
Combofix results can someone help me determine what happened



Been having a problem with being redirected to ad sites whenever I try to search the internet in both Firefox and Explorer.

Read through the logs in this forum and followed the instructions from one of the posts that sounded like my problem.

Ran ComboFix and it did find some rootkit activity; it restarted the machine, and the following is the log file that was created.

I want to make sure this wasn't a backdoor virus/trojan and that the security of this machine is harmed forever. I can wipe it all clean and restore the entire system but it would be nice to avoid that if possible.

Thanks for any help.

ComboFix 10-06-09.02 - WoolleyBear 06/10/2010 6:19.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.630 [GMT -4:00]

Running from: c:\documents and settings\WoolleyBear\My Documents\Downloads\ComboFix.exe

AV: PC Tools AntiVirus 6.1.0.25 *On-access scanning disabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}

FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Internet Explorer\SET4F.tmp

c:\program files\Internet Explorer\SET50.tmp

c:\program files\Internet Explorer\SET52.tmp

Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected

Restored copy from - Kitty had a snack :)

.

((((((((((((((((((((((((( Files Created from 2010-05-10 to 2010-06-10 )))))))))))))))))))))))))))))))

.

2010-06-10 02:47 . 2010-06-10 02:47 -------- d-----w- c:\program files\Trend Micro

2010-06-10 02:29 . 2010-06-10 02:29 -------- d-s---w- c:\documents and settings\WoolleyBear\UserData

2010-06-09 23:01 . 2010-06-09 23:01 -------- d-----w- c:\documents and settings\WoolleyBear\Application Data\Malwarebytes

2010-06-09 22:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-09 22:59 . 2010-06-09 22:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-06-09 22:57 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-09 22:57 . 2010-06-09 22:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-07 19:29 . 2010-06-07 19:29 -------- d-----w- c:\documents and settings\WoolleyBear\Application Data\Apple Computer

2010-06-07 19:25 . 2010-06-07 19:27 -------- d-----w- c:\program files\QuickTime

2010-06-07 19:25 . 2010-06-07 19:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-06-07 19:24 . 2010-06-07 19:24 -------- d-----w- c:\program files\Common Files\Apple

2010-06-07 19:24 . 2010-06-07 19:24 -------- d-----w- c:\documents and settings\WoolleyBear\Local Settings\Application Data\Apple

2010-06-07 19:24 . 2010-06-07 19:24 -------- d-----w- c:\program files\Apple Software Update

2010-06-07 19:24 . 2010-06-07 19:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2010-06-07 19:23 . 2010-06-07 19:23 -------- d-----w- c:\documents and settings\WoolleyBear\Local Settings\Application Data\Apple Computer

2010-05-29 09:24 . 2010-05-29 09:24 -------- d-----w- c:\documents and settings\WoolleyBear\Application Data\Foxit Software

2010-05-26 01:05 . 2010-05-26 01:05 -------- d-----w- c:\documents and settings\WoolleyBear\Application Data\Microsoft Games

2010-05-26 01:04 . 2010-06-06 04:01 -------- d-----w- c:\program files\GameSpy Arcade

2010-05-26 00:57 . 2010-05-26 00:57 -------- d-----w- c:\program files\Microsoft Games

2010-05-15 20:40 . 2010-05-15 20:40 579 ----a-w- c:\windows\eReg.dat

2010-05-15 12:48 . 2010-05-15 12:50 -------- d-----w- c:\program files\Maxis

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-10 10:18 . 2010-04-03 18:05 -------- d-----w- c:\program files\Common Files\Akamai

2010-06-10 10:08 . 2010-03-04 02:11 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-10 10:08 . 2010-03-04 02:25 -------- d-----w- c:\program files\PC Tools AntiVirus

2010-06-06 03:50 . 2010-03-09 22:51 251705 ----a-w- c:\documents and settings\WoolleyBear\Application Data\Sony Online Entertainment\npsoeact.dll

2010-06-06 03:50 . 2010-03-09 22:51 -------- d-----w- c:\documents and settings\WoolleyBear\Application Data\Sony Online Entertainment

2010-06-05 16:01 . 2010-03-12 15:56 -------- d-----w- c:\program files\History Channel Games

2010-05-26 09:20 . 2010-05-09 20:21 -------- d-----w- c:\program files\Zune

2010-05-15 15:08 . 2005-11-05 00:53 11376 ----a-w- c:\windows\system32\drivers\secdrv.sys

2010-05-15 12:50 . 2005-11-05 02:56 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-05-09 20:42 . 2010-05-09 20:42 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf

2010-05-09 20:42 . 2010-05-09 20:42 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf

2010-05-09 20:41 . 2010-05-09 20:41 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf

2010-05-09 20:24 . 2010-05-09 20:23 -------- d-----w- c:\documents and settings\WoolleyBear\Application Data\U3

2010-05-09 20:22 . 2010-05-09 20:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf

2010-05-09 20:22 . 2010-05-09 20:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

2010-04-28 11:26 . 2010-04-28 11:20 102262 ----a-w- c:\windows\hpoins05.dat

2010-04-28 11:24 . 2010-04-28 11:24 -------- d-----w- c:\program files\Common Files\Hewlett-Packard

2010-04-28 11:23 . 2010-04-28 11:22 -------- d-----w- c:\program files\HP

2010-04-18 14:57 . 2005-11-05 04:13 -------- d-----w- c:\program files\Yahoo!

