Thread: Can someone check my log??

  1. #1
    Junior Member
    Join Date
    Nov 2008
    Posts
    2

    Can someone check my log??

    Hi. I'm a newbie at this. I had some malware on my computer and I'm hoping I got rid of it. I have a logfile from ComboFix from minutes ago. Here it is.


    ComboFix 08-11-01.01 - Candice 2008-11-01 18:57:31.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.174 [GMT -5:00]
    Running from: C:\Documents and Settings\Candice\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Candice\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\dllcache\figaro.sys
    C:\WINDOWS\system32\TDSSosvd.dat

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
    .

    2008-11-01 18:36 . 2008-11-01 18:36 3,788 --a------ C:\WINDOWS\system32\EPPICResdb0000
    2008-11-01 18:36 . 2008-11-01 18:36 115 --a------ C:\WINDOWS\system32\EPPICResdb
    2008-11-01 16:07 . 2008-11-01 17:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-11-01 16:06 . 2008-11-01 16:10 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-11-01 15:55 . 2008-11-01 15:55 <DIR> d-------- C:\Documents and Settings\Candice\Application Data\Malwarebytes
    2008-10-31 23:50 . 2008-10-31 23:50 <DIR> d-------- C:\WINDOWS\Sun
    2008-10-31 23:49 . 2008-10-31 23:48 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
    2008-10-31 23:49 . 2008-10-31 23:48 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-10-31 23:48 . 2008-10-31 23:48 <DIR> d-------- C:\Program Files\Java
    2008-10-31 23:26 . 2008-10-31 23:26 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-31 22:20 . 2008-10-31 22:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-31 22:20 . 2008-10-31 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-31 22:20 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-31 22:20 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-31 22:10 . 2008-10-31 22:10 137 --a------ C:\WINDOWS\system32\MRT.INI
    2008-10-31 22:04 . 2001-08-18 07:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
    2008-10-24 16:04 . 2008-10-24 16:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-10-05 16:34 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-10-04 17:23 . 2008-10-04 17:23 <DIR> d-------- C:\Documents and Settings\Candice\Application Data\acccore
    2008-10-04 17:18 . 2008-10-04 17:18 <DIR> d-------- C:\Documents and Settings\Candice\Application Data\Viewpoint
    2008-10-04 17:18 . 2008-10-04 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
    2008-10-04 17:18 . 2008-10-04 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
    2008-10-04 17:18 . 2008-10-04 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
    2008-10-04 17:17 . 2008-10-04 17:17 <DIR> d-------- C:\Program Files\Common Files\AOL
    2008-10-04 17:16 . 2008-10-04 17:18 <DIR> d-------- C:\Program Files\AIM6
    2008-10-04 17:16 . 2008-10-04 17:19 365 --ah----- C:\IPH.PH

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-02 00:00 --------- d-----w C:\Program Files\Eraser
    2008-11-01 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-11-01 04:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-01 02:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-10-24 21:06 --------- d-----w C:\Program Files\Lavasoft
    2008-10-24 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-18 00:42 --------- d-----w C:\Program Files\Audacity
    2008-10-04 22:18 --------- d-----w C:\Program Files\Viewpoint
    2008-10-04 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-09-06 05:12 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
    2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "Eraser"="C:\Program Files\Eraser\eraser.exe" [2002-04-12 487424]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-08-15 28672]
    "WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2001-09-26 131072]
    "Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
    "Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
    "srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 36864]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-01-23 77824]
    "EPSON Stylus CX4600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-31 136600]
    "Smapp"="Smtray.exe" [2001-05-31 C:\WINDOWS\system32\SMTray.exe]
    "S3TRAY2"="S3tray2.exe" [2001-10-12 C:\WINDOWS\system32\S3tray2.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 24633]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.SP54"= SP5X_32.DLL
    "VIDC.SP55"= SP5X_32.DLL
    "VIDC.SP56"= SP5X_32.DLL
    "VIDC.SP57"= SP5X_32.DLL
    "VIDC.SP58"= SP5X_32.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\AIM6\\aim6.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-06 97928]
    R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-06 875288]
    R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-06 231704]
    R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 76040]
    R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-31 152984]
    R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 86016]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
    R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 112574]
    S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS [ ]
    S3 5lfav;Mustek MDC 3500 WDM Video Capture;C:\WINDOWS\system32\Drivers\5lfav.sys [ ]
    S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-05-10 89371]
    S3 USBCamera;Mustek MDC 3500 Still Image Capture;C:\WINDOWS\system32\Drivers\Bulk5lf.sys [ ]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-01 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    - C:\PROGRA~1\NORTON~1\NAVW32.exe []

    2002-01-12 C:\WINDOWS\Tasks\Registration reminder 1.job
    - C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 01:56]

    2002-01-12 C:\WINDOWS\Tasks\Registration reminder 2.job
    - C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 01:56]

    2002-01-12 C:\WINDOWS\Tasks\Registration reminder 3.job
    - C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 01:56]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-MoneyStartUp - c:\Program Files\Microsoft Money\System\Money Startup.exe
    HKLM-Run-AdaptecDirectCD - C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    HKLM-Run-WorksFUD - (no file)
    HKLM-RunServices-Windows DNS Daemon - windnsd.exe
    HKU-Default-RunOnce-Windows DNS Daemon - windnsd.exe
    ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll
    MSConfigStartUp-iamapp - C:\Program Files\Norton Internet Security\IAMAPP.EXE


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Candice\Application Data\Mozilla\Firefox\Profiles\3a4nr5pz.default\
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-01 19:04:17
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\WINDOWS\TEMP\be41527e-5186-4b81-bc27-fde75633133e.tmp 0 bytes
    C:\WINDOWS\TEMP\d1e83ab3-6b88-47a7-a93d-e33dbb4f5d07.tmp 0 bytes
    C:\WINDOWS\TEMP\e09869f5-84b0-46d5-b106-7c2b18d8b1c4.tmp

    scan completed successfully
    hidden files: 3

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\explorer.exe
    -> C:\Program Files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\scardsvr.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe
    C:\Compaq\CPQInet\CPQInet.exe
    C:\Compaq\EAKDRV\EAUSBKBD.exe
    C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe
    C:\WINDOWS\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-01 19:13:22 - machine was rebooted [Candice]
    ComboFix-quarantined-files.txt 2008-11-02 00:12:52

    Pre-Run: 65,106,710,528 bytes free
    Post-Run: 65,027,579,904 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    179 --- E O F --- 2008-11-01 03:10:26
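The ComboFix output above is raw scan data. As an added example (not part of the original thread, and not code from ComboFix or Safer Networking), the following Python script reads an excerpt of that log and pulls out the three things a log helper looks at first: what ComboFix deleted, Security Center and Windows Firewall values that have been switched to "silent" or "off", and removed autostart orphans whose target is a bare file name rather than a full path. The `SAMPLE_LOG` excerpt is constructed from the log above (trimmed to the sections used); the banner and registry-line regexes, the `LOCATION_TOKENS` set and all function names are this example's own assumptions about the log layout, not a documented ComboFix format.

```python
"""Triage helper for a ComboFix text log (added example; not ComboFix's own code)."""
import re

# Constructed excerpt of the ComboFix log posted above, trimmed to the sections this
# script reads; in practice pass the full contents of ComboFix.txt.
SAMPLE_LOG = r"""
((((((((( Other Deletions )))))))))
.
C:\WINDOWS\system32\dllcache\figaro.sys
C:\WINDOWS\system32\TDSSosvd.dat
.
((((((((( Reg Loading Points )))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
- - - - ORPHANS REMOVED - - - -
HKCU-Run-MoneyStartUp - c:\Program Files\Microsoft Money\System\Money Startup.exe
HKLM-Run-WorksFUD - (no file)
HKLM-RunServices-Windows DNS Daemon - windnsd.exe
HKU-Default-RunOnce-Windows DNS Daemon - windnsd.exe
"""

# Assumed layout: section banners read "(((( Name ))))" or "- - - - Name - - - -",
# the registry section holds "[key]" lines followed by "name"=value lines, and an
# orphan entry is "<hyphen-separated location tokens>-<name> - <target>".
BANNER_RE = re.compile(r"^(?:[-(]\s?){3,}(.+?)(?:\s?[-)]){3,}$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
LOCATION_TOKENS = {"HKCU", "HKLM", "HKU", "Default", "Run", "RunOnce", "RunServices"}


def split_sections(text):
    """Map each banner title to the non-empty lines under it ('.' separators dropped)."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def dword(value):
    """Numeric value of 'dword:00000001' or '0 (0x0)'; None for strings and paths."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"\d+", value)
    return int(m.group(0)) if m else None


def find_weakened_settings(reg_lines):
    """Flag Security Center *DisableNotify values set to 1 and EnableFirewall=0 in the
    standard profile: the changes malware makes so the user is never warned."""
    findings, key = [], ""
    for line in reg_lines:
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            key = km.group(1).lower()
        elif vm:
            name, value = vm.group(1), vm.group(2).strip()
            n = dword(value)
            if key.endswith("security center") and name.lower().endswith("disablenotify") and n == 1:
                findings.append((name, value, "Security Center alert suppressed"))
            elif key.endswith(r"firewallpolicy\standardprofile") and name.lower() == "enablefirewall" and n == 0:
                findings.append((name, value, "Windows Firewall disabled"))
    return findings


def review_orphans(orphan_lines):
    """Removed autostart entries whose target is a bare file name: Windows resolved it
    through the search path, so any file of that name left behind deserves a look."""
    flagged = []
    for line in orphan_lines:
        entry, sep, target = line.partition(" - ")
        if not sep or target == "(no file)" or "\\" in target:
            continue
        tokens, i = entry.split("-"), 0
        while i < len(tokens) - 1 and tokens[i] in LOCATION_TOKENS:
            i += 1
        flagged.append({"location": "-".join(tokens[:i]), "name": "-".join(tokens[i:]), "target": target})
    return flagged


def audit_combofix(text):
    sections = split_sections(text)
    return {"deleted": sections.get("Other Deletions", []),
            "weakened": find_weakened_settings(sections.get("Reg Loading Points", [])),
            "orphans_to_review": review_orphans(sections.get("ORPHANS REMOVED", []))}


if __name__ == "__main__":
    for kind, items in audit_combofix(SAMPLE_LOG).items():
        print(kind, items)
```

On the excerpt this reports the two deleted files, all three weakened settings (both Security Center notifications suppressed and the firewall off) and the two "Windows DNS Daemon" orphans that pointed at a bare `windnsd.exe`; the Money and WorksFUD orphans are skipped because they carry a full path or no file at all. The point of the check is that a clean scan alone does not restore these settings: they have to be turned back on and re-verified after cleanup.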

  2. #2
    Junior Member
    Join Date
    Nov 2008
    Posts
    2

    Here is also the log from Malwarebytes.

    Malwarebytes' Anti-Malware 1.30
    Database version: 1349
    Windows 5.1.2600 Service Pack 2

    11/1/2008 8:54:07 PM
    mbam-log-2008-11-01 (20-54-07).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 96342
    Time elapsed: 1 hour(s), 8 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\System Volume Information\_restore{EEB01FF0-0722-40BC-8DCA-5D3D36C315C6}\RP538\A0049585.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

  3. #3
    pskelley
    In Memoriam - Always in our heart
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,538

    Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Make sure you read and follow the directions; anything else will slow the process and waste both our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
    The junk can be tough to remove, so do not expect fast or easy.
    "I'm a newbie at this"
    The fact you are new is all the more reason for you to read and follow the directions. Had you done that, you would have seen this:
    Posting additional comments or logs before a volunteer responds can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.
    Do NOT run 'FIXES' before helpers have analyzed the HJT log
    http://forums.spybot.info/showthread.php?t=16806
    ComboFix is not a general-purpose cleaning tool; please do not use this tool without supervision.
    If you still have malware issues, read the directions, post the required HijackThis log and tell me what they are.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
