When I first went to run ComboFix, it got to the point where it said it was generating the report and then hung up there. I'm not sure what exactly happened, but I re-ran it and here are the results (I'll put the latest HijackThis results in a different post):
ComboFix 08-11-04.02 - Owner 2008-11-04 21:10:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.916 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Other People\Cookies\butodix.inf
c:\documents and settings\Other People\Cookies\yhymojur.vbs
c:\documents and settings\Other People\Start Menu\Programs\AntiSpywareXP2009
c:\documents and settings\Other People\Start Menu\Programs\AntiSpywareXP2009\AntiSpywareXP2009.lnk
c:\documents and settings\Other People\Start Menu\Programs\AntiSpywareXP2009\Uninstall.lnk
c:\documents and settings\Owner\Cookies\fycuhuh.inf
c:\program files\AntiSpywareXP2009
c:\program files\AntiSpywareXP2009\AntiSpywareXP2009.cfg
c:\program files\AntiSpywareXP2009\AntiSpywareXP2009.exe
c:\program files\AntiSpywareXP2009\data\daily.cvd
c:\program files\AntiSpywareXP2009\htmlayout.dll
c:\program files\AntiSpywareXP2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\AntiSpywareXP2009\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\AntiSpywareXP2009\pthreadVC2.dll
c:\program files\AntiSpywareXP2009\Uninstall.exe
c:\program files\Internet Explorer\msimg32.dll
C:\resycled
c:\windows\brastk.exe
c:\windows\system32\_desktop.ini
c:\windows\system32\brastk.exe
c:\windows\system32\cpmsky-uninst.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\drivers\_desktop.ini
c:\windows\system32\drivers\TDSSifqw.sys
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\TDSSarjc.dll
c:\windows\system32\TDSSghim.dll
c:\windows\system32\TDSSklfy.dll
c:\windows\system32\TDSSlonv.dat
c:\windows\system32\TDSSlxhc.dll
c:\windows\system32\TDSSnjpt.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSntbr.log
c:\windows\system32\TDSSoiqh.dll
c:\windows\system32\TDSSoiwg.dll
c:\windows\system32\TDSSvubg.log
c:\windows\system32\TDSSwrln.dll
c:\windows\system32\wini108015.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_TDSSSERV.SYS
-------\Service_TDSSSERV.SYS)
-------\Legacy_TDSSSERV.SYS)
-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService
((((((((((((((((((((((((( Files Created from 2008-10-05 to 2008-11-05 )))))))))))))))))))))))))))))))
.
2008-11-03 21:18 . 2008-11-03 21:41 <DIR> d-------- C:\rsit
2008-11-03 21:18 . 2008-11-03 21:18 <DIR> d-------- c:\program files\trend micro
2008-10-26 18:09 . 2008-10-26 18:09 19,380 --a------ c:\windows\fugenit.reg
2008-10-26 18:09 . 2008-10-26 18:09 19,349 --a------ c:\documents and settings\All Users\Application Data\isoluwav.bin
2008-10-26 18:09 . 2008-10-26 18:09 18,904 --a------ c:\windows\enys.bin
2008-10-26 18:09 . 2008-10-26 18:09 18,887 --a------ c:\program files\Common Files\ififezoxo.sys
2008-10-26 18:09 . 2008-10-26 18:09 18,203 --a------ c:\windows\kulybiqi.pif
2008-10-26 18:09 . 2008-10-26 18:09 17,625 --a------ c:\program files\Common Files\pesykacu.exe
2008-10-26 18:09 . 2008-10-26 18:09 17,110 --a------ c:\windows\ymym.bat
2008-10-26 18:09 . 2008-10-26 18:09 16,138 --a------ c:\windows\kozizoha._dl
2008-10-26 18:09 . 2008-10-26 18:09 15,369 --a------ c:\windows\system32\dywumap.com
2008-10-26 18:09 . 2008-10-26 18:09 14,491 --a------ c:\windows\system32\nolukywoje.pif
2008-10-26 18:09 . 2008-10-26 18:09 14,388 --a------ c:\windows\system32\muribud.scr
2008-10-26 18:09 . 2008-10-26 18:09 14,254 --a------ c:\windows\akifonuh.com
2008-10-26 18:09 . 2008-10-26 18:09 14,014 --a------ c:\windows\codutaruq.vbs
2008-10-26 18:09 . 2008-10-26 18:09 10,138 --a------ c:\windows\ytegico.scr
2008-10-26 13:43 . 2008-10-26 20:25 <DIR> d-------- c:\program files\Enigma Software Group
2008-10-26 08:16 . 2008-10-26 08:16 <DIR> d-------- c:\program files\Common Files\Download Manager
2008-10-25 20:57 . 2008-11-03 20:46 <DIR> d-------- c:\documents and settings\Other People\Incomplete
2008-10-25 11:15 . 2008-10-25 11:15 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
2008-10-25 10:53 . 2008-10-25 10:53 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-25 10:52 . 2008-10-25 11:23 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-25 10:32 . 2008-10-25 10:32 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-10-24 21:35 . 2008-10-24 21:35 <DIR> d-------- c:\program files\filehippo.com
2008-10-24 16:08 . 2008-10-15 11:34 337,408 --a------ c:\windows\system32\SET1E.tmp
2008-10-24 16:08 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-24 16:06 . 2008-10-24 16:06 19,968 --a------ c:\windows\system32\nalymi.lib
2008-10-24 16:06 . 2008-10-24 16:06 18,479 --a------ c:\documents and settings\All Users\Application Data\ramyxy.bin
2008-10-24 16:06 . 2008-10-24 16:06 17,853 --a------ c:\windows\qidybylo.bin
2008-10-24 16:06 . 2008-10-24 16:06 17,190 --a------ c:\windows\system32\fivacevo.lib
2008-10-24 16:06 . 2008-10-24 16:06 15,624 --a------ c:\windows\agaloxyl.reg
2008-10-24 16:06 . 2008-10-24 16:06 14,784 --a------ c:\program files\Common Files\cylulimy.bin
2008-10-24 16:06 . 2008-10-24 16:06 14,364 --a------ c:\windows\vipyxewubi._sy
2008-10-24 16:06 . 2008-10-24 16:06 12,899 --a------ c:\windows\izegip.bin
