not sure what to do about these - screenshot


robjamell
I am not sure what to do. My computer was locking and freezing. I ran Malwarebytes and am very appreciative that the computer now seems to stay running, however I cannot browse the web.

It seems that googletalk works, but none of my browsers work. I tried to read through this forum and tried stuff, but no luck. I ran winsockfix and no luck. I have downloaded combofix.exe and have posted the log below.

I also tried right clicking my lan connection and choosing "repair", but again, still cannot browse.

PLEASE HELP

ComboFix 10-11-16.05 - rob 11/17/2010 9:49.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2519 [GMT -5:00]

Running from: I:\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\rob\g2mdlhlpx.exe

c:\program files\Shared

.

((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))

.

2010-11-17 00:09 . 2010-11-17 12:57 -------- d-----w- c:\documents and settings\rob\Application Data\Udyt

2010-11-17 00:09 . 2010-11-17 01:01 -------- d-----w- c:\documents and settings\rob\Application Data\Caofa

2010-11-16 13:06 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-11-16 13:06 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-11-16 13:05 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-10-27 13:52 . 2010-10-27 13:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\McAfee

2010-10-26 13:31 . 2010-10-26 13:31 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee

2010-10-21 13:29 . 2010-10-21 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-02 22:44 . 2009-04-30 20:52 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2010-11-02 22:44 . 2009-04-30 20:52 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys

2010-10-08 15:10 . 2010-10-08 15:03 156928 ----a-w- c:\windows\system32\drivers\snapman.sys

2010-10-08 15:04 . 2010-10-08 15:04 902432 ----a-w- c:\windows\system32\drivers\tdrpm251.sys

2010-10-08 15:04 . 2009-03-12 05:05 570016 ----a-w- c:\windows\system32\drivers\timntr.sys

2010-09-18 17:23 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-04 10:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-04 10:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-04 10:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-09 22:39 . 2010-09-09 22:39 2826240 ----a-w- c:\windows\system32\GPhotos.scr

2010-09-01 11:51 . 2004-08-04 10:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-04 10:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-08-04 10:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-04 10:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2004-08-04 10:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-24 12:24 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-04 10:00 617472 ----a-w- c:\windows\system32\comctl32.dll

.

------- Sigcheck -------

[-] 2009-03-13 . 56F4867BAE6FD78E5365A3A7AFA59C82 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll

[7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-10-19 4355576]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-10-19 960640]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-10-19 377320]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-02 281768]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Chapura SyncManager.lnk - c:\program files\Chapura\Chapura SyncManager\SyncMgr.exe [2010-3-26 2185728]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk

backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2009-11-11 13:54 135664 ----atw- c:\documents and settings\rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

2008-06-09 15:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]

2010-06-01 14:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2008-03-25 19:33 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"McComponentHostService"=3 (0x3)

"LightScribeService"=2 (0x2)

"gusvc"=3 (0x3)

"Kodak Theatre Service"=3 (0x3)

"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime

"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u

"svchost"=c:\documents and settings\rob\Application Data\Microsoft\svchost.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Documents and Settings\\rob\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Documents and Settings\\rob\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\rob\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\Chapura\\Chapura SyncManager\\SyncMgr.exe"=

"c:\\Program Files\\Kodak\\Theatre HD Server\\bin\\hcavserver.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 tdrpman251;Acronis Try&Decide and Restore Points filter (build 251);c:\windows\system32\drivers\tdrpm251.sys [10/8/2010 10:04 AM 902432]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [4/30/2009 3:52 PM 135336]

S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [9/6/2007 2:30 PM 13824]

S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [10/12/2007 3:04 PM 99200]

S4 Kodak Theatre Service;Kodak Theatre Service;c:\program files\Kodak\Theatre HD Server\bin\hcavserver.exe -k runservice --> c:\program files\Kodak\Theatre HD Server\bin\hcavserver.exe -k runservice [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2008-06-09 15:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

2010-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-11-17 c:\windows\Tasks\GlaryInitialize.job

- c:\program files\Glary Utilities\initialize.exe [2010-06-08 02:55]

2010-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-448539723-839522115-1003Core.job

- c:\documents and settings\rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 13:54]

2010-11-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1482476501-448539723-839522115-1003UA.job

- c:\documents and settings\rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-11 13:54]

2010-11-17 c:\windows\Tasks\User_Feed_Synchronization-{C5146EA1-89AD-4CF1-B8C8-F6031FC697AE}.job

- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:50370

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

DPF: {4ED4AAA0-2CEC-4D84-AB72-74E53E092CFD} - hxxp://www.freehandmusic.com/update/biblionet.cab

DPF: {63F5866B-A7C5-40B4-9A89-0CCA99726C8D} - hxxps://secure.logmeinrescue.com/Customer/x86/RescueDownloader.cab

FF - ProfilePath - c:\documents and settings\rob\Application Data\Mozilla\Firefox\Profiles\ty021qmr.default\

FF - prefs.js: network.proxy.http - 127.0.0.1

FF - prefs.js: network.proxy.http_port - 50370

FF - prefs.js: network.proxy.type - 1

FF - plugin: c:\documents and settings\rob\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\rob\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll

FF - plugin: c:\documents and settings\rob\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\progra~1\SONYON~1\npsoe.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-17 09:59

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1482476501-448539723-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-11-17 10:01:39

ComboFix-quarantined-files.txt 2010-11-17 15:01

Pre-Run: 35,501,322,240 bytes free

Post-Run: 39,145,422,848 bytes free

- - End Of File - - CDACE83C71B9B2E8F0DB45F5756BE86F

What error message do you get when opening a browser? You commonly will have to clear the proxy settings in order to have access to the internet again.

For Internet Explorer, it is under Tools -> Internet Options. Click the Connections tab, then click on "LAN Settings". If you're not sure what your settings here should be, try unchecking all the boxes. This will work for most configurations.

For Firefox go to Tools -> Options. Click "Advanced", then click on the "Network" tab. Click the "Settings" button, and then select "No proxy".

It is a good idea to do this for Internet Explorer, even if you do not use it, because other browsers (such as Google Chrome) use the settings specified by your Internet Options as a basis for their own setup. Please be sure to check both locations, even if you normally only use Firefox.

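The reply above explains the symptom seen in the ComboFix log: both Internet Explorer (uInternet Settings,ProxyServer = http=127.0.0.1:50370) and Firefox (network.proxy.type 1, network.proxy.http 127.0.0.1, port 50370) were pointed at a local proxy, and once the process listening on that port was removed every browser lost connectivity. The following is an added example, not code from the thread or from ComboFix, that runs that check mechanically: it scans ComboFix-style log lines for a loopback proxy in either browser, for a system binary name living under a user profile directory (the run-disabled svchost.exe entry in this log), and for files ComboFix's Sigcheck marked with "[-]", then rewrites a Firefox prefs.js to force a direct connection. The sample lines are copied from this thread's log and embedded as a constructed input; the finding names and the regexes are my own assumptions about the log format.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines lifted from the ComboFix log posted in
# this thread (not a complete log), so the functions below run offline.
SAMPLE_LOG = """\
[-] 2009-03-13 . 56F4867BAE6FD78E5365A3A7AFA59C82 . 295424 . . [5.1.2600.5512] . . c:\\windows\\system32\\termsrv.dll
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run-disabled]
"UserFaultCheck"=%systemroot%\\system32\\dumprep 0 -u
"svchost"=c:\\documents and settings\\rob\\Application Data\\Microsoft\\svchost.exe
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:50370
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 1
"""

LOOPBACK = re.compile(r"(127\.\d+\.\d+\.\d+|localhost)", re.I)
# A Windows system binary name under a per-user profile path is a masquerade:
# real svchost.exe lives in system32, never under Application Data.
PROFILE_PATH = re.compile(
    r"\\documents and settings\\[^\\]+\\(application data|local settings)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
REG_VALUE = re.compile(r'"([^"]+)"\s*=\s*(.+)')
FF_PROXY = re.compile(r"FF - prefs\.js: (network\.proxy\.\S+) - (.+)")


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Return a list of findings, each {'kind': ..., 'evidence': ...}."""
    findings: List[Dict[str, str]] = []
    ff: Dict[str, str] = {}  # Firefox proxy prefs are spread over several lines
    for raw in log_text.splitlines():
        s = raw.strip()
        # IE proxy: the value is "http=host:port" or "host:port"
        if s.startswith("uInternet Settings,ProxyServer"):
            value = s.split("=", 1)[1].strip()
            if LOOPBACK.search(value):
                findings.append({"kind": "ie-loopback-proxy", "evidence": value})
            continue
        m = FF_PROXY.match(s)
        if m:
            ff[m.group(1)] = m.group(2).strip()
            continue
        # Sigcheck: ComboFix prefixes files it could not verify with "[-]";
        # the path is the last " . . "-separated field.
        if s.startswith("[-]"):
            findings.append({"kind": "sigcheck-unverified",
                             "evidence": s.split(" . . ")[-1]})
            continue
        m = REG_VALUE.match(s)
        if m and PROFILE_PATH.search(m.group(2)):
            exe = m.group(2).replace("/", "\\").split("\\")[-1].lower()
            if exe in SYSTEM_NAMES:
                findings.append({"kind": "system-name-in-profile",
                                 "evidence": m.group(2)})
    # Firefox only honours network.proxy.http when network.proxy.type is 1 (manual)
    if ff.get("network.proxy.type") == "1" and LOOPBACK.search(ff.get("network.proxy.http", "")):
        host = ff["network.proxy.http"]
        port = ff.get("network.proxy.http_port", "?")
        findings.append({"kind": "firefox-loopback-proxy", "evidence": f"{host}:{port}"})
    return findings


def clear_firefox_proxy(prefs_js: str) -> str:
    """Return prefs.js text with every network.proxy.* pref dropped and
    network.proxy.type forced to 0 ("No proxy"); other prefs are kept."""
    kept = [line for line in prefs_js.splitlines()
            if not re.match(r'\s*user_pref\("network\.proxy\.', line)]
    kept.append('user_pref("network.proxy.type", 0);')
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['kind']:26} {f['evidence']}")
```

Run it against a full ComboFix.txt by reading the file into `analyse()`. For Firefox the rewrite must be done with the browser closed, since Firefox rewrites prefs.js on exit; the equivalent manual step for Internet Explorer is setting ProxyEnable to 0 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, which is what unchecking the proxy box in LAN Settings does.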
Hi Rob,

If you use Citrix GoToMeeting, then this is probably the reason for your inability to connect remotely:

c:\documents and settings\rob\g2mdlhlpx.exe

You may also need this, although that is a less obvious conclusion to draw, so although I am going to restore it, please check its contents to confirm that it is indeed legit.

c:\program files\Shared

This is why Combofix's author specifically has a disclaimer advising you not to run it independently!

Do you know what these two directories, created today and reported in ComboFix, are:

((((((((((((((((((((((((( Files Created from 2010-10-17 to 2010-11-17 )))))))))))))))))))))))))))))))

.

2010-11-17 00:09 . 2010-11-17 12:57 -------- d-----w- c:\documents and settings\rob\Application Data\Udyt

2010-11-17 00:09 . 2010-11-17 01:01 -------- d-----w- c:\documents and settings\rob\Application Data\Caofa

I am going to restore the items Combofix deleted using a script.

1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt

3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

4. Close all open windows and browsers.

DeQuarantine::
c:\documents and settings\rob\g2mdlhlpx.exe
c:\program files\Shared

DirLook::
c:\documents and settings\rob\Application Data\Udyt
c:\documents and settings\rob\Application Data\Caofa
c:\program files\Shared

File::
c:\documents and settings\rob\Application Data\Microsoft\svchost.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will cause ComboFix to run again.

Please post back the log (C:\Combofix.txt) that opens when it finishes.

Also, post the MBAM log (not the new one, the one that you ran prior to your connection problems).

Hi Rob,

You have two topics going at once that are directly related (the same computer).

I have responded to your topic here:

http://forums.malwarebytes.org/index.php?s...mp;#entry346931

As I advised you in the other topic, you need to post the MBAM log:

After malwarebytes and combofix got rid of my problems, I can no longer log in remotely.
You can safely leave those detections alone for now because they are inactive threats that are locked away in your system restore data, but do not attempt to restore your system to an earlier date by performing a "System Restore". At the end of your clean-up we'll purge that data so those detections will no longer appear. For now, just post your new Combofix log so I can see where we go from here!
