PDA

View Full Version : Can someone check my log??



DoctorWho
2008-11-02, 02:31
Hi. I'm a newbie at this. I had some malware on my computer and I'm hoping I got rid of it. I have a logfile from combofix from minutes ago. Here it is.


ComboFix 08-11-01.01 - Candice 2008-11-01 18:57:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.174 [GMT -5:00]
Running from: C:\Documents and Settings\Candice\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Candice\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\figaro.sys
C:\WINDOWS\system32\TDSSosvd.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-02 to 2008-11-02 )))))))))))))))))))))))))))))))
.

2008-11-01 18:36 . 2008-11-01 18:36 3,788 --a------ C:\WINDOWS\system32\EPPICResdb0000
2008-11-01 18:36 . 2008-11-01 18:36 115 --a------ C:\WINDOWS\system32\EPPICResdb
2008-11-01 16:07 . 2008-11-01 17:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-11-01 16:06 . 2008-11-01 16:10 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-11-01 15:55 . 2008-11-01 15:55 <DIR> d-------- C:\Documents and Settings\Candice\Application Data\Malwarebytes
2008-10-31 23:50 . 2008-10-31 23:50 <DIR> d-------- C:\WINDOWS\Sun
2008-10-31 23:49 . 2008-10-31 23:48 410,976 --a------ C:\WINDOWS\system32\deploytk.dll
2008-10-31 23:49 . 2008-10-31 23:48 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-10-31 23:48 . 2008-10-31 23:48 <DIR> d-------- C:\Program Files\Java
2008-10-31 23:26 . 2008-10-31 23:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-31 22:20 . 2008-10-31 22:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-31 22:20 . 2008-10-31 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-31 22:20 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-31 22:20 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-31 22:10 . 2008-10-31 22:10 137 --a------ C:\WINDOWS\system32\MRT.INI
2008-10-31 22:04 . 2001-08-18 07:00 4,224 --a------ C:\WINDOWS\system32\drivers\beep.sys
2008-10-24 16:04 . 2008-10-24 16:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-05 16:34 . 2008-05-01 09:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-10-04 17:23 . 2008-10-04 17:23 <DIR> d-------- C:\Documents and Settings\Candice\Application Data\acccore
2008-10-04 17:18 . 2008-10-04 17:18 <DIR> d-------- C:\Documents and Settings\Candice\Application Data\Viewpoint
2008-10-04 17:18 . 2008-10-04 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-10-04 17:18 . 2008-10-04 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-10-04 17:18 . 2008-10-04 17:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-10-04 17:17 . 2008-10-04 17:17 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-10-04 17:16 . 2008-10-04 17:18 <DIR> d-------- C:\Program Files\AIM6
2008-10-04 17:16 . 2008-10-04 17:19 365 --ah----- C:\IPH.PH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-02 00:00 --------- d-----w C:\Program Files\Eraser
2008-11-01 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2008-11-01 04:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-01 02:57 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-24 21:06 --------- d-----w C:\Program Files\Lavasoft
2008-10-24 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-18 00:42 --------- d-----w C:\Program Files\Audacity
2008-10-04 22:18 --------- d-----w C:\Program Files\Viewpoint
2008-10-04 22:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-06 05:12 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:00 2,180,352 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,057,728 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Eraser"="C:\Program Files\Eraser\eraser.exe" [2002-04-12 487424]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-08-15 28672]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2001-09-26 131072]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-01-23 77824]
"EPSON Stylus CX4600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" [2004-03-04 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-10-31 136600]
"Smapp"="Smtray.exe" [2001-05-31 C:\WINDOWS\system32\SMTray.exe]
"S3TRAY2"="S3tray2.exe" [2001-10-12 C:\WINDOWS\system32\S3tray2.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-09-06 97928]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-06 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-06 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-03 76040]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-31 152984]
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 86016]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 112574]
S1 EACMOS;EACMOS;C:\WINDOWS\system32\drivers\EACMOS.SYS [ ]
S3 5lfav;Mustek MDC 3500 WDM Video Capture;C:\WINDOWS\system32\Drivers\5lfav.sys [ ]
S3 Gcr432;Gcr432;C:\WINDOWS\system32\Drivers\gcr432.sys [2001-05-10 89371]
S3 USBCamera;Mustek MDC 3500 Still Image Capture;C:\WINDOWS\system32\Drivers\Bulk5lf.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-11-01 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
- C:\PROGRA~1\NORTON~1\NAVW32.exe []

2002-01-12 C:\WINDOWS\Tasks\Registration reminder 1.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 01:56]

2002-01-12 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 01:56]

2002-01-12 C:\WINDOWS\Tasks\Registration reminder 3.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 01:56]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MoneyStartUp - c:\Program Files\Microsoft Money\System\Money Startup.exe
HKLM-Run-AdaptecDirectCD - C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
HKLM-Run-WorksFUD - (no file)
HKLM-RunServices-Windows DNS Daemon - windnsd.exe
HKU-Default-RunOnce-Windows DNS Daemon - windnsd.exe
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - C:\Program Files\Qualcomm\Eudora\EuShlExt.dll
MSConfigStartUp-iamapp - C:\Program Files\Norton Internet Security\IAMAPP.EXE


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Candice\Application Data\Mozilla\Firefox\Profiles\3a4nr5pz.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-01 19:04:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\be41527e-5186-4b81-bc27-fde75633133e.tmp 0 bytes
C:\WINDOWS\TEMP\d1e83ab3-6b88-47a7-a93d-e33dbb4f5d07.tmp 0 bytes
C:\WINDOWS\TEMP\e09869f5-84b0-46d5-b106-7c2b18d8b1c4.tmp

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\COMPAQ\Easy Access Button Support\CPQEADM.exe
C:\Compaq\CPQInet\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-01 19:13:22 - machine was rebooted [Candice]
ComboFix-quarantined-files.txt 2008-11-02 00:12:52

Pre-Run: 65,106,710,528 bytes free
Post-Run: 65,027,579,904 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

179 --- E O F --- 2008-11-01 03:10:26

DoctorWho
2008-11-02, 04:07
Here is also the log from malware bytes.

Malwarebytes' Anti-Malware 1.30
Database version: 1349
Windows 5.1.2600 Service Pack 2

11/1/2008 8:54:07 PM
mbam-log-2008-11-01 (20-54-07).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 96342
Time elapsed: 1 hour(s), 8 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{EEB01FF0-0722-40BC-8DCA-5D3D36C315C6}\RP538\A0049585.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

pskelley
2008-11-07, 02:44
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

I'm a newbie at this
The fact you are new is all the more reason for you to read and follow the directions. Had you done that, you would have seen this:

Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. Also, helpers may think you are already being assisted because of the post count.

Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806

ComboFix is not a general purpose cleaning tool, please do not use this tool without supervision.

If you still have malware issues, read the directions, post the required HijackThis log and tell me what they are.

Thanks