYSTEM] 5475d5a1 <-- ROOTKIT !!!

Service C:\WINDOWS\System32\drivers\76512ce1.sys (*** hidden *** ) [SYSTEM] 76512ce1 <-- ROOTKIT !!!

Service C:\WINDOWS\System32\drivers\c245afe5.sys (*** hidden *** ) [SYSTEM] c245afe5 <-- ROOTKIT !!!

Service C:\WINDOWS\System32\drivers\d71f6c18.sys (*** hidden *** ) [SYSTEM] d71f6c18 <-- ROOTKIT !!!

Service C:\WINDOWS\system32\drivers\geyekrftjlkixd.sys (*** hidden *** ) [SYSTEM] geyekrmttprqrm <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----


  • Staff

Hi and welcome to Malwarebytes.

Run GMER again; right-click these entries and click Kill File:

Service C:\WINDOWS\System32\drivers\5475d5a1.sys (*** hidden *** ) [SYSTEM] 5475d5a1 <-- ROOTKIT !!!

Service C:\WINDOWS\System32\drivers\76512ce1.sys (*** hidden *** ) [SYSTEM] 76512ce1 <-- ROOTKIT !!!

Service C:\WINDOWS\System32\drivers\c245afe5.sys (*** hidden *** ) [SYSTEM] c245afe5 <-- ROOTKIT !!!

Service C:\WINDOWS\System32\drivers\d71f6c18.sys (*** hidden *** ) [SYSTEM] d71f6c18 <-- ROOTKIT !!!

Service C:\WINDOWS\system32\drivers\geyekrftjlkixd.sys (*** hidden *** ) [SYSTEM] geyekrmttprqrm <-- ROOTKIT !!!

Accept any prompts.

After that, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


ComboFix 09-09-09.04 - matt 09/10/2009 21:07.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.530 [GMT -4:00]

Running from: c:\documents and settings\matt\Desktop\blabla.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\afesi.sys

