Thread: Virtumonde, Antivirus Override, and more

  1. #11
    SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    Cannot get ComboFix to run

    Shaba,

    I cannot locate ComboFix on my computer, so I tried installing from the link you posted previously; it begins, but I cannot get it to run. First I get an error saying it cannot be renamed as ComboFix(2); then, when I uninstalled ComboFix and re-installed per the instructions on bleepingcomputer.com, it gets to the beginning blue screen saying it is going to begin scanning, but then it never moves on to the next step as normal.

    What should I try now?

    Thanks!
    Cristy

  2. #12
    SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    Re-posting reply (seems to not work from my computer)

    Shaba,

    I cannot locate ComboFix on my computer, so I tried installing from the link you posted previously; it begins, but I cannot get it to run. First I get an error saying it cannot be renamed as ComboFix(2); then, when I uninstalled ComboFix and re-installed per the instructions on bleepingcomputer.com, it gets to the beginning blue screen saying it is going to begin scanning, but then it never moves on to the next step as normal. I have done this several times, waiting at least two to three hours with nothing happening.

    What should I try now?

    Thanks!
    Cristy

  3. #13
    Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)

    Hi SLRHCristy

    I am very sorry, but I didn't get a notification this time either. I will now check manually for any new replies.

    Please try to run ComboFix in safe mode and let me know if it works there.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  4. #14
    SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    Running ComboFix in Safe Mode

    Hi Shaba,

    I was able to run ComboFix in safe mode, but the power went out right when ComboFix was preparing the log. Should I just run ComboFix again, or is there a way to retrieve the log?

    Thanks,
    Cristy

  5. #15
    SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    (power outage)

    Just to clarify, the power went out in our town, not just on the computer...

  6. #16
    SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    Ran ComboFix

    Hi Shaba,

    I don't know what happened to my last two posts. I seriously feel like someone has access to my file and is deleting my posts or something. I updated the same day you responded to me, but I do not see it here anywhere. Strange... anyhow, I ran ComboFix, but our power went out due to a thunderstorm when the system was generating the ComboFix log. Should I re-run ComboFix again, or how should I proceed?

    Thanks!
    Cristy

  7. #17
    Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)

    Hi SLRHCristy

    Yes, I think it has been a forum bug, because it showed my post as the latest in the board index before your latest one.

    Yes, please rerun ComboFix.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  8. #18
    SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    Fresh ComboFix Log

    Hi Shaba,

    Here is a fresh ComboFix log.

    Thanks!
    Cristy

    ComboFix 11-08-04.02 - Jason 08/04/2011 14:09:26.3.2 - x86 NETWORK
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2036.1456 [GMT -6:00]
    Running from: c:\users\Jason\Downloads\ComboFix.exe
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\assembly\GAC_MSIL\desktop.ini
    .
    ---- Previous Run -------
    .
    c:\windows\assembly\GAC_MSIL\desktop.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_1205265706
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-04 to 2011-08-04 )))))))))))))))))))))))))))))))
    .
    .
    2011-08-04 20:14 . 2011-08-04 20:15 -------- d-----w- c:\users\Jason\AppData\Local\temp
    2011-08-04 20:14 . 2011-08-04 20:14 -------- d-----w- c:\users\Public\AppData\Local\temp
    2011-08-04 20:14 . 2011-08-04 20:14 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-08-02 07:13 . 2011-07-13 03:39 6881616 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5BF49CC8-32F7-4FF6-8569-34F81EAF1BA6}\mpengine.dll
    2011-07-13 03:54 . 2011-06-02 12:59 2042368 ----a-w- c:\windows\system32\win32k.sys
    2011-07-13 03:54 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
    2011-07-13 03:54 . 2011-04-20 14:44 49152 ----a-w- c:\windows\system32\csrsrv.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-16 14:48 . 2011-06-14 08:22 0 ----a-w- c:\users\Jason\AppData\Local\Pbegaxacodene.bin
    2011-05-28 06:08 . 2011-06-16 21:25 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-05-28 06:04 . 2011-06-16 21:25 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-05-28 06:04 . 2011-06-16 21:25 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-05-28 06:04 . 2011-06-16 21:25 71680 ----a-w- c:\windows\system32\iesetup.dll
    2011-05-28 06:04 . 2011-06-16 21:25 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2011-05-28 05:10 . 2011-06-16 21:25 385024 ----a-w- c:\windows\system32\html.iec
    2011-05-28 04:33 . 2011-06-16 21:25 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2011-05-28 04:31 . 2011-06-16 21:25 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2011-05-25 01:14 . 2009-10-03 15:47 222080 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-01-19 942080]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Desktop Software"="c:\program files\Common Files\SupportSoft\bin\bcont.exe" [2009-04-24 1025320]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
    "OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "DT HPW"="c:\program files\Portrait Displays\HP My Display\DTHtml.exe" [2007-06-30 278528]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-26 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-26 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-26 133656]
    "WPCUMI"="c:\windows\system32\WpcUmi.exe" [2006-11-02 176128]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
    "ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-20 583016]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 aswSP;avast! Self Protection; [x]
    S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-04 c:\windows\Tasks\User_Feed_Synchronization-{75F4A956-7178-4257-A9AE-BB2C68A6FF0E}.job
    - c:\windows\system32\msfeedssync.exe [2011-06-16 04:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net?cid=NET_mmhpset
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
    uInternet Settings,ProxyOverride = *.local
    LSP: c:\windows\system32\wpclsp.dll
    LSP: mswsock.dll
    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
    FF - ProfilePath - c:\users\Jason\AppData\Roaming\Mozilla\Firefox\Profiles\fjz7lecu.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2310140&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - LegendsOfZork Customized Web Search
    FF - prefs.js: browser.startup.homepage - www.msn.com
    FF - Ext: Sukoku: {7AB6D133-2A14-4C11-B3AD-35B1548D38F9} - c:\program files\Mozilla Firefox\extensions\{7AB6D133-2A14-4C11-B3AD-35B1548D38F9}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: LegendsOfZork Toolbar: {0fc0ec69-5eca-413a-a7cb-765fff3f9768} - %profile%\extensions\{0fc0ec69-5eca-413a-a7cb-765fff3f9768}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-04 14:16
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Device Parameters\MODES]
    @DACL=(02 0000)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Properties\{83da6326-97a6-4088-9453-a1923f573b29}]
    @DACL=(02 0000)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\DISPLAY\HWP26A4\4&2d4f67a9&0&UID16843008\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}]
    @DACL=(02 0000)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(676)
    c:\windows\system32\mswsock.dll
    mswsock.dll 750f0000 241664 \\?\globalroot\systemroot\system32\mswsock.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\RtHDVCpl.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe
    c:\windows\system32\wermgr.exe
    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-04 14:21:27 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-04 20:21
    .
    Pre-Run: 307,328,016,384 bytes free
    Post-Run: 305,092,399,104 bytes free
    .
    - - End Of File - - 2D21E3FC1C6E5CDCF6F9E5914A3D3A35

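    Two items in the log above are the kind a defender would want to check programmatically rather than by eye: the "Reg Loading Points" block records `DisableMonitoring=dword:00000001` under the Security Center `Monitoring` keys (Windows Security Center then stops reporting the state of the named antivirus/firewall products, which can be a legitimate vendor setting or an attempt to hide a disabled product, so it is worth confirming with the user which product set it), and the `Run` keys list the autostart programs that survive a reboot. The Python below is an added example written for this thread; it is not part of the forum post, of ComboFix or of any vendor tool. It parses the REGEDIT4-style section of a ComboFix log into key/value pairs and applies two triage rules: Security Center monitoring disabled, and autorun values that either lack an absolute path (so they resolve through the search path) or run from a user-writable location. The sample input is a constructed excerpt copied from the log above; the function names and the flag rules are my own assumptions, not ComboFix's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the "Reg Loading Points" block of the
# ComboFix log posted in this thread; a real run would read the full log file.
SAMPLE_LOG = """\
REGEDIT4
.
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Sidebar"="c:\\program files\\Windows Sidebar\\sidebar.exe" [2008-01-21 1233920]
"SpybotSD TeaTimer"="c:\\program files\\Spybot - Search & Destroy\\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-03 6266880]
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# key path -> list of (value name, raw value text as printed in the log)
RegEntries = Dict[str, List[Tuple[str, str]]]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
_QUOTED_RE = re.compile(r'^"([^"]*)"')
_ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# Locations an unprivileged user can write to (assumed rule for this example).
_USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|users\\[^\\]+\\downloads)\\", re.IGNORECASE)


def parse_reg_loading_points(text: str) -> RegEntries:
    """Parse REGEDIT4-style lines into key -> [(name, raw_value)]; '.' separators are ignored."""
    entries: RegEntries = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            entries.setdefault(current, [])
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            entries[current].append((value_match.group(1), value_match.group(2).strip()))
    return entries


def value_as_path(raw: str) -> Optional[str]:
    """Return the quoted string part of a value such as '"c:\\x.exe" [date size]'."""
    match = _QUOTED_RE.match(raw)
    return match.group(1) if match else None


def value_as_dword(raw: str) -> Optional[int]:
    """Return the integer of a 'dword:XXXXXXXX' value, or None for other value types."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return None


def find_disabled_security_center_monitoring(entries: RegEntries) -> List[str]:
    """Key paths under Security Center\\Monitoring whose DisableMonitoring is set to 1."""
    flagged = []
    for key, values in entries.items():
        if "\\security center\\monitoring" not in key.lower():
            continue
        for name, raw in values:
            if name.lower() == "disablemonitoring" and value_as_dword(raw) == 1:
                flagged.append(key)
    return flagged


def find_autorun_flags(entries: RegEntries) -> List[Tuple[str, str, str]]:
    """(key, value name, reason) for Run entries worth a second look."""
    flags = []
    for key, values in entries.items():
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for name, raw in values:
            path = value_as_path(raw)
            if path is None:
                continue
            if not _ABS_PATH_RE.match(path):
                flags.append((key, name, "no absolute path; resolved via search path"))
            elif _USER_WRITABLE_RE.search(path):
                flags.append((key, name, "runs from a user-writable location"))
    return flags


def triage(text: str) -> Dict[str, object]:
    """Run both checks over a log and return the findings for reporting or assertions."""
    entries = parse_reg_loading_points(text)
    return {
        "keys": len(entries),
        "monitoring_disabled": find_disabled_security_center_monitoring(entries),
        "autorun_flags": find_autorun_flags(entries),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key in result["monitoring_disabled"]:
        print("Security Center monitoring disabled:", key)
    for key, name, reason in result["autorun_flags"]:
        print(f"Autorun {name!r} under {key}: {reason}")
```

    On the excerpt this reports the two Security Center keys and the `RtHDVCpl` entry, which is listed without a directory; the "Other Running Processes" section of the same log shows it running from `c:\windows\RtHDVCpl.exe`, so the flag here only tells the analyst where to look, not that the entry is malicious.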
  9. #19
    Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)

    Hi,

    That log looks pretty fine now.

    How is the computer working at the moment?
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #20
    SLRHCristy (Member; Riverton; joined Jan 2008; 50 posts)

    Running okay...

    Hi Shaba,

    Seems to be running okay... still cannot run Spybot or ComboFix in normal mode; probably just need to uninstall and download a fresh version. What do you think? What's next?

    Thanks!
    Cristy
