Need assistance running ComboFix

A tutorial here:
 
< http://www.bleepingcomputer.com/combofix/how-to-use-combofix >

Thanks aadih...I know how to use it I simply don't know how to read the logs.  My understanding is that you should never use it without assistance with someone that knows how to interpret the outcome.

Did you see anything in the attached logs that show any red flags?

No, I don't see any red-flag items.  Why don't run Combofix and post the log file?

I will tomorrow.  aadith I appreciate your assistance.  What is your experience in reading ComboFix logs?

I have used it several times over the years to fix virus problems that MBAM could not clean.

Here is the ComboFix log.  Looks like it took care of some things but since I can't read it I'm not sure if there is a fix that needs to be run or not.  Thanks for reading it for me and letting me know at your earliest convenience.
Mags
ComboFix-log.txt

Please check the following files (if you recognize them or know the programs that use them):

cvhsvc.exe            
sasdifsv64.sys
a2ddax64.sys            
sftlist.exe            
g2ax_customer_downloadhelper_win32_x86.exe      
nissrv.exe            
wlcrasvc.exe      
hitmanpro37.sys      
gapaengine.dll
chrmstp.exe            
sftvsa.exe            
saskutil64.sys      
ppcrlconfig600.dll            
hpcee.exe

cvhsvc.exe - Client Virtualization Handler - Part of MS Office
sasdifsv64.sys - SUPERAntiSpyware
a2ddax64.sys - Emsisoft
sftlist.exe - Microsoft Application Virtualization Client Service
g2ax_customer_downloadhelper_win32_x86.exe - My remote Go-to-Assist
nissrv.exe - Microsoft Network Inspection System or Microsoft Antimalware
wlcrasvc.exe - Windows Live Mesh Remote Desktop Service or Live Mesh Remote Desktop
hitmanpro37.sys - Hitman Pro
gapaengine.dll - part of Microsoft Network Inspection System
chrmstp.exe - Google Chrome
sftvsa.exe - Microsoft Application Virtualization Virtual Service Agent or Application Virtualization Service Agent
saskutil64.sys - SUPERAntiSpyware
ppcrlconfig600.dll - seems to be an essential system or application file
hpcee.exe - HP - stands for Customer Experience Enhancement

aadih  I really appreciate your help but I have to say I'm a little nervous about your analysis...I've never had to look up files for a diagnosis of the ComboFix Log.  These could be legit files but are they in the right location???

If you don't know how to read or run fixes with ComboFix can you send this to someone who can, such as Sudeep??  Otherwise I think I should request attention or send it over to BleepingComputers.

Let me know...again I appreciate your help and assistance.
Mags

From what I know (from using combofix, not a professional in it) I believe it's clean.

I am sure people with greater expertize will weigh in and help you.

Meanwhile, please re-scan with MBAM.

Thanks...will do.
Again, I appreciate your assistance and expertise.
Mags

In the past, I have used ComboFix without assistance (before there were any warnings not to do so) so continued using it after warnings also and have been able to clean the PC each time without any problems (I do make a restore point before, just in case, but never had to use it).

I have seen ComboFix delete the infected programs (as you can see two programs deleted in your case) and have been helpful in removing some tough infections. I use it only a last resort, however.

But, I am not a professional ComboFix helper.  There are ComboFix-experts in this forum, however; and I do believe they'll hesitate not to offer any help -- if needed -- in less than a "New York Minute."

Good luck.

MagsMcKinley14--
FWIW--gathernetworkinfo.vbs does not seem to be a virus or malware.
http://windows7forums.com/windows-7-support/5649-gathernetworkinfo-vbs.html

http://www.boostbyreason.com/resource-sha1-628b6b4bf3cc7f77578cf3ccfcc587dbf9ec7e07-gathernetworkinfo-vbs.aspx   Do not run Boost.

In any event I would cancel the Scheduled Task to run it.

And in answer to your original question, the bleeping computer people offer to read your ComboFix log.  They also provide a list of other sites that do this near the end of
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Now look what you've done...just kidding!!

I went to BleepingComputer as suggested and just signed up for their Malware Removal Training Program!  I am so excited!!

Maybe when I graduate I'll apply to be an Expert with Experts Exchange!!  You have all been such a help to me!

