combofix log


Jamaspad

ComboFix 09-09-13.04 - Jason 09/13/2009 21:07.1.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.618 [GMT -4:00]

Running from: c:\documents and settings\Jason\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

--------

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))

.

2009-09-13 23:53 . 2009-09-13 23:53 -------- d-----w- c:\windows\McAfee.com

2009-09-13 23:41 . 2009-09-14 01:07 -------- d--h--w- c:\windows\PIF

2009-09-13 23:11 . 2009-09-13 23:11 -------- d-----w- c:\program files\Trend Micro

2009-09-13 23:00 . 2009-09-13 23:00 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE

2009-09-13 22:58 . 2009-09-13 22:58 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-09-13 22:28 . 2009-09-13 22:28 -------- d-----w- c:\documents and settings\Jason\Application Data\Malwarebytes

2009-09-13 22:28 . 2009-09-13 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-13 22:28 . 2009-09-14 00:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-13 21:53 . 2009-09-13 21:53 -------- d-----w- c:\documents and settings\All Users\AVP 2009

2009-09-13 18:44 . 2009-07-08 17:44 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-09-13 18:44 . 2009-07-08 17:44 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-09-13 18:44 . 2009-07-08 17:44 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-09-13 18:44 . 2009-07-16 16:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2009-09-13 18:43 . 2009-09-13 18:44 -------- d-----w- c:\program files\Common Files\McAfee

2009-09-13 18:43 . 2009-09-13 18:43 -------- d-----w- c:\program files\McAfee.com

2009-09-13 18:43 . 2009-09-14 00:50 -------- d-----w- c:\program files\McAfee

2009-09-13 18:41 . 2009-07-08 17:43 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-13 18:01 . 2009-09-13 18:01 -------- d-----w- c:\documents and settings\Jason\Application Data\CallingID

2009-09-13 18:00 . 2009-09-13 18:00 -------- d-----w- c:\program files\CA

2009-09-13 18:00 . 2009-09-13 18:00 -------- d-----w- c:\windows\Downloaded Installations

2009-09-13 18:00 . 2009-09-13 18:31 -------- d-----w- c:\documents and settings\Jason\Application Data\comcasttb

2009-09-13 18:00 . 2009-09-13 18:01 -------- d-----w- c:\program files\comcasttb

2009-09-12 01:11 . 2009-09-13 18:01 -------- d-----w- c:\documents and settings\Jason\Application Data\Move Networks

2009-09-10 20:54 . 2009-09-10 20:54 -------- d-----w- c:\documents and settings\Jason\Application Data\Turbine

2009-09-10 20:54 . 2009-09-10 20:54 128 ----a-w- c:\documents and settings\Jason\Local Settings\Application Data\fusioncache.dat

2009-09-10 20:54 . 2009-09-10 20:54 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Turbine

2009-09-10 20:53 . 2005-05-26 19:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll

2009-09-10 20:53 . 2009-09-13 18:46 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\ApplicationHistory

2009-09-10 20:50 . 2009-09-10 20:50 -------- d-----w- c:\windows\system32\URTTEMP

2009-09-10 20:29 . 2009-09-10 20:29 -------- d-----w- c:\program files\Turbine

2009-09-10 02:53 . 2009-09-10 20:23 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\PMB Files

2009-09-10 02:53 . 2009-09-10 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-09-10 02:52 . 2009-09-10 02:52 -------- d-----w- c:\program files\Pando Networks

2009-09-09 20:14 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

2009-08-23 23:28 . 2009-08-24 00:05 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Canon Easy-PhotoPrint EX

2009-08-21 03:14 . 2009-08-21 03:14 -------- d-----w- c:\documents and settings\Jason\Application Data\Apple Computer

2009-08-21 03:07 . 2009-08-21 03:07 -------- d-----w- c:\program files\QuickTime

2009-08-21 03:07 . 2009-08-21 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2009-08-21 03:06 . 2009-08-21 03:06 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Apple

2009-08-21 03:06 . 2009-08-21 03:06 -------- d-----w- c:\program files\Apple Software Update

2009-08-21 03:06 . 2009-08-21 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-08-21 03:06 . 2009-08-21 03:06 -------- d-----w- c:\documents and settings\Jason\Local Settings\Application Data\Apple Computer

2009-08-19 20:44 . 2009-08-19 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-14 00:10 . 2009-05-21 03:43 -------- d-----w- c:\program files\Lavasoft

2009-09-14 00:10 . 2009-05-21 03:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-09-13 20:17 . 2008-08-26 22:25 -------- d-----w- c:\documents and settings\Jason\Application Data\U3

2009-09-13 18:47 . 2008-08-24 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-09-10 20:25 . 2008-08-24 14:52 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 20:14 . 2008-08-24 20:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-09-04 19:02 . 2009-05-30 01:03 -------- d-----w- c:\program files\Privacy Guardian

2009-09-01 00:23 . 2008-08-24 15:42 -------- d-----w- c:\program files\World of Warcraft

2009-08-30 16:30 . 2009-05-17 22:53 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM

2009-08-18 00:47 . 2009-04-15 00:48 -------- d-----w- c:\program files\Java

2009-08-07 20:16 . 2008-08-26 14:50 -------- d-----w- c:\program files\Google

2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-25 09:23 . 2009-04-10 00:11 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-08 17:44 . 2009-07-08 17:44 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-25 08:25 . 2004-08-04 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-04 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-04 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-04 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2004-08-04 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-04 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 11:18 . 2004-08-04 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2002-09-11 14:26 . 2008-08-24 03:02 63730 -c--a-w- c:\program files\viewsonicinstruct_xp.pdf

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"ComcastAntispyClient"="c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe" [2009-08-19 1589208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-10-26 652624]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth II\\game.dat"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\Turbine\\DDO Unlimited\\dndclient.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"59134:TCP"= 59134:TCP:Pando Media Booster

"59134:UDP"= 59134:UDP:Pando Media Booster

R2 AntiSpywareService;Comcast AntiSpyware;c:\program files\comcasttb\ComcastSpywareScan\ComcastAntiSpyService.exe [6/17/2009 1:49 PM 616408]

S2 0300671252889445mcinstcleanup;McAfee Application Installer Cleanup (0300671252889445);c:\windows\TEMP\030067~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\030067~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

S2 gupdate1c987ea9fa65086;Google Update Service (gupdate1c987ea9fa65086);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 7:36 PM 133104]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/23/2008 6:58 PM 33752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0300671252889445MCINSTCLEANUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 23:36]

2009-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 23:36]

2009-09-13 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-13 01:26]

2009-09-13 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-09-13 01:26]

2009-09-13 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKCU-Run-AntiMalware_ProNET - c:\program files\AntiMalware_Pro\AntiMalware_Pro.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-13 21:17

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)

c:\program files\CA\PPRT\bin\CACheck.dll

c:\program files\CA\PPRT\bin\CAHook.dll

c:\program files\CA\PPRT\bin\CAServer.dll

- - - - - - - > 'explorer.exe'(3900)

c:\windows\system32\WININET.dll

c:\program files\CA\PPRT\bin\CACheck.dll

c:\program files\CA\PPRT\bin\CAHook.dll

c:\program files\CA\PPRT\bin\CAServer.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Canon\IJPLM\ijplmsvc.exe

c:\program files\CA\PPRT\bin\ITMRTSVC.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe

c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe

c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe

c:\program files\McAfee\MPF\MpfSrv.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\rundll32.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2009-09-14 21:19 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-14 01:19

Pre-Run: 272,058,556,416 bytes free

Post-Run: 272,660,172,800 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

229 --- E O F --- 2009-09-12 03:48
