ComboFix Log
Hi Ken,
ComboFix 11-04-16.03 - John 04/17/2011 17:54:23.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.156 [GMT -4:00]
Running from: c:\documents and settings\John\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2011-03-17 to 2011-04-17 )))))))))))))))))))))))))))))))
.
.
2011-04-16 22:13 . 2011-04-16 22:13 -------- d-----w- C:\_OTL
2011-04-14 04:48 . 2011-04-14 04:48 -------- d-----w- c:\program files\ERUNT
2011-03-25 15:49 . 2011-03-25 15:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-25 15:49 . 2011-03-25 15:49 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2009-10-02 14:51 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 04:56 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 03:17 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 04:56 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 23:06 . 2004-08-04 04:56 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 04:56 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 11:41 . 2004-08-04 02:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-17 13:18 . 2004-08-04 03:15 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 03:14 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-10-02 19:57 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 04:56 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 04:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 04:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2004-08-04 04:56 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-04 04:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2009-10-02 14:50 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-10-02 14:50 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-04 04:56 439296 ----a-w- c:\windows\system32\shimgvw.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 ----a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 ----a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 ----a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 ----a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 ----a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 ----a-w- c:\program files\Common Files\IRASRIAL.DLL
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2003-12-01 892928]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Logitech Utility"=Logi_MwX.Exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\1033\\WFXMSRVR.EXE"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
.
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\eraserutilrebootdrv.sys [6/5/2010 8:46 AM 102448]
S0 nhvx;nhvx;c:\windows\system32\drivers\splk.sys --> c:\windows\system32\drivers\splk.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/28/2009 6:06 PM 133104]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [1/11/2011 10:15 AM 16968]
S3 HitmanPro35Crusader;Hitman Pro 3.5 Crusader;"e:\hitmanpro35.exe" /crusader --> e:\HitmanPro35.exe [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 22:06]
.
2011-04-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-10-28 22:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>
Trusted Zone: google.com\b.mail
Trusted Zone: google.com\mail
Trusted Zone: google.com\www
Trusted Zone: landrecordsonline.com\sussex
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\amsntw2b.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-17 18:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1644491937-879983540-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-17 18:07:19
ComboFix-quarantined-files.txt 2011-04-17 22:07
.
Pre-Run: 36,181,733,376 bytes free
Post-Run: 36,266,225,664 bytes free
.
- - End Of File - - 144AFC4AE8B457B88DBCF17A3C618080
mbofix log
-
Hello John,
How are things running, any better?
You need to enable Windows to show all files and folders, instructions Here.
Go to VirusTotal and submit this file for analysis. Just use the browse feature and then Send File; you will get a report back. Post the report into this thread for me to see. If the site says this file has been checked before, have them check it again.
c:\windows\system32\drivers\splk.sys <--This file
If the site is busy you can try this one
http://virusscan.jotti.org/en
-
Which file to submit
Hi Ken,
All my files are showing again.
Are you talking about the previous ComboFix file to submit?
John
-
Well, it's on this system; it may be safe, but let's check it.
c:\windows\system32\drivers\splk.sys <--This file
-
Virus Total Scan
Hi Ken,
Things seem much better
This is the scan from virus total.
Further issues left over: Startup empty, Entertainment empty (all games gone), System Tools shows IE with no add-ons, Windows fix disc present in Startup,
show on click uninstall, colors faded from icons that were restored.
thanks
John
File name: log.txt 4-17-11.txt
Submission date: 2011-04-19 12:11:13 (UTC)
Current status: finished
Result: 0 /42 (0.0%)
VT Community
not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.04.19.01 2011.04.19 -
AntiVir 7.11.6.182 2011.04.19 -
Antiy-AVL 2.0.3.7 2011.04.18 -
Avast 4.8.1351.0 2011.04.19 -
Avast5 5.0.677.0 2011.04.19 -
AVG 10.0.0.1190 2011.04.19 -
BitDefender 7.2 2011.04.19 -
CAT-QuickHeal 11.00 2011.04.19 -
ClamAV 0.97.0.0 2011.04.19 -
Commtouch 5.3.2.6 2011.04.19 -
Comodo 8398 2011.04.19 -
DrWeb 5.0.2.03300 2011.04.19 -
Emsisoft 5.1.0.5 2011.04.19 -
eSafe 7.0.17.0 2011.04.18 -
eTrust-Vet 36.1.8279 2011.04.19 -
F-Prot 4.6.2.117 2011.04.19 -
F-Secure 9.0.16440.0 2011.04.19 -
Fortinet 4.2.257.0 2011.04.19 -
GData 22 2011.04.19 -
Ikarus T3.1.1.103.0 2011.04.19 -
Jiangmin 13.0.900 2011.04.18 -
K7AntiVirus 9.96.4412 2011.04.18 -
Kaspersky 7.0.0.125 2011.04.19 -
McAfee 5.400.0.1158 2011.04.19 -
McAfee-GW-Edition 2010.1D 2011.04.19 -
Microsoft 1.6802 2011.04.19 -
NOD32 6054 2011.04.19 -
Norman 6.07.07 2011.04.19 -
Panda 10.0.3.5 2011.04.18 -
PCTools 7.0.3.5 2011.04.19 -
Prevx 3.0 2011.04.19 -
Rising 23.54.01.05 2011.04.19 -
Sophos 4.64.0 2011.04.19 -
SUPERAntiSpyware 4.40.0.1006 2011.04.19 -
Symantec 20101.3.2.89 2011.04.19 -
TheHacker 6.7.0.1.176 2011.04.18 -
TrendMicro 9.200.0.1012 2011.04.19 -
TrendMicro-HouseCall 9.200.0.1012 2011.04.19 -
VBA32 3.12.16.0 2011.04.19 -
VIPRE 9058 2011.04.19 -
ViRobot 2011.4.19.4418 2011.04.19 -
VirusBuster 13.6.311.0 2011.04.18 -
Additional information
MD5 : 9f4d19f7fba0205413a26adcfb31884d
SHA1 : 1c4d989bf27e5dc35117c19857aa96fdddd4189e
SHA256: 5c3a6e9cf647e3202bff3673aa4123821788de708cc5302ce7c649c840ec07d2
Click shows: uninstall, 4 media plugins, colors on restored icons faded.
-
Well, we're at a point where all the malware is gone; whether it damaged your system I don't know. Sounds like the problems you're having now are Windows related.
Why don't you post here for help? All of us forums work together, so you can link them to this thread so they can see what we have done.
http://forums.whatthetech.com/index.php?showforum=119
Let's see if they can sort out your problems.
-
Thank you Ken
Hi Ken,
Thank you for all your help. I am making a donation to help support this great help forum. I will look at the site you recommended.
Thank You
John Chambers
-
You're welcome, John,
I will find you at WhatTheTech and follow along.
Open OTL and click on CleanUp and it will remove the programs we have used and their backups from your system.
Safe Surfn
Ken