In the meantime if anyone would be willing to read the ComboFix Log here on Experts Exchange I would greatly appreciate it since I was told by aadih to go ahead and run it.

If not I will jump over to a suggested forum to have them read it...it would just be helpful to me to have someone with EE read it since I have already posted all my logs.

Let me know.

Thanks,
Mags

MagsMcKinley14--Yes, we would be honored to have you join the ranks of E-E Experts.  Here is the Antivirus Support home page.
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/

Going back to your original post, I am looking at all the things you did.  At what point in time did you run ComboFix?

Hi jcimarron
Very last scan...today I ran full MBAM scan as requested - no threats.  Have not done clean up yet...waiting for an all clear!!
Mags

PS  Thanks for your encouragement!!

I believe your PC is clean.  

Let's know, however, if you find anything to the contrary.

MagsMcKinley14--While no expert, I agree with aadih .  That is why I asked when you ran ComboFix.  I suspect you had gotten rid of the baddies before then from running all the other scans.

Mags
did you run any crack for any software recently?

Hi Mohammed,
Sorry if I don't know the lingo...what do you mean by "run any crack for any software recently?"  Thanks for chiming in!

I will do cleanup tomorrow unless anyone thinks otherwise.
Thanks,
Mags

I think you had a trojan or something like that by looking at your combofix log. the registry seems to had Iflashbroker which is mostly reported as a part of trojan/hacking tool or virus.. Probably it's a left over since you ran combofix.
Try to check your registry if it's still there. create a restore point and backup the registry before you go on and delete it.

Check malwarebytes.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"

Thanks...I'll take a look.

Mohammed I found [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] but was denied deleting it.  IFlashBroker5 was part of it...was that the only part I should have attempted to delete or the entire registry entry?
Thanks,
Mags

Right click on the key and change permissions (to everyone).  Then delete the entire key.

Also delete {6AE38AE0-750C-11E1-B0C4-0800200C9A66} from HCR/CLSID if it exists there.

[Caution: Make a restore point before making any registry changes.]

I believe you can delete it in safe mode if the permission changing as Aadih mentioned didn't work.

But before deleting the key make sure you export it. just as a backup procedure.

Thanks...I already backed it up...I will start her computer in Safe Mode tomorrow and try.
Mags

Okay...went into safe mode and still got the message "Cannot delete - Error while deleting key.  I believe I have Permissions set correctly to allow.  Do I?


Also what is ANONYMOUS LOGON?  CREATOR OWNER??

Just curious...I have a similar entry on my computer with the Data being IFlashBroker4.  Should I be concerned??  I do not believe I have had any malware on this computer.

I have the same key as well but I don't have anonymous. from what I can tell this reg key is there by default and it belongs to the registry to some kind of COM interface which provides windows with services.

Microsoft provided a very brief explanation about it here
http://msdn.microsoft.com/en-us/library/ee487925.aspx

This link provide good and comprehensive and by reading part of it I can tell that it might be a trojan which has loaded a service on the PC.

http://www.codeproject.com/Articles/1265/COM-IDs-Registry-keys-in-a-nutshell


I'm not sure how much are you familiar with Windows Services but looking at the services console you could probably tell if you have any weird services running there? This might explain why you can't delete the reg key.

If you would like to continue further with this, please follow the steps in the below Link and provide your logs here to investigate.

http://forums.malwarebytes.org/index.php?showtopic=115198

And here is how to remove a "weird" service:

< http://antivirus.about.com/od/securitytips/ht/how-to-delete-windows-service.htm >

Hi moh10ly ANONYMOUS LOGON and CREATOR OWNER seem to be associated only with the registry entry we are trying to delete.

I glanced at services but do not know them well enough to know if something is incorrect.

I followed your Malwarebytes link and since I have already run ComboFix and RogueKiller I have run OTL and am attaching the logs.  I did not run the scan with custom settings since it seemed specific to their issues and not mine.  I only customize things when specifically asked...let me know.

