
Combofix log

Can someone take a look at this ComboFix log?

I believe the main offenders were command.exe and prun.exe, and the symptoms appear to be gone, but I want to know if the box is clean.

Thanks!
ComboFix 08-11-09.01 - admin 2008-11-09 18:13:05.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1407 [GMT -8:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
 * Created a new restore point
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\admin\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\MSINET.oca
c:\windows\system32\QsrqYcfe.ini
c:\windows\system32\QsrqYcfe.ini2
c:\windows\system32\triyhpqm.ini
c:\windows\system32\u2
c:\windows\system32\yrovpnfk.ini
c:\windows\Tasks\gwkavqbi.job
 
----- BITS: Possible infected sites -----
 
hxxp://niheradomen.com
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Service_TnIDriver
 
 
(((((((((((((((((((((((((   Files Created from 2008-10-10 to 2008-11-10  )))))))))))))))))))))))))))))))
.
 
2008-11-09 18:19 . 2008-11-09 18:19	<DIR>	d--------	c:\windows\system32\xircom
2008-11-09 18:19 . 2008-11-09 18:19	<DIR>	d--------	c:\windows\system32\oobe
2008-11-09 18:19 . 2008-11-09 18:19	<DIR>	d--------	c:\windows\srchasst
2008-11-09 18:19 . 2008-11-09 18:19	<DIR>	d--------	c:\program files\microsoft frontpage
2008-11-09 15:36 . 2008-11-09 15:36	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2008-11-09 15:36 . 2008-11-09 15:36	<DIR>	d--------	c:\documents and settings\admin\Application Data\Malwarebytes
2008-11-09 15:36 . 2008-11-09 15:36	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-09 15:36 . 2008-10-22 16:28	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-09 15:36 . 2008-10-22 16:28	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2008-11-09 14:31 . 2008-11-09 14:31	<DIR>	d--------	c:\program files\SUPERAntiSpyware
2008-11-09 14:31 . 2008-11-09 14:31	<DIR>	d--------	c:\documents and settings\admin\Application Data\SUPERAntiSpyware.com
2008-11-09 14:31 . 2008-11-09 14:31	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-11-09 00:31 . 2008-11-09 00:31	<DIR>	d--------	c:\program files\Trend Micro
2008-11-08 22:33 . 2008-11-09 17:23	<DIR>	d--h-----	C:\$AVG8.VAULT$
2008-11-08 22:31 . 2008-11-09 14:09	<DIR>	d--------	c:\windows\system32\drivers\Avg
2008-11-08 22:31 . 2008-11-08 22:31	97,928	--a------	c:\windows\system32\drivers\avgldx86.sys
2008-11-08 22:31 . 2008-11-08 22:31	10,520	--a------	c:\windows\system32\avgrsstx.dll
2008-11-08 22:23 . 2008-11-08 22:23	<DIR>	d--------	c:\documents and settings\admin\Application Data\IUpd721
2008-11-08 22:18 . 2008-11-09 14:41	<DIR>	d--hs----	c:\windows\R1I
2008-11-08 22:17 . 2008-11-08 22:17	<DIR>	d--------	c:\windows\system32\sX3i19
2008-11-08 22:17 . 2008-11-09 14:41	<DIR>	d--------	c:\windows\system32\svm
2008-11-08 22:17 . 2008-11-08 23:29	<DIR>	d--------	c:\windows\system32\prt
2008-11-08 22:17 . 2008-11-08 22:18	<DIR>	d--------	c:\windows\system32\db
2008-11-08 22:17 . 2008-11-08 23:28	<DIR>	d--------	c:\windows\system32\AX5
2008-11-08 22:17 . 2008-11-08 22:17	<DIR>	d--------	c:\temp\PRE45
2008-11-08 22:17 . 2008-11-08 22:17	79,094	--a------	c:\windows\system32\danurlzwfxhmdufrq.exe
2008-10-24 03:04 . 2008-10-15 08:34	337,408	---------	c:\windows\system32\dllcache\netapi32.dll
2008-10-20 15:30 . 2008-10-20 15:30	<DIR>	d--------	c:\documents and settings\admin\Application Data\Viewpoint
2008-10-15 14:29 . 2008-10-15 14:29	<DIR>	d--------	c:\documents and settings\admin\Application Data\eFax Messenger
2008-10-15 14:29 . 2008-10-15 14:29	<DIR>	d--------	c:\documents and settings\All Users\Application Data\eFax Messenger 4.4 Output
2008-10-15 14:29 . 2008-10-15 14:29	0	--a------	c:\windows\system32\eFax_4_4_Port
2008-10-15 14:28 . 2008-10-15 14:29	<DIR>	d--------	c:\program files\eFax Messenger 4.4
2008-10-15 14:28 . 2008-10-15 14:28	<DIR>	d--------	c:\documents and settings\admin\Application Data\j2 Global
2008-10-14 23:46 . 2008-08-14 02:11	2,189,184	---------	c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 23:46 . 2008-08-14 02:09	2,145,280	---------	c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 23:46 . 2008-08-14 01:33	2,066,048	---------	c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 23:46 . 2008-08-14 01:33	2,023,936	---------	c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 23:46 . 2008-09-15 04:12	1,846,400	---------	c:\windows\system32\dllcache\win32k.sys
2008-10-14 23:46 . 2008-09-08 02:41	333,824	---------	c:\windows\system32\dllcache\srv.sys
2008-10-14 23:46 . 2008-08-14 02:04	138,496	---------	c:\windows\system32\dllcache\afd.sys
2008-10-10 20:11 . 2008-10-10 20:11	<DIR>	d--------	c:\program files\PrivacyView Software
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 02:11	---------	d-----w	c:\documents and settings\admin\Application Data\Skype
2008-11-10 01:27	---------	d-----w	c:\documents and settings\admin\Application Data\skypePM
2008-11-09 22:31	---------	d-----w	c:\program files\Common Files\Wise Installation Wizard
2008-11-09 08:02	---------	d-----w	c:\documents and settings\admin\Application Data\BPFTP
2008-11-09 06:31	---------	d-----w	c:\documents and settings\All Users\Application Data\avg8
2008-11-09 06:21	---------	d-----w	c:\documents and settings\admin\Application Data\uTorrent
2008-10-25 21:03	---------	d-----w	c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-11 04:11	---------	d--h--w	c:\program files\InstallShield Installation Information
2008-10-06 01:09	---------	d-----w	c:\program files\Quicken
2008-10-06 01:08	---------	d-----w	c:\program files\Common Files\AnswerWorks 5.0
2008-10-06 01:07	---------	d-----w	c:\program files\Common Files\Intuit
2008-10-06 01:07	---------	d-----w	c:\documents and settings\admin\Application Data\Intuit
2008-10-06 01:07	---------	d-----w	c:\documents and settings\All Users\Application Data\Intuit
2008-10-05 07:59	---------	d-----w	c:\program files\Common Files\Adobe
2008-10-01 23:50	---------	d-----w	c:\documents and settings\admin\Application Data\Alchemy Mindworks
2008-10-01 23:22	---------	d-----w	c:\program files\Alchemy Mindworks
2008-09-26 22:02	90,112	----a-w	c:\windows\DUMP6949.tmp
2008-09-26 02:24	---------	d-----w	c:\program files\BPFTP
2008-09-25 22:58	---------	d-----w	c:\program files\HP
2008-09-25 22:58	---------	d-----w	c:\program files\Common Files\Hewlett-Packard
2008-09-24 18:02	---------	d-----w	c:\program files\Viewpoint
2008-09-24 18:02	---------	d-----w	c:\program files\AIM6
2008-09-24 18:02	---------	d-----w	c:\documents and settings\All Users\Application Data\Viewpoint
2008-09-24 18:01	---------	d-----w	c:\documents and settings\All Users\Application Data\AOL
2008-09-24 09:48	---------	d-----w	c:\documents and settings\admin\Application Data\Windows Search
2008-09-24 06:39	---------	d-----w	c:\program files\MSXML 4.0
2008-09-24 02:39	---------	d-----w	c:\program files\Windows Desktop Search
2008-09-24 02:39	---------	d-----w	c:\documents and settings\admin\Application Data\Windows Desktop Search
2008-09-24 02:28	---------	d-----w	c:\program files\MSBuild
2008-09-24 02:28	---------	d-----w	c:\program files\Microsoft Works
2008-09-24 01:24	---------	d-----w	c:\program files\uTorrent
2008-09-24 01:12	---------	d-----w	c:\documents and settings\admin\Application Data\InstallShield
2008-09-23 22:01	---------	d-----w	c:\documents and settings\admin\Application Data\acccore
2008-09-23 21:59	---------	d-----w	c:\program files\Common Files\AOL
2008-09-23 21:59	---------	d-----w	c:\documents and settings\All Users\Application Data\AOL OCP
2008-09-23 21:59	---------	d-----w	c:\documents and settings\All Users\Application Data\acccore
2008-09-23 20:27	---------	d-----w	c:\program files\Skype
2008-09-23 20:27	---------	d-----w	c:\program files\Common Files\Skype
2008-09-23 20:27	---------	d-----w	c:\documents and settings\All Users\Application Data\Skype
2008-09-23 10:48	---------	d-----w	c:\program files\Windows Media Connect 2
2008-09-23 10:27	---------	d-----w	c:\program files\VanDyke Software
2008-09-23 10:26	---------	d-----w	c:\documents and settings\All Users\Application Data\VanDyke
2008-09-23 10:22	---------	d-----w	c:\documents and settings\admin\Application Data\IDMComp
2008-09-23 10:21	---------	d-----w	c:\program files\IDM Computer Solutions
2008-09-23 10:04	---------	d-----w	c:\documents and settings\admin\Application Data\VanDyke
2008-09-23 09:54	---------	d-----w	c:\documents and settings\admin\Application Data\Nero
2008-09-23 09:53	---------	d-----w	c:\program files\Common Files\Nero
2008-09-23 09:52	---------	d-----w	c:\program files\Nero
2008-09-23 09:52	---------	d-----w	c:\documents and settings\All Users\Application Data\Nero
2008-09-22 21:39	---------	d-----w	c:\program files\AVG
2008-09-22 20:18	---------	d-----w	c:\program files\Common Files\InstallShield
2008-09-22 18:16	---------	d-----w	c:\documents and settings\admin\Application Data\SpamBayes
2008-09-22 17:54	---------	d-----w	c:\program files\SpamBayes
2008-09-22 17:48	---------	d-----w	c:\program files\Trendnet
2008-09-22 17:48	---------	d-----w	c:\documents and settings\Administrator\Application Data\InstallShield
2008-09-22 08:32	---------	d-----w	c:\documents and settings\admin\Application Data\GoodSync
2008-09-22 08:31	---------	d-----w	c:\program files\Siber Systems
2008-09-22 08:26	---------	d-----w	c:\documents and settings\All Users\Application Data\RoboForm
2008-09-22 06:40	---------	d-----w	c:\documents and settings\All Users\Application Data\FLEXnet
2008-09-22 06:35	---------	d-----w	c:\documents and settings\All Users\Application Data\ALM
2008-09-22 06:34	---------	d-----w	c:\program files\QuickTime
2008-09-22 06:29	---------	d-----w	c:\program files\Bonjour
2008-09-22 06:26	---------	d-----w	c:\program files\Common Files\Macrovision Shared
2008-09-22 06:14	---------	d-----w	c:\program files\Alcohol Soft
2008-09-15 12:12	1,846,400	----a-w	c:\windows\system32\win32k.sys
2008-09-13 22:22	990,208	----a-w	c:\windows\system32\syssetup.dll
2008-09-13 22:22	90,112	----a-w	c:\windows\system32\wshext.dll
2008-09-13 22:22	361,600	----a-w	c:\windows\system32\drivers\tcpip.sys
2008-09-13 22:22	245,248	----a-w	c:\windows\system32\mswsock.dll
2008-09-13 22:22	225,856	----a-w	c:\windows\system32\drivers\tcpip6.sys
2008-09-13 22:22	218,624	----a-w	c:\windows\system32\uxtheme.dll
2008-09-13 22:22	203,136	----a-w	c:\windows\system32\drivers\RMCast.sys
2008-09-13 22:22	180,224	----a-w	c:\windows\system32\scrobj.dll
2008-09-13 22:22	172,032	----a-w	c:\windows\system32\scrrun.dll
2008-09-13 22:22	155,648	----a-w	c:\windows\system32\wscript.exe
2008-09-13 22:22	140,288	----a-w	c:\windows\system32\sfc_os.dll
2008-09-13 22:22	1,288,192	----a-w	c:\windows\system32\quartz.dll
2008-09-13 22:21	74,240	----a-w	c:\windows\system32\mscms.dll
2008-09-13 22:21	691,712	----a-w	c:\windows\system32\inetcomm.dll
2008-09-13 22:21	272,128	----a-w	c:\windows\system32\drivers\bthport.sys
2008-09-13 22:21	253,952	----a-w	c:\windows\system32\es.dll
2008-09-13 22:21	135,168	----a-w	c:\windows\system32\cscript.exe
2008-08-21 21:16	637,984	------w	c:\windows\system32\dllcache\iexplore.exe
2008-08-21 21:09	5,699,584	------w	c:\windows\system32\dllcache\mshtml.dll
2008-08-21 21:08	878,592	----a-w	c:\windows\system32\wininet.dll
2008-08-21 21:08	878,592	------w	c:\windows\system32\dllcache\wininet.dll
2008-08-21 21:08	43,008	----a-w	c:\windows\system32\licmgr10.dll
2008-08-21 21:08	43,008	------w	c:\windows\system32\dllcache\licmgr10.dll
2008-08-21 21:08	236,544	------w	c:\windows\system32\dllcache\webcheck.dll
2008-08-21 21:08	1,206,784	------w	c:\windows\system32\dllcache\urlmon.dll
2008-08-21 21:07	755,200	------w	c:\windows\system32\dllcache\VGX.dll
2008-08-21 21:07	193,536	------w	c:\windows\system32\dllcache\msrating.dll
2008-08-21 21:07	18,944	------w	c:\windows\system32\dllcache\corpol.dll
2008-08-21 21:07	116,224	------w	c:\windows\system32\dllcache\occache.dll
2008-08-21 21:07	105,984	------w	c:\windows\system32\dllcache\url.dll
2008-08-21 21:05	70,656	------w	c:\windows\system32\dllcache\mshtmled.dll
2008-08-21 21:05	630,272	------w	c:\windows\system32\dllcache\mstime.dll
2008-08-21 21:05	48,640	------w	c:\windows\system32\PrivacIE.dll
2008-08-21 21:05	48,128	----a-w	c:\windows\system32\mshtmler.dll
2008-08-21 21:05	48,128	------w	c:\windows\system32\dllcache\mshtmler.dll
.
 
------- Sigcheck -------
 
2008-09-13 14:22  361600  cbeebeb899e31ef52b962cb31fc8ca5c	c:\windows\system32\drivers\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-09-22 160592]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-06-24 1840424]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-09-23 21755688]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-07-31 95744]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 2221352]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-08 1234712]
"nwiz"="nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2008-08-21 c:\windows\system32\advpack.dll]
 
c:\documents and settings\admin\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-07-31 656896]
 
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-10-05 295606]
Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"DisableStatusMessages"= 0 (0x0)
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
 
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
 
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll dgznea.dll
 
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Private Proxy Cleanup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Private Proxy Cleanup.lnk
backup=c:\windows\pss\Private Proxy Cleanup.lnkCommon Startup
 
[HKLM\~\startupfolder\C:^Documents and Settings^admin^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\admin\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\IDM Computer Solutions\\UltraEdit\\Uedit32.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
 
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-08 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-08 231704]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - "G:\Install FreeAgent Tools.exe" /run
 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53a92a3e-88ce-11dd-bc40-a92708f9d812}]
\Shell\AutoRun\command - "G:\Install FreeAgent Tools.exe" /run
 
*Newly Created Service* - HELPSVC
.
- - - - ORPHANS REMOVED - - - -
 
BHO-{ECB3930E-8813-B4C0-43D6-A8588D59950B} - c:\windows\system32\lretqnlzrryfl.dll
Notify-yayXnNGW - yayXnNGW.dll
 
 
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\76aifdlf.default\
FF -: plugin - c:\program files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 18:32:36
Windows 5.1.2600 Service Pack 3 NTFS
 
scanning hidden processes ... 
 
scanning hidden autostart entries ...
 
scanning hidden files ... 
 
scan completed successfully
hidden files: 0
 
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\searchindexer.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-11-09 18:36:41 - machine was rebooted
ComboFix-quarantined-files.txt  2008-11-10 02:36:28
 
Pre-Run: 161,574,838,272 bytes free
Post-Run: 163,597,107,200 bytes free
 
303	--- E O F ---	2008-10-25 10:00:19

Asked by lexshine
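The log above contains several classes of item that deserve a second look before calling the box clean: what ComboFix itself deleted (random-named .ini files in system32, a scheduled task), the BITS download source, the removed service, the freshly created folders and executable with generated-looking names under system32 and c:\temp, the extra DLL in AppInit_DLLs, the globally open 3389/TCP firewall rule, and the orphaned BHO. The script below is an added example, not part of the original post and not ComboFix tooling: it parses a constructed excerpt modelled on the posted log (same section banners and column layout), collects those items into a review list, and applies a crude "generated name" heuristic whose thresholds and watched directories are my own assumptions. It produces candidates for a reviewer, not a verdict; legitimate vendor files will trip the name heuristic too.

```python
"""Triage a ComboFix log: collect what ComboFix itself acted on, plus the
autostart, firewall and file-creation entries a reviewer should look at.
Heuristic only: it yields a review list, not a clean/infected verdict."""
import re

# Constructed excerpt modelled on the posted log (banners and columns as ComboFix writes them).
SAMPLE_LOG = r"""((((((((((   Other Deletions   ))))))))))
.
c:\windows\system32\QsrqYcfe.ini
c:\windows\Tasks\gwkavqbi.job
.
----- BITS: Possible infected sites -----
hxxp://niheradomen.com
.
((((((((((   Drivers/Services   ))))))))))
-------\Service_TnIDriver
((((((((((   Files Created from 2008-10-10 to 2008-11-10  ))))))))))
2008-11-09 15:36 . 2008-10-22 16:28    15,504    --a------    c:\windows\system32\drivers\mbam.sys
2008-11-08 22:17 . 2008-11-08 22:17    <DIR>    d--------    c:\windows\system32\sX3i19
2008-11-08 22:17 . 2008-11-08 22:17    79,094    --a------    c:\windows\system32\danurlzwfxhmdufrq.exe
2008-11-09 18:19 . 2008-11-09 18:19    <DIR>    d--------    c:\windows\system32\oobe
((((((((((   Reg Loading Points   ))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll dgznea.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
- - - - ORPHANS REMOVED - - - -
BHO-{ECB3930E-8813-B4C0-43D6-A8588D59950B} - c:\windows\system32\lretqnlzrryfl.dll
"""

# Section banners look like "(((( Name ))))", "----- Name -----" or "- - - Name - - -".
HEADER_RE = re.compile(
    r"^\s*(?:\({3,}|-{3,}|(?:- ){2,})\s*(.+?)\s*(?:\){3,}|-{3,}|(?: -){2,})\s*$")
# "Files Created" rows: created . modified   size|<DIR>   attrs   path
ENTRY_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(<DIR>|[\d,]+)\s+\S+\s+(.+?)\s*$")
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=')
# Parents where a freshly created, oddly named file or folder deserves a look (assumption).
WATCHED_DIRS = {r"c:\windows\system32", r"c:\windows", r"c:\temp"}


def parse_sections(text):
    """Map each banner title to the non-empty lines beneath it.
    ComboFix uses lone '.' lines as spacers; they are dropped."""
    sections, current = {"preamble": []}, "preamble"
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip() and line.strip() != ".":
            sections[current].append(line.rstrip())
    return sections


def looks_random(name):
    """Crude 'generated name' test (assumed thresholds): letters mixed with
    digits, or fewer than 30% vowels. Vendor files such as avgrsstx.dll trip
    it too, which is why the result is only a review list."""
    stem = name.rsplit(".", 1)[0]
    letters = [c for c in stem if c.isalpha()]
    digits = [c for c in stem if c.isdigit()]
    if letters and digits:
        return True
    if not letters:
        return False
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    return vowels / len(letters) < 0.3


def triage(log_text):
    """Return (category, item) pairs worth a reviewer's attention."""
    findings = []
    for title, lines in parse_sections(log_text).items():
        t = title.lower()
        if t == "other deletions":
            findings += [("combofix deleted", ln) for ln in lines]
        elif t.startswith("bits:"):
            findings += [("BITS transfer source", ln) for ln in lines]
        elif t == "drivers/services":
            findings += [("service removed", ln.lstrip("-\\"))
                         for ln in lines if ln.startswith("-------\\")]
        elif t.startswith("files created"):
            for ln in lines:
                m = ENTRY_RE.match(ln)
                if not m:
                    continue
                path = m.group(2)
                parent, _, base = path.rpartition("\\")
                if parent.lower() in WATCHED_DIRS and looks_random(base):
                    kind = "folder" if m.group(1) == "<DIR>" else "file"
                    findings.append(("new %s with generated-looking name" % kind, path))
        elif t == "reg loading points":
            for ln in lines:
                if ln.startswith('"AppInit_DLLs"='):
                    for dll in ln.split("=", 1)[1].split():
                        findings.append(("AppInit_DLLs entry (loaded into every user32 process)", dll))
                pm = PORT_RE.match(ln)
                if pm:
                    findings.append(("firewall: globally open port", pm.group(1)))
        elif t == "orphans removed":
            findings += [("orphan autostart removed", ln) for ln in lines]
    return findings


if __name__ == "__main__":
    for category, item in triage(SAMPLE_LOG):
        print("%-55s %s" % (category, item))
```

Run it against the full log saved from ComboFix (read the file and pass its text to `triage`) and review each line; the firewall and AppInit_DLLs entries are the ones the answer's cleanup script does not address directly.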
 
rpggamergirl commented:
Just some leftovers.

Run ComboFix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
c:\windows\system32\danurlzwfxhmdufrq.exe
c:\windows\system32\dgznea.dll

Folder::
c:\windows\system32\svm
c:\windows\system32\sX3i19
c:\windows\system32\AX5
c:\windows\system32\prt
c:\windows\system32\db
c:\temp\PRE45
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

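A way to confirm that the rerun actually removed what the script targets, added here as an example (not part of the answer and not ComboFix's own tooling): parse the CFScript's `File::` and `Folder::` blocks, report any target that still exists, and report any deleted DLL name that still appears in the AppInit_DLLs registry value, since that value is where dgznea.dll was being loaded from. The sample input is a copy of the script above; the injectable `exists` callable and the optional `winreg` read are my additions.

```python
"""Confirm that the targets of a ComboFix CFScript are gone after the rerun.
Directive blocks ("File::", "Folder::") list one path per line."""
import ntpath
import os
import re

# Copy of the CFScript from the answer above, used here as sample input.
CFSCRIPT = r"""File::
c:\windows\system32\danurlzwfxhmdufrq.exe
c:\windows\system32\dgznea.dll

Folder::
c:\windows\system32\svm
c:\windows\system32\sX3i19
c:\windows\system32\AX5
c:\windows\system32\prt
c:\windows\system32\db
c:\temp\PRE45
"""

DIRECTIVE_RE = re.compile(r"[A-Za-z]+::")


def parse_cfscript(text):
    """Map each directive ("File::", "Folder::", ...) to the paths under it.
    Unknown directives are kept under their own name so nothing is dropped."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DIRECTIVE_RE.fullmatch(line):
            current = line
            entries.setdefault(current, [])
        elif current is not None:
            entries[current].append(line)
    return entries


def still_present(entries, exists=os.path.exists):
    """File::/Folder:: targets that still exist. `exists` is injectable so
    the check can be exercised without touching the disk."""
    targets = entries.get("File::", []) + entries.get("Folder::", [])
    return [p for p in targets if exists(p)]


def appinit_references(appinit_value, deleted_files):
    """Names from the deleted-file list that an AppInit_DLLs value still
    mentions; a stale entry there means the value itself needs cleaning."""
    deleted = {ntpath.basename(p).lower() for p in deleted_files}
    return [d for d in appinit_value.split() if d.lower() in deleted]


def read_appinit_dlls():
    """Read the AppInit_DLLs value under the HKLM Windows NT CurrentVersion
    Windows key; returns '' off Windows or when the value is absent."""
    try:
        import winreg  # Windows only
        key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
            value, _ = winreg.QueryValueEx(k, "AppInit_DLLs")
        return value
    except (ImportError, OSError):
        return ""


if __name__ == "__main__":
    parsed = parse_cfscript(CFSCRIPT)
    for path in still_present(parsed):
        print("still present:", path)
    for dll in appinit_references(read_appinit_dlls(), parsed.get("File::", [])):
        print("AppInit_DLLs still names:", dll)
```

Run it after the reboot that follows the CFScript pass; no output means every listed file and folder is gone and AppInit_DLLs no longer names the deleted DLL.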
 
lexshine (author) commented:
Thanks!
 
rpggamergirl commented:
Glad to know it's resolved.

To uninstall ComboFix:
Go to Start > Run and copy and paste next command in the field:

ComboFix /u

The procedure will delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore and a new restore point will be created.

Thanks for the points and the grade!
 
lexshine (author) commented:
Is it necessary to remove ComboFix, or can I just leave it on the system in case I need it again?

Thanks again.
 
rpggamergirl commented:
Yes, you can leave it on the system. It has an update feature, so the next time you run it, just click OK when prompted for it to be updated.
Thanks, :)
