Quote:
Originally Posted by sUBs
Please run ComboFix from safe mode.
If fortune ever permits, I will buy you all the beer you can hold. Thank you very much for your patience. I ran ComboFix and it performed pretty much like the bleepingcomputer instructions, with a couple of exceptions. I initially ran it with COMODO totally off and using an administrative id. I clicked on the ComboFix icon and it took right off. I got an 'installation failed' message, probably from the Windows executable not executing. ComboFix continued. It backed up 3 registry entries. Another message received: 'you do not appear to be connected to the internet'. I assume the network isn't available in safe mode? Another message: 'failed to d/l files', but the program continued.
It then went through a series of stages and deleted a bunch of dll files etc. It continued running ok until ComboFix rebooted Windows. I assumed at that point that it was done, so I entered my user id under the Windows logon screen. This resulted in 16 lines of 'access denied'. Also, my firewall, COMODO, turned back on. (I'm not sure how I could have prevented this unless logging on with my id was responsible.) I then got a series of error messages such as 'nircmd.com not recognizable as an internal or external command' and a couple of other similar errors. Then it wrote the log file, which I've pasted here and included as an attachment. I DO want to thank you profusely for your time and patience.
JJ Rooney
ComboFix 08-12-11.05 - James 2008-12-12 17:13:18.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.808 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\winlogon.exe
c:\program files\Microsoft Common
c:\windows\Downloaded Program Files\setup.inf
c:\windows\SNMPAPI.DLL
c:\windows\system32\abzzir.dll
c:\windows\system32\bmnrbrkwnogood.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\GiknTBeg.ini
c:\windows\system32\GiknTBeg.ini2
c:\windows\system32\GiknxTBeg.ini
c:\windows\system32\GiknxTBeg.ini2
c:\windows\system32\hgPoXyxx.ini
c:\windows\system32\hgPoXyxx.ini2
c:\windows\system32\hlhpcqvu.dll
c:\windows\system32\hoiiljvmnogood.dll
c:\windows\system32\konxstwq.dll
c:\windows\system32\lvvoluhw.dll
c:\windows\system32\mybvdbsr.dll
c:\windows\system32\packet.dll
c:\windows\system32\qxjbgy.dll
c:\windows\system32\sjypynnogood.dll
c:\windows\system32\szqldx.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSrsvd.dat
c:\windows\system32\TDSStkdv.log
c:\windows\system32\WanPacket.dll
c:\windows\system32\win32.dll
c:\windows\system32\wlqiwk.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\xxyXoPgh.dll
----- BITS: Possible infected sites -----
hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_NPF
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.
2008-12-12 10:34 . 2008-12-12 10:48 <DIR> d-------- C:\32788R22FWJFW.3.tmp
2008-12-11 17:09 . 2008-12-12 10:34 <DIR> d-------- C:\32788R22FWJFW.2.tmp
2008-12-11 17:08 . 2008-12-11 17:09 <DIR> d-------- C:\32788R22FWJFW.1.tmp
2008-12-11 17:06 . 2008-12-11 17:08 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2008-12-11 11:37 . 2008-12-11 11:37 147,192 --a------ c:\windows\system32\guard32.dll
2008-12-11 11:29 . 2008-12-12 17:26 2,148 --a------ c:\windows\system32\wpa.dbl
2008-12-10 14:08 . 2008-12-10 14:08 120 --ahs---- c:\windows\system32\wkrbrnmb.ini
2008-12-10 11:45 . 2008-12-12 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\_comodo_
2008-12-10 09:26 . 2008-12-10 13:56 <DIR> d-------- c:\program files\AskBarDis
2008-12-10 09:26 . 2008-12-10 09:26 249,592 --a------ c:\windows\system32\cssdll32nogood.dll
2008-12-10 09:25 . 2008-12-10 09:26 <DIR> d-------- c:\program files\COMODO
2008-12-10 09:25 . 2008-12-10 09:25 147,192 --a------ c:\windows\system32\guard32nogood.dll
2008-12-10 09:25 . 2008-12-10 09:25 101,776 --a------ c:\windows\system32\drivers\cmdguard.sys
2008-12-10 09:25 . 2008-12-10 09:25 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-12-10 09:02 . 2008-12-10 09:02 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-03 17:31 . 2008-12-10 12:54 250 --a------ c:\windows\gmer.ini
2008-12-03 17:00 . 2008-12-03 17:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-02 18:04 . 2008-12-02 18:04 6,144 --ahs---- c:\windows\system32\Thumbs.db
2008-12-02 13:48 . 2008-12-02 13:48 41,122,448 --a------ C:\docs.ZIP