{6AE38AE0-750C-11E1-B0C4-0800200C9A66}  was not included in HCR/CLSID
Thank you,
Mags
OTL.Txt
Extras.Txt

Hello...is anyone available to read the OTL logs?
Should I be concerned about ANONYMOUS LOGON and CREATOR OWNER swhich seem to be associated only with the registry entry we are trying to delete - [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]?
Thanks a million!
Mags

Mags,

This is the first I've seen this question.  I am definitely not a combofix logs reader.  But have you run chameleon (from MBAM) in safemode with networking?

Follow the instructions on the following page (even though they are not for the specific problem you are having)

http://forums.malwarebytes.org/index.php?showtopic=125373

Good luck!

SRV - [2010/10/12 11:59:12 | 000,206,072 | ---- | M] (WildTangent, Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe -- (GamesAppService)

Wild Tangent is something that I don't like. But I see that it is part of the HP suite of products.

I'd be tempted to do a  (from an elevated command prompt)
sc delete GamesAppService
and delete the WildTangent Games folder
But that is just me.. Wild Tangent has a bad reputation.  Same with removng ASK.com from the search providers.

Are you still having the msconfig problem?



Also what is ANONYMOUS LOGON?  CREATOR OWNER??
Just curious...I have a similar entry on my computer with the Data being IFlashBroker4.  Should I be concerned??  I do not believe I have had any malware on this computer.

No don't be concerned about these security entries they are a  normal local account.

I am of the same mind when it comes to WildTangent.  If you can get it off the machine the owner will be better off.  Also get rid of any BHOs (like ask.com toolbar) that the user does not use.

Thanks for the suggestions...I will set up a time to access her computer.  

They like to play solitaire and some other games that came with the computer will deleting GamesAppService and the WildTangent Games folder cause an issue with that?  If never worked with these.

I suggest deleting WildTangent anyway and have them get the games elsewhere.  I don't see if you said this was a Windows 7 machine (sorry if I missed that), but if so, WildTangent is not needed for the games that come with win7.  As for GamesAppService - I have no idea.  Is this an OEM model (sounds like it)?  If so, getting rid of the OEM add ons is a must.

I'm not sure where to start.
I clean up lots of computers (almost all of them successfully).  Rarely, if ever, do I have to resort to reading logs.  That's more an exercise in inefficiency if you don't know how or what to do with the results.
But, on rare occasion, I've manually removed things that were reported by some tools.
Rarely do I resort to reinstalling Windows (under 5% of cases).

In a small number of cases one can find out what the parasite is and can find a reputable removal tool that's targeted to that parasite.  
There are some peripheral fixit tools that rather fall into this category that restore Start menus, desktop icons, etc.

I would suggest that NO scanner can find everything.  So, keep a bunch of good ones available.

You might do things in this orderr:

CCleaner / cleaner to get rid of temporary files where parasistes often lurk.

Malwarebytes.  If a Quick Scan reveals nothing then you might be done.
If a Quick Scan reveals anything then a Full Scan is indicated.
And, as above, it may mean nothing has been solved.
I'm much more comfortable when it finds and removes things.

HiJack This! is good for generaly cleanup.  I don't know that I've every actually pinpointed a parasite with it.  But, I've become rather skilled in being very aggressive in removing things without breaking anything.  I don't view it as very important to this discussion.

SuperAntispyware.

Trojan Remover.

RogueKiller from Tigzy I've been using more often and believe it to be pretty effective.  It appears you haven't run this and I would suggest it.

I will use Combofix wihout advice or special scripts when I'm feeling adventurous and a bit stymied.  After all, if one is going to be faced with reinstalling Windows as a next step, then what's to lose?  It's never broken anything anyway that I know of.

When you *think* the computer is clean then you want to ask: "Is it?"
- Does Internet Explorer get you to Windows Updates?  This is often blocked by parasites.
- Do browsers go where they're supposed to go directly without any redirection?  (Sometimes it takes patience here to uncover strange behavior).
- Does anything else strange continue to happen?
I can't say I'm 100% satisfied with these "tests" but it's the best I know to do and it seems to be effective.  I don't get callbacks.

I have found that the ESET online scanner will find things that others don't.  So, when I'm "nervous" about the state of cleanup, I will use it.

Then, in the end, uninstall the tools and installl a good program to protect the computer, update it (no, a new install does not necessarily also update the signatures, etc.).  Run a full scan with it.  Since Norton was disabled, I'd remove it and install something else to avoid damaged Norton elements.

