
cyber security pro



I read a few of the other posts and went ahead and ran ComboFix. I am going to post the log in hopes that someone can read it and give me some direction. Thanks so much in advance for your help.

ComboFix 09-10-16.09 - Webber 10/17/2009 20:41.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.456 [GMT -5:00]

Running from: c:\documents and settings\Webber\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Webber\Application Data\inst.exe

c:\windows\COUPON~1.OCX

c:\windows\CouponPrinter.ocx

c:\windows\jestertb.dll

c:\windows\system32\lsp.dll

c:\windows\system32\PCLECoInst.dll

.

((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))

.

2009-10-17 23:29 . 2009-10-18 01:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-17 23:29 . 2009-10-17 23:38 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-17 19:22 . 2009-10-17 20:36 -------- d-----w- c:\documents and settings\Webber\Application Data\dvdcss

2009-10-17 19:20 . 2008-05-06 06:01 45056 ----a-w- c:\windows\system32\WNASPI32.DLL

2009-10-17 19:20 . 2008-05-06 06:01 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS

2009-10-17 18:14 . 2009-10-17 18:14 -------- d-----w- c:\documents and settings\Webber\Application Data\Malwarebytes

2009-10-17 18:14 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-17 18:14 . 2009-10-17 18:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-17 18:14 . 2009-10-17 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-17 18:14 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-17 14:27 . 2009-07-16 08:02 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-10-17 14:26 . 2009-10-17 14:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft

2009-10-17 14:26 . 2009-10-17 14:27 -------- d-----w- c:\documents and settings\Administrator

2009-10-17 14:26 . 2009-10-14 08:04 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft Help

2009-10-17 14:15 . 2009-10-17 14:49 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-17 14:01 . 2009-10-17 19:17 -------- d-----w- c:\program files\cibngd

2009-10-17 13:27 . 2009-10-17 19:43 -------- d-----w- c:\documents and settings\Webber\Application Data\Xilisoft Corporation

2009-10-14 08:04 . 2009-10-14 08:04 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-14 08:05 . 2009-01-18 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-10-09 02:19 . 2009-02-27 21:12 -------- d-----w- c:\documents and settings\Webber\Application Data\AdobeUM

2009-09-11 14:18 . 2008-04-14 05:42 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 21:03 . 2008-04-14 05:42 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-29 08:08 . 2008-04-14 05:42 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2008-04-14 05:42 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-26 02:02 . 2009-08-26 01:37 -------- d-----w- c:\documents and settings\Webber\Application Data\U3

2009-08-24 14:49 . 2009-01-18 16:16 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-24 14:49 . 2009-01-18 16:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-24 14:49 . 2009-01-18 16:16 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL

2009-08-07 00:24 . 2009-01-17 21:48 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 00:24 . 2009-01-17 21:48 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 00:24 . 2009-01-17 21:48 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 00:24 . 2008-10-16 20:09 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 00:24 . 2009-01-17 21:48 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-07 00:24 . 2008-04-14 05:41 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 00:23 . 2009-01-17 21:48 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 00:23 . 2009-01-19 00:13 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-07 00:23 . 2009-01-17 21:48 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-07 00:23 . 2008-10-16 20:07 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-05 09:01 . 2008-04-14 05:42 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 15:13 . 2008-04-14 00:54 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2008-04-14 00:01 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-07-31 02:48 . 2009-01-18 17:20 145032 ----a-w- c:\documents and settings\Webber\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

.

------- Sigcheck -------

[-] 2008-07-19 . 649B4101C35E996E1866037C28A5FD42 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogitechSoftwareUpdate"="f:\program files\ManifestEngine.exe" [2005-06-08 196608]

"AnyDVD"="f:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-01-19 2182080]

"RegClean Expert Scheduler"="f:\program files\Registry Clean Expert\RCHelper.exe" [2009-01-20 601848]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]

"ANT Agent"="c:\garmin\ANT Agent\ANT Agent.exe" [2008-09-02 8203352]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]

"AVG8_TRAY"="f:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-17 2025752]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-18 282624]

"GrooveMonitor"="f:\program files\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]

"LogitechVideoRepair"="f:\program files\ISStart.exe" [2005-06-08 458752]

"LogitechVideoTray"="f:\program files\LogiTray.exe" [2005-06-08 217088]

"CmFlywav"="c:\windows\system\CmFlywav.exe" [2006-05-19 176377]

"HostManager"="c:\program files\Common Files\AOL\1232421235\ee\AOLSoftware.exe" [2008-06-24 41824]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]

"OpwareSE4"="f:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"DiscWizardMonitor.exe"="f:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-25 1325848]

