Tech Support Forum - View Single Post

delongboy · 11-11-2008, 11:06 AM

Here are the combofix results. It did shut down CTFLoader while it was running which caused an error.

ComboFix 08-11-10.01 - kshereba 2008-11-11 12:53:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.424 [GMT -5:00]
Running from: c:\documents and settings\kpenrose\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\__c0017D31.dat
c:\windows\system32\__c004E90D.dat
c:\windows\system32\__c00F9A3C.dat

.
((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.

2008-11-11 08:51 . 2008-11-11 08:51 250 --a------ c:\windows\gmer.ini
2008-11-11 08:11 . 2008-11-11 08:11 <DIR> d-------- c:\program files\Trend Micro
2008-10-30 12:56 . 2008-10-30 12:59 <DIR> d-------- c:\documents and settings\kpenrose\Application Data\.purple
2008-10-29 09:49 . 2008-10-29 09:49 <DIR> d-------- c:\program files\Lavasoft
2008-10-29 09:49 . 2008-10-29 09:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-29 09:24 . 2008-11-11 08:46 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-10-29 09:24 . 2008-11-11 08:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-29 08:33 . 2008-10-29 08:33 <DIR> d-------- c:\program files\Alwil Software
2008-10-24 10:02 . 2008-10-24 13:21 <DIR> d-------- c:\program files\EditPlus 2
2008-10-24 08:49 . 2008-10-24 08:49 754 --a------ c:\windows\WORDPAD.INI
2008-10-21 13:53 . 2008-10-21 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-21 13:05 . 2008-10-21 13:57 <DIR> d-------- c:\documents and settings\kpenrose\Application Data\GetRightToGo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 17:56 --------- d-----w c:\documents and settings\kpenrose\Application Data\OpenOffice.org2
2008-11-11 13:58 --------- d-----w c:\program files\Mozilla Thunderbird
2008-11-10 14:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-10 14:38 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-09-18 16:48 --------- d-----w c:\program files\View22
2008-09-16 18:10 --------- d-----w c:\program files\MSECache
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 c:\windows\stsystra.exe]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\documents and settings\kpenrose\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-04-10 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=

R0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2007-05-23 3456]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-19 78416]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
Notify-__c004E90D - c:\windows\system32\__c004E90D.dat

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\kpenrose\Application Data\Mozilla\Firefox\Profiles\vgi9k061.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 12:57:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\OpenOffice.org 2.4\program\soffice.exe
c:\program files\OpenOffice.org 2.4\program\soffice.bin
c:\program files\AIM6\aolsoftware.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\windows\system32\wbem\wmiadap.exe
c:\windows\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-11-11 13:00:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-11 18:00:50

Pre-Run: 108,174,725,120 bytes free
Post-Run: 108,558,331,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

120 --- E O F --- 2008-10-24 17:12:15

11-11-2008, 11:06 AM	#3 (permalink)
delongboy Registered User Join Date: Nov 2008 Posts: 4 OS: xp pro	Re: Constant Pop ups Here are the combofix results. It did shut down CTFLoader while it was running which caused an error. ComboFix 08-11-10.01 - kshereba 2008-11-11 12:53:17.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.424 [GMT -5:00] Running from: c:\documents and settings\kpenrose\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\system32\__c0017D31.dat c:\windows\system32\__c004E90D.dat c:\windows\system32\__c00F9A3C.dat . ((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 ))))))))))))))))))))))))))))))) . 2008-11-11 08:51 . 2008-11-11 08:51 250 --a------ c:\windows\gmer.ini 2008-11-11 08:11 . 2008-11-11 08:11 <DIR> d-------- c:\program files\Trend Micro 2008-10-30 12:56 . 2008-10-30 12:59 <DIR> d-------- c:\documents and settings\kpenrose\Application Data\.purple 2008-10-29 09:49 . 2008-10-29 09:49 <DIR> d-------- c:\program files\Lavasoft 2008-10-29 09:49 . 2008-10-29 09:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft 2008-10-29 09:24 . 2008-11-11 08:46 <DIR> d-------- c:\program files\Spybot - Search & Destroy 2008-10-29 09:24 . 2008-11-11 08:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-10-29 08:33 . 2008-10-29 08:33 <DIR> d-------- c:\program files\Alwil Software 2008-10-24 10:02 . 2008-10-24 13:21 <DIR> d-------- c:\program files\EditPlus 2 2008-10-24 08:49 . 2008-10-24 08:49 754 --a------ c:\windows\WORDPAD.INI 2008-10-21 13:53 . 2008-10-21 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help 2008-10-21 13:05 . 2008-10-21 13:57 <DIR> d-------- c:\documents and settings\kpenrose\Application Data\GetRightToGo . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-11 17:56 --------- d-----w c:\documents and settings\kpenrose\Application Data\OpenOffice.org2 2008-11-11 13:58 --------- d-----w c:\program files\Mozilla Thunderbird 2008-11-10 14:38 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-11-10 14:38 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint 2008-09-18 16:48 --------- d-----w c:\program files\View22 2008-09-16 18:10 --------- d-----w c:\program files\MSECache . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-25 50528] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-09 2183168] "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "SigmatelSysTrayApp"="stsystra.exe" [2007-04-23 c:\windows\stsystra.exe] c:\documents and settings\Administrator\Start Menu\Programs\Startup\ OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216] c:\documents and settings\kpenrose\Start Menu\Programs\Startup\ OpenOffice.org 2.4.lnk - c:\program files\OpenOffice.org 2.4\program\quickstart.exe [2008-01-21 393216] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-04-10 50688] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"= "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= R0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2007-05-23 3456] R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-07-19 78416] R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560] . - - - - ORPHANS REMOVED - - - - HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe Notify-__c004E90D - c:\windows\system32\__c004E90D.dat . ------- Supplementary Scan ------- . FireFox -: Profile - c:\documents and settings\kpenrose\Application Data\Mozilla\Firefox\Profiles\vgi9k061.default\ . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-11 12:57:00 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\windows\system32\WLTRYSVC.EXE c:\windows\system32\BCMWLTRY.EXE c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe c:\program files\ATI Technologies\ATI.ACE\CLI.exe c:\program files\OpenOffice.org 2.4\program\soffice.exe c:\program files\OpenOffice.org 2.4\program\soffice.bin c:\program files\AIM6\aolsoftware.exe c:\program files\ATI Technologies\ATI.ACE\CLI.exe c:\windows\system32\wbem\wmiadap.exe c:\windows\system32\verclsid.exe . ************************************************************************ . Completion time: 2008-11-11 13:00:55 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-11 18:00:50 Pre-Run: 108,174,725,120 bytes free Post-Run: 108,558,331,904 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 120 --- E O F --- 2008-10-24 17:12:15