2008-10-24 16:06 . 2008-10-24 16:06 11,954 --a------ c:\windows\ziveqy.bin
2008-10-14 15:26 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-10-14 15:26 . 2008-09-08 05:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-10-14 15:25 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 15:25 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 15:25 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 15:25 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-11 13:46 . 2008-10-11 13:48 587 --a------ c:\windows\system32\runrefog.lnk
2008-10-08 22:54 . 2008-10-08 22:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Viewpoint
2008-10-07 05:12 . 2006-07-05 06:56 113,065 --a------ c:\windows\system32\msjava32.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-05 02:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-03 21:57 --------- d-----w c:\documents and settings\Other People\Application Data\Apple Computer
2008-10-30 19:22 --------- d-----w c:\documents and settings\Owner\Application Data\spam drive copy
2008-10-26 23:09 18,841 ----a-w c:\program files\Common Files\gyfijydo.db
2008-10-26 13:37 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-24 21:06 11,028 ----a-w c:\program files\Common Files\cadimi._sy
2008-10-23 20:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-23 20:13 --------- d-----w c:\program files\Philips
2008-10-23 20:06 --------- d-----w c:\program files\Atari
2008-10-23 20:03 --------- d-----w c:\program files\Red Storm Entertainment
2008-10-23 20:03 --------- d-----w c:\program files\GameSpy Arcade
2008-10-23 19:56 --------- d-----w c:\program files\Sierra
2008-10-23 18:26 --------- d-----w c:\program files\eMachineShop
2008-10-20 20:37 30 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2008-09-24 23:43 --------- d-----w c:\program files\Acoustic Labs Audio Editor (Demo)
2008-09-23 22:20 --------- d-----w c:\program files\MSECache
2008-09-23 21:22 --------- d-----w c:\program files\Ascentive
2008-09-23 21:20 --------- d-----w c:\documents and settings\All Users\Application Data\SKL
2008-09-23 21:17 --------- d-----w c:\program files\Common Files\Sony Shared
2008-09-23 07:00 --------- d-----w c:\program files\MSXML 4.0
2008-09-22 14:36 --------- d-----w c:\program files\HP PhotoSmart Printers
2008-09-22 00:59 --------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2008-09-22 00:58 --------- d-----w c:\documents and settings\Owner\Application Data\acccore
2008-09-22 00:57 --------- d-----w c:\program files\Viewpoint
2008-09-22 00:57 --------- d-----w c:\program files\AIM6
2008-09-22 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-09-22 00:57 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-09-22 00:56 --------- d-----w c:\program files\Common Files\AOL
2008-09-22 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-26 17:57 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-06-11 16:37 374 ----a-w c:\documents and settings\Owner\Application Data\internaldb6334.dat
2007-06-10 23:24 538 ----a-w c:\documents and settings\Owner\Application Data\internaldb8467.dat
2007-06-10 23:24 18,432 ----a-w c:\documents and settings\Owner\Application Data\internaldb41.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-06 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2008-02-13 684032]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-19 266497]
"DXM6Patch_9904"="c:\windows\p_9904.exe" [1999-07-27 946448]
"QuickTime Task"="c:\my documents\QTTask.exe" [2008-05-27 413696]
c:\documents and settings\Owner\Start Menu\Programs\Startup\
RollerCoaster Tycoon 3 Registration.lnk.disabled [2008-03-08 1478]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.MJPG"= m3jpeg32.dll
"vidc.dmb1"= m3jpeg32.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sierra On-Line\\SIGSPat.exe"=
"c:\\Program Files\\Comcast Rhapsody\\rhapsody.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Atari\\RollerCoaster Tycoon 3 Platinum\\RCT3plus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\WarCommander\\WarCommander.exe"=
"c:\\Program Files\\Red Storm Entertainment\\Force 21\\Force21.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\system32\\sessmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDCNDIS5.sys [2006-08-17 19072]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2006-08-17 20608]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\Ndisprot.sys [2008-10-25 27904]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73722e53-03de-11dd-82cb-0008a11ee0ee}]
\Shell\AutoRun\command - E:\RCAMemoryMgr.exe
\Shell\Manage your videos\command - E:\RCAMemoryMgr.exe
.
Contents of the 'Scheduled Tasks' folder
2008-11-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
HKU-Default-Run-brastk - c:\windows\system32\brastk.exe
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3ou6t0z9.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.verizon.net/central/vzc.portal
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-11-04 21:12:29
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-11-04 21:14:21
ComboFix-quarantined-files.txt 2008-11-05 02:14:15
Pre-Run: 53,382,979,584 bytes free
Post-Run: 53,370,261,504 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
244 --- E O F --- 2008-10-15 07:04:43