2010-04-13 23:52 . 2010-03-04 02:50 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-04 12:30 . 2010-03-04 00:57 70448 ----a-w- c:\documents and settings\WoolleyBear\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-02 10:54 . 2010-04-02 10:54 18944 ----a-r- c:\documents and settings\WoolleyBear\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe

2010-04-02 10:54 . 2010-04-02 10:54 11264 ----a-r- c:\documents and settings\WoolleyBear\Application Data\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A1630.exe

2010-03-22 23:55 . 2010-03-22 23:55 503808 ----a-w- c:\documents and settings\WoolleyBear\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23ef574c-n\msvcp71.dll

2010-03-22 23:55 . 2010-03-22 23:55 499712 ----a-w- c:\documents and settings\WoolleyBear\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23ef574c-n\jmc.dll

2010-03-22 23:55 . 2010-03-22 23:55 348160 ----a-w- c:\documents and settings\WoolleyBear\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23ef574c-n\msvcr71.dll

2010-03-22 23:55 . 2010-03-22 23:55 61440 ----a-w- c:\documents and settings\WoolleyBear\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42fc4a7c-n\decora-sse.dll

2010-03-22 23:55 . 2010-03-22 23:55 12800 ----a-w- c:\documents and settings\WoolleyBear\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42fc4a7c-n\decora-d3d.dll

2010-03-22 23:54 . 2010-03-22 23:54 411368 ----a-w- c:\windows\system32\deploytk.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CFSServ.exe"="CFSServ.exe -NoClient" [X]

"RTHDCPL"="RTHDCPL.EXE" [2005-11-10 15473664]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 688218]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2005-11-25 352256]

"NDSTray.exe"="NDSTray.exe" [bU]

"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-10 73728]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-05-19 188416]

"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-01 122940]

"TFncKy"="TFncKy.exe" [bU]

"TPSMain"="TPSMain.exe" [2005-06-01 282624]

"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-07-15 1077322]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]

"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]

"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]

"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-04-16 1505168]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

c:\documents and settings\WoolleyBear\Start Menu\Programs\Startup\

Kuma_Tray.lnk - c:\program files\History Channel Games\kgsystray\Kuma_tray.exe [2010-3-12 33416]

c:\documents and settings\WoolleyBear\Start Menu\Programs\Startup\AutorunsDisabled

Kuma_Tray.lnk - c:\program files\History Channel Games\kgsystray\Kuma_tray.exe [2010-3-12 33416]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PCTAVSvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1082:TCP"= 1082:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [3/3/2010 10:11 PM 207792]

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [3/3/2010 10:11 PM 233136]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [11/4/2005 8:53 PM 14336]

R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [3/3/2010 10:11 PM 88040]

R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [3/3/2010 10:11 PM 70664]

R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [3/3/2010 10:11 PM 58816]

R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [3/3/2010 10:11 PM 115216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai REG_MULTI_SZ Akamai

.

Contents of the 'Scheduled Tasks' folder

2010-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

FF - ProfilePath - c:\documents and settings\WoolleyBear\Application Data\Mozilla\Firefox\Profiles\zcu3i4x0.default\

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-WudfPf

SafeBoot-WudfRd

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-10 06:27

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(952)

c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

.

Completion time: 2010-06-10 06:30:21

ComboFix-quarantined-files.txt 2010-06-10 10:30

Pre-Run: 12,882,255,872 bytes free

Post-Run: 12,979,466,240 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - AAF922BC80E7AA77E0A5DC5033D3B943


Hello,

You have another open "malware-removal" topic here --> http://forums.malwarebytes.org/index.php?s...showtopic=53449 "Log Files and DDS, GMER crashed"

and you did not make a reply to kahdah.

Tell me if you have resolved your issues already. (And please note that running a tool such as ComboFix without expert help is foolhardy, imprudent, and risky.)

Do you intend to reply to your other thread?

Do you still want help here? If the latter, please run a new (fresh) DDS run and reply with a copy of DDS.txt.

See the guide at --> http://www.malwarebytes.org/forums/index.php?showtopic=9573


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.