c:\documents and settings\All Users\Application Data\akuf.scr

c:\documents and settings\All Users\Application Data\atubixat.pif

c:\documents and settings\All Users\Application Data\ijokysavo.bat

c:\documents and settings\All Users\Application Data\ixeh.com

c:\documents and settings\All Users\Application Data\lihuqofag.reg

c:\documents and settings\All Users\Application Data\mipetib._sy

c:\documents and settings\All Users\Application Data\nagigege.com

c:\documents and settings\All Users\Application Data\odecaryjo.lib

c:\documents and settings\All Users\Application Data\oryz._dl

c:\documents and settings\All Users\Application Data\poqywoz.inf

c:\documents and settings\All Users\Application Data\rudikojib.vbs

c:\documents and settings\All Users\Application Data\yxuty._sy

c:\documents and settings\All Users\Documents\sepoguc.pif

c:\documents and settings\matt\Application Data\nekumo.vbs

c:\documents and settings\matt\Application Data\osybyguzyg.exe

c:\documents and settings\matt\Application Data\ytelaw.dll

c:\documents and settings\matt\Application Data\ytuq.inf

c:\documents and settings\matt\Local Settings\Application Data\axusexag.bin

c:\documents and settings\matt\Local Settings\Application Data\jyzezipoxy.bin

c:\documents and settings\matt\Local Settings\Application Data\qujahycy.reg

c:\documents and settings\matt\Local Settings\Application Data\ymydigiby._dl

c:\documents and settings\matt\Local Settings\Application Data\ysora.dl

c:\program files\Common Files\abelewu.inf

c:\program files\Common Files\egudic.dll

c:\program files\Common Files\otazih.pif

c:\program files\Common Files\ubitipy.exe

c:\program files\Common Files\vesehoxyn.dll

c:\program files\WinPCap

c:\program files\WinPCap\rpcapd.exe

c:\windows\braviax.exe

c:\windows\cru629.dat

c:\windows\mixis.bin

c:\windows\ovovy.inf

c:\windows\sizek.ban

c:\windows\system32\_scui.cpl

c:\windows\system32\braviax.exe

c:\windows\system32\cru629.dat

c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\geyekrftjlkixd.sys

c:\windows\system32\drivers\npf.sys

c:\windows\system32\duky.reg

c:\windows\system32\geyekrbvpoptnw.dat

c:\windows\system32\geyekrdkmxewip.dat

c:\windows\system32\geyekrimdwbxtm.dll

c:\windows\system32\geyekritqmtoqo.dat

c:\windows\system32\geyekrkebwwhxf.dll

c:\windows\system32\geyekrkypuxnbm.dll

c:\windows\system32\geyekrlqpportf.dll

c:\windows\system32\geyekrnqvribab.dat

c:\windows\system32\geyekrosvnsvxt.dll

c:\windows\system32\geyekrthxfyapp.dat

c:\windows\system32\geyekrtitnwbut.dat

c:\windows\system32\geyekryunvsaax.dll

c:\windows\system32\geyekryymxrxio.dll

c:\windows\system32\geyekryyvxokos.dll

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\ruxywy.ban

c:\windows\system32\WanPacket.dll

c:\windows\system32\wisdstr.exe

c:\windows\system32\wpcap.dll

c:\windows\wynodumub.vbs

c:\windows\ybotenym.inf

c:\windows\yqyxupo.reg

c:\windows\yryrij.pif

c:\windows\system32\drivers\beep.sys . . . is infected!!

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_geyekrmttprqrm

-------\Legacy_geyekrmttprqrm

-------\Legacy_npf

-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ed}

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2009-08-11 to 2009-09-11 )))))))))))))))))))))))))))))))

.

2009-09-11 01:13 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-09-11 01:13 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-09-10 07:09 . 2009-09-10 07:09 0 ----a-w- c:\documents and settings\matt\settings.dat

2009-09-10 06:07 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 06:07 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 05:27 . 2009-09-10 06:07 -------- d-----w- c:\program files\pow

2009-09-10 05:24 . 2009-09-10 05:27 -------- d-----w- c:\windows\system32\NtmsData

2009-09-10 05:03 . 2009-09-10 05:03 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-09-10 04:50 . 2009-09-10 04:50 -------- d-----w- c:\documents and settings\matt\Application Data\SUPERAntiSpyware.com

2009-09-06 07:18 . 2009-09-10 05:21 -------- d-----w- c:\program files\box1

2009-09-06 05:22 . 2009-09-06 05:22 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-05 18:15 . 2009-09-05 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\nol

2009-09-05 18:01 . 2009-09-05 18:01 19519 ----a-w- c:\windows\system32\yjizanutu.dat

2009-09-05 18:01 . 2009-09-05 18:01 14419 ----a-w- c:\windows\jovoro.dat

2009-09-05 17:57 . 2009-09-05 17:57 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2009-08-28 13:04 . 2009-09-10 13:17 47744 ----a-w- c:\windows\system32\drivers\5475d5a1.sys

2009-08-28 12:49 . 2009-08-28 12:49 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2009-08-28 01:20 . 2009-09-10 13:17 47744 ----a-w- c:\windows\system32\drivers\c245afe5.sys

2009-08-27 17:55 . 2009-08-27 17:55 -------- d-----w- c:\documents and settings\matt\Local Settings\Application Data\{53AD7295-BA90-4615-A336-FB9CE4E479CB}

2009-08-27 17:51 . 2009-09-10 13:17 47744 ----a-w- c:\windows\system32\drivers\d71f6c18.sys

2009-08-24 12:13 . 2009-09-10 13:17 81920 ----a-w- c:\windows\system32\drivers\76512ce1.sys

2009-08-19 13:45 . 2009-08-19 18:38 -------- d-----w- c:\program files\Common Files\DivX Shared

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-11 01:00 . 2004-08-03 21:56 56320 ----a-w- c:\windows\system32\eventlog.dll

2009-09-10 13:22 . 2008-12-20 23:59 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-10 06:17 . 2008-12-20 23:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-10 04:12 . 2008-12-20 23:45 -------- d-----w- c:\program files\AVG8

2009-09-06 07:11 . 2009-05-18 22:44 -------- d-----w- c:\program files\Microsoft Money 2005

2009-09-06 03:36 . 2008-12-20 23:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-09-06 03:36 . 2008-12-20 23:45 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-09-06 03:36 . 2008-12-20 23:45 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-09-05 23:57 . 2008-12-20 23:55 -------- d-----w- c:\program files\Yahoo!