2008-12-02 13:46 . 2008-12-02 13:46 66,972,789 --a------ C:\spreadsheets.ZIP
2008-12-02 13:38 . 2008-12-11 12:13 <DIR> d-------- C:\Aereon
2008-12-02 11:15 . 2008-12-10 15:57 2,206 --a------ c:\windows\system32\wpanogood.dbl
2008-12-01 11:48 . 2008-12-01 11:48 59,392 --a------ c:\windows\system32\sv¤shost.exe
2008-12-01 11:23 . 2008-12-02 18:04 11,776 --ahs---- c:\windows\Thumbs.db
2008-11-26 16:49 . 2008-11-26 16:49 <DIR> d--h----- c:\program files\Zero G Registry
2008-11-26 16:48 . 2008-11-26 16:48 <DIR> d--h----- c:\documents and settings\John\InstallAnywhere
2008-11-26 11:44 . 2008-12-01 11:41 <DIR> d-------- c:\program files\QUAD Utilities
2008-11-20 18:05 . 2008-11-20 18:05 <DIR> d-------- c:\program files\NPR_Radio
2008-11-20 18:05 . 2008-11-20 18:05 <DIR> d-------- c:\program files\Conduit
2008-11-20 12:04 . 2008-11-20 12:04 <DIR> d-------- c:\windows\system32\Adobe
2008-11-19 11:05 . 2008-11-19 11:05 <DIR> d-------- c:\documents and settings\John\Application Data\Macrovision
2008-11-19 11:05 . 2008-11-19 11:05 <DIR> d-------- c:\documents and settings\John\Application Data\Business Objects
2008-11-19 10:57 . 2008-11-19 10:57 <DIR> d-------- c:\program files\Business Objects
2008-11-19 10:57 . 2008-11-19 10:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2008-11-13 18:21 . 2008-11-13 18:21 14,336 --ahs---- C:\Thumbs.db
2008-11-12 14:29 . 2008-11-12 14:29 <DIR> d-------- c:\documents and settings\John\Application Data\Nvu
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 21:53 --------- d-----w c:\documents and settings\John\Application Data\Canon
2008-12-10 16:46 --------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2008-12-10 14:14 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-10 14:02 --------- d-----w c:\program files\Symantec
2008-12-10 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-03 15:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 22:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 22:47 --------- d-----w c:\documents and settings\John\Application Data\PC Tools
2008-12-02 20:33 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-02 19:58 --------- d-----w c:\program files\Text2PDF v1.5
2008-12-02 19:57 --------- d-----w c:\program files\Opera
2008-12-02 19:37 --------- d-----w c:\program files\FileMaker
2008-12-02 19:35 --------- d-----w c:\program files\Canon
2008-12-02 19:33 --------- d-----w c:\program files\Acro Software
2008-12-02 16:46 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-02 16:45 --------- d-----w c:\program files\SDM
2008-12-02 16:45 --------- d-----w c:\program files\MSNStockQuote
2008-12-02 16:45 --------- d-----w c:\program files\Money Manager Ex
2008-12-02 16:45 --------- d-----w c:\program files\Modem On Hold
2008-12-02 16:45 --------- d-----w c:\program files\DivX
2008-12-02 16:45 --------- d-----w c:\program files\ASAP Utilities
2008-12-02 14:44 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-07 16:33 --------- d-----w c:\documents and settings\John\Application Data\SpywareBot
2008-11-07 16:33 --------- d-----w c:\documents and settings\John\Application Data\AdwareAlert
2008-11-07 15:45 --------- d-----w c:\program files\Lavasoft
2008-11-07 15:45 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-06 16:23 --------- d-----w c:\program files\System Explorer
2008-11-06 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\SystemExplorer
2008-11-06 15:45 --------- d-----w c:\program files\Common Files\Adobe
2008-11-05 16:25 --------- d-----w c:\program files\directx
2008-10-31 21:33 253,139 ----a-w c:\windows\PDFCreator_Toolbar_Uninstaller_4093.exe
2008-10-31 21:33 --------- d-----w c:\program files\PDFCreator Toolbar
2008-10-31 21:30 --------- d-----w c:\documents and settings\John\Application Data\EssentialPIM
2008-10-29 21:12 --------- d-----w c:\documents and settings\John\Application Data\Move Networks
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-02-07 22:34 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-09-13 15:36 498 ----a-w c:\program files\Setup.log
2007-08-03 15:23 1,308,216 ----a-w c:\documents and settings\johnrooney\HiJackThis_v2.exe
2006-10-16 23:12 167,936 ----a-w c:\documents and settings\johnrooney\StartupList.exe
