Below is a log from my ComboFix scan - I have infections in .dll files - how do I get them 'resolved'?

ComboFix 09-11-29.02 - Administrator 11/29/2009 18:08.1.1 - x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.255.154 [GMT -5:00]
Running from: c:\windows\TEMP\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ac3_0010.exe
C:\mte3ndi6odoxng.exe
c:\progra~1\COMMON~1\{28301~1
c:\progra~1\COMMON~1\{38301~1
c:\program files\deskbar
c:\program files\deskbar\inst.bat
c:\program files\internet optimizer
C:\rdfx4.exe
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\nem220.dll
c:\windows\smdat32a.sys
c:\windows\smdat32m.sys
c:\windows\start.exe
c:\windows\system32\clrviddc.dll
c:\windows\uninst2.htm
c:\windows\unist1.htm
c:\windows\Web\default.htt

c:\windows\system32\qmgr.dll . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-21 20:28 . 2009-11-21 20:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2009-11-08 23:25 . 2009-11-28 13:04 -------- d-----w- c:\program files\Mozilla Firefox 3.6 Beta 1
2009-11-08 23:17 . 2009-11-08 23:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2009-11-08 23:15 . 2009-11-08 23:15 -------- d-----w- c:\program files\ClamWin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-29 23:05 . 2009-11-29 23:05 16384 ----atw- c:\windows\system32\Perflib_Perfdata_24c.dat
2009-11-08 22:45 . 2004-06-16 18:58 -------- d---a-w- c:\program files\Common Files\Symantec Shared
2009-11-08 22:44 . 2009-01-04 23:56 -------- d-----w- c:\program files\Symantec
2