"AcronisTimounterMonitor"="f:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]

"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2009-06-22 364544]

c:\documents and settings\Webber\Start Menu\Programs\Startup\

Picaboo.lnk - c:\program files\Picaboo\Picaboo\PicabooMain.exe [2008-2-28 577536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - f:\program files\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-24 14:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"f:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"f:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"f:\\Program Files\\Office12\\OUTLOOK.EXE"=

"f:\\Program Files\\Office12\\GROOVE.EXE"=

"f:\\Program Files\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"f:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=

"f:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=

"f:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=

"f:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=

"f:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\aol\\1232421235\\ee\\aolsoftware.exe"=

"f:\\Program Files\\AOL 9.1\\waol.exe"=

"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=

"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=

"c:\\Garmin\\ANT Agent\\ANT Agent.exe"=

"f:\\Program Files\\1Click DVD Copy Pro\\1ClickDvdCopyPro.exe"=

"c:\\Program Files\\Picaboo\\Picaboo\\PicabooMain.exe"=

"f:\\downloads\\utorrent.exe"=

"f:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/18/2009 11:16 AM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/18/2009 11:16 AM 108552]

R2 avg8emc;AVG Free8 E-mail Scanner;f:\progra~1\AVG\AVG8\avgemc.exe [1/18/2009 11:16 AM 908056]

R2 avg8wd;AVG Free8 WatchDog;f:\progra~1\AVG\AVG8\avgwdsvc.exe [1/18/2009 11:16 AM 297752]

R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [6/24/2008 8:56 PM 431384]

R3 cmvad;Linksys Wireless-G Music Bridge Interface;c:\windows\system32\drivers\cmudaxv.sys [1/19/2009 8:53 PM 1364608]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

IE: E&xport to Microsoft Excel - f:\progra~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Webber\Application Data\Mozilla\Firefox\Profiles\bjs50d3x.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: f:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: f:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCLEUSBTip - c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe

HKLM-Run-USB2Check - c:\windows\system32\PCLECoInst.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-17 20:47

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(956)

c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(1184)

c:\windows\system32\WININET.dll

f:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll

f:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\aol\acs\AOLacsd.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\HPZipm12.exe

c:\program files\Cyberlink\Shared files\RichVideo.exe

c:\program files\Analog Devices\SoundMAX\SMAgent.exe

c:\windows\system32\wdfmgr.exe

f:\program files\AVG\AVG8\avgrsx.exe

f:\progra~1\AVG\AVG8\avgnsx.exe

f:\program files\AVG\AVG8\avgcsrvx.exe

f:\program files\FxSvr2.exe

c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

c:\windows\system\cmas2ds.exe

f:\program files\Digital Imaging\bin\hpqste08.exe

c:\program files\Linksys\WMB54G\WMB54G.exe

.

**************************************************************************

.

Completion time: 2009-10-18 20:49 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-18 01:49

Pre-Run: 37,030,445,056 bytes free

Post-Run: 37,011,169,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

213 --- E O F --- 2009-10-14 08:11


OK, like others here on the forum I jumped the gun. Here are my Malwarebytes logs: the first one that seemed to work and the one I just did this AM. It appears ComboFix might have worked, as I just did a search and for the first time my results are not ad companies.

Malwarebytes' Anti-Malware 1.41

Database version: 2976

Windows 5.1.2600 Service Pack 3

10/17/2009 2:15:24 PM

mbam-log-2009-10-17 (14-15-24).txt

Scan type: Quick Scan

Objects scanned: 106651

Time elapsed: 4 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System tool (Rogue.SysGuard) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System tool (Rogue.SysGuard) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\cibngd\tmrqsysguard.exe (Rogue.SysGuard) -> Delete on reboot.

C:\WINDOWS\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.41

Database version: 2977

Windows 5.1.2600 Service Pack 3

10/18/2009 8:35:21 AM

mbam-log-2009-10-18 (08-35-21).txt

Scan type: Quick Scan

Objects scanned: 105117

Time elapsed: 3 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Thanks again for anyone that will look over my post and let me know what is going on.


Autorun was disabled by ComboFix; you can view your camera card or USB sticks via the My Computer folder.

Uninstall ComboFix. To do so, go to Start, Run (provided it is still on the desktop) and type in

combofix /u

and press Enter. The space is needed between the x and the /. If you no longer have it, re-download it to your desktop and do that Run command.

Think Prevention: Put in place a good hosts file

http://www.mvps.org/winhelp2002/hosts.htm

Repeat that process about once or even twice a month.

How did that go?