2008-09-11 17:03 177,289,248 --sha-w c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F2C96FF5-E7BD-4FC5-9B71-1D3BD0B6BF82}"= "c:\program files\NPR_Radio\tbNPR_.dll" [2008-09-15 1784856]
[HKEY_CLASSES_ROOT\clsid\{f2c96ff5-e7bd-4fc5-9b71-1d3bd0b6bf82}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTEMON.EXE"="/h" [X]
"LWBMOUSE"="c:\program files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-25 429568]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-08-16 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-12-10 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2008-12-10 1797880]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALuNotify.exe" [2007-08-23 152952]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPBBCSvc"=3 (0x3)
"GBPoll"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"WinDefend"=2 (0x2)
"iPod Service"=3 (0x3)
"aawservice"=2 (0x2)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"igfxpers"=c:\windows\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\pvsw\\bin\\w3dbsmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-12-10 101776]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-12-10 31504]
S1 is-LBCUQdrv;is-LBCUQdrv;c:\windows\system32\drivers\33125180.sys []
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2006-08-10 8192]
S3 AdWatchDrv;AW Realtime Driver;\??\c:\windows\system32\drivers\AWRTPD.sys []
S3 RFKEBZTKRMSCW;RFKEBZTKRMSCW;c:\docume~1\John\LOCALS~1\Temp\RFKEBZTKRMSCW.exe [2008-12-01 375680]
S4 is-LBCUQ;is-LBCUQ;"c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-LBCUQ\is-LBCUQ.exe" -r []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2008-11-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []
2008-11-28 c:\windows\Tasks\Ace Optimizer Maintenance.job
- c:\program files\Ace Utilities\au.exe []
2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -
BHO-{135257FB-11BE-41BC-97F4-354D58F4605A} - c:\windows\system32\xxyXoPgh.dll
BHO-{475D5825-3965-40F7-AF10-0F9C5BDFD691} - (no file)
BHO-{e495c978-0753-4f59-a0fe-b76a75d0b9a3} - (no file)
Notify-yayabYqQ - yayabYqQ.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comodo.com/search/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: {76C90D90-3D80-4431-B12C-DB5B1C6C24AD} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\fxk1j1fi.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10587&gct=&gc=1&q=
FF - plugin: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\fxk1j1fi.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(3096)
c:\program files\Browser Mouse\Browser Mouse\1.0\MOUSEDLL.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [624]
??\c:\windows\system32\csrss.exe [688]
??\c:\windows\system32\winlogon.exe [712]
c:\windows\system32\services.exe [756]
c:\windows\system32\lsass.exe [768]
c:\windows\system32\svchost.exe [924]
c:\windows\system32\svchost.exe [988]
c:\windows\System32\svchost.exe [1084]
c:\windows\system32\svchost.exe [1148]
c:\windows\system32\svchost.exe [1284]
c:\windows\system32\LEXBCES.EXE [1356]
c:\windows\system32\spoolsv.exe [1388]
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [1520]
c:\windows\System32\svchost.exe [1632]
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [1656]
c:\windows\System32\svchost.exe [1696]
c:\windows\system32\srvany.exe [1776]
c:\pvsw\bin\w3dbsmgr.exe [1788]
c:\windows\System32\svchost.exe [1796]
c:\windows\system32\svchost.exe [1924]
c:\program files\Windows Media Player\WMPNetwk.exe [560]
c:\windows\System32\alg.exe [2508]
c:\windows\system32\CF3023.exe [3584]
c:\program files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe [3748]
c:\windows\system32\hkcmd.exe [3764]
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe [3856]
c:\program files\COMODO\SafeSurf\cssurf.exe [3872]
c:\program files\Symantec\LiveUpdate\ALuNotify.exe [3960]
c:\windows\system32\wuauclt.exe [1936]
c:\windows\system32\msiexec.exe [196]
c:\windows\system32\wbem\wmiprvse.exe [2896]
c:\windows\system32\wuauclt.exe [3304]
c:\windows\explorer.exe [3096]
c:\combofix\catchme.cfexe [3484]
.
**************************************************************************
.
Completion time: 2008-12-12 17:31:59 - machine was rebooted [John]
ComboFix-quarantined-files.txt 2008-12-12 22:31:42
Pre-Run: 52,038,922,240 bytes free
Post-Run: 51,069,366,272 bytes free
293 --- E O F --- 2008-12-12 22:31:01