2009-09-05 23:57 . 2008-12-22 01:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-09-05 23:56 . 2009-05-04 22:37 -------- d-----w- c:\program files\EA Games

2009-09-05 23:38 . 2009-04-06 02:01 -------- d-----w- c:\documents and settings\matt\Application Data\Move Networks

2009-08-28 16:37 . 2009-04-05 20:19 -------- d-----w- c:\program files\Lavasoft

2009-08-23 06:51 . 2008-12-21 00:00 -------- d-----w- c:\documents and settings\matt\Application Data\uTorrent

2009-08-20 10:15 . 2008-12-26 19:57 -------- d-----w- c:\documents and settings\matt\Application Data\DivX

2009-08-19 18:39 . 2008-12-26 19:54 -------- d-----w- c:\program files\DivX

2009-08-13 09:12 . 2008-12-20 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-03 04:49 . 2009-08-03 04:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

2009-04-25 13:15 . 2009-04-25 13:15 2098 --sh--w- c:\windows\system32\huwokiyu.exe

2009-04-25 13:15 . 2009-04-25 13:15 2098 --sh--w- c:\windows\system32\midepoba.dll

2009-04-25 13:14 . 2009-04-25 13:14 121 --sh--w- c:\windows\system32\uyilazev.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-07-21 7110656]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-07-21 86016]

"D-Link Wireless G WDA-1320"="c:\program files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2007-08-29 1662976]

"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]

"AVG8_TRAY"="c:\progra~1\AVG8\avgtray.exe" [2009-09-06 2007832]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-02-09 65024]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-07-21 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2008-12-20 565248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-06 03:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG8\\avgupd.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"19707:TCP"= 19707:TCP:utorrent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/20/2008 7:11 PM 77312]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/20/2008 7:45 PM 335240]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG8\avgwdsvc.exe [12/20/2008 7:45 PM 297752]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [12/20/2008 7:18 PM 547744]

R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [12/20/2008 7:18 PM 57376]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S1 saskutil;SASKUTIL;\??\c:\program files\box1\SASKUTIL.sys --> c:\program files\box1\SASKUTIL.sys [?]

S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\Wireless G WDA-1320\JSWUtil\jswpsapi.exe [12/20/2008 7:18 PM 352338]

S4 5475d5a1;5475d5a1;c:\windows\system32\drivers\5475d5a1.sys [8/28/2009 9:04 AM 47744]

S4 76512ce1;76512ce1;c:\windows\system32\drivers\76512ce1.sys [8/24/2009 8:13 AM 81920]

S4 c245afe5;c245afe5;c:\windows\system32\drivers\c245afe5.sys [8/27/2009 9:20 PM 47744]

S4 d71f6c18;d71f6c18;c:\windows\system32\drivers\d71f6c18.sys [8/27/2009 1:51 PM 47744]

.

Contents of the 'Scheduled Tasks' folder

2009-09-11 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-27 02:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\matt\Application Data\Mozilla\Firefox\Profiles\prtky5g3.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - HiddenExtension: XUL Cache: {53AD7295-BA90-4615-A336-FB9CE4E479CB} - c:\documents and settings\matt\Local Settings\Application Data\{53AD7295-BA90-4615-A336-FB9CE4E479CB}\

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-10 21:15

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\AVG8\avgrsx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-09-11 21:17 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-11 01:17

Pre-Run: 217,718,456,320 bytes free

Post-Run: 217,715,871,744 bytes free

226 --- E O F --- 2009-06-11 13:05