CCleaner registry cleaner to clean up in the end.

In my experience, infected computers result from:
- out-of-date protection programs!!  Some people just don't get that they have to be current.  This includes using old versions of the programs even if they are "fully" updated (re: signatures, etc.).
- User habits.  Adventurous users cause more problems than anything else on computers that are "protected".  No protection is perfect.
- There are plenty of guides on safe / safer practices.
- In some cases, using Parental Controls or the equivalent that is password protected FROM the User is necessary for longevity of cleanliness.

Although fmarshall makes some very good points.  Some things though you need to be very careful of.  For instance, CCleaner is an excellent tool. but is dangerous to use if you don't know what is hitting the computer.  Some of the more recent (past 18 months) malware moves necessary system files and user documents to the temp directory, so running CCleaner using defaults might cause even more damage.  You should definitely check out and completely read this article:

http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html

Also, Most of my extensive collection of tools are portable - they run from a stick which is write protected.  This is important since sometimes you are going to try and recover a file and you don't want to overwrite it with a new install.  Also some malware won't let you install new software.

I have found that SuperAntiSpyware tends to miss more than MBAM.  And Chameleon from MBAM is a combination of Roguekiller and MBAM like a dynamic duo.  I have yet to come up against a problem that can't be beat with Chameleon and a few other tools , depending on the type of infection.

Fmarshall is correct about protecting the computer from the user.  There is very little you can do if the user starts clicking links in their email.

tzucker thanks for the info...I think I will try it on one of my machines first.

fmarshall thank you for your info...I follow most of the same procedures you have listed...I think you are right about ComboFix so I appreciate that.

I do have one question for you in regards to running CCleaner first.  I use to do that all the time but then read in several places it should only be done once you believe the computer is clean.  I'm not sure where I read that, just now tried to look it up and couldn't find it.  I would appreciate your input on running CCleaner at the beginning of the cleanup process.

Thanks,
Mags

As I said, I would definitely no run it first.  I too would be interested in fmarshall's reasoning - I'm always open to new ideas.

The other approach would be to delete the temp files.  If you're concerned about that then maybe not.  Historically, the temp files have held parasites.

I very much appreciate the sites that provide help.  But having been rejected as a trainee, I'm a bit put off.
I have NO idea what they are doing except at a very high level - i.e. "here, run this script" isn't very informative.
It can take days and days to get satisfaction and one must have access to the infected computer all the while.  Often this isn't practical.
So I feel compelled to do it myself.

Fmarshall,

I too was put off by Majorgeeks when I inquired about doing exactly what I do here, there.  That's alright, in that I like the format better here.  Do it yourself is generally the best way to go about things, as long as you are informed, which doesn't seem to be a problem in this instance.

Most users and technicians really have very little idea of the best way to go about getting rid of the newest variants.

A little reading on their part can go a long way.  I'm generally the go-to person in my institution when it comes to windows infections, fortunately or unfortunately.  This means I spend a lot of time do virtually the same thing over and over again.  I've gotten pretty good at it and I now have a standing policy - if their computing environment/computer does not meet my requirements, I won't even touch their machine.

Although it has changed somewhat, my policy is still pretty much what you see here.

Hey Sudeep thanks for chipping in...I installed EmsisoftEmergencyKit and have used it effectively on several computers...it was recommended to me by an expert here on EE.  Still need for concern??  Thanks for taking a look at the ComboFix log.

I will be on my clients computer tomorrow and post you up.

Hi Sudeep, I applied the fix, attached is the log.  The unusual thing is now when she opens up Windows Live mail she can see her mail but there is no message in the body of the email.  I do not have a system restore point to go back to.  Please advise.
Mags
06262013-143648.log

Sudeep since I didn't hear back I simply updated WLM and deleted and readded her email account.  She is good to go unless you see something in the log I sent.
Thanks,
Margaret

Thanks...will do...I will let you know when finished!
Thanks,
Mags

Finished...not sure what happened to Windows Live Mail but I got it working.

Thanks Sudeep for reading the logs...I'm not sure what happened to WLM but all seems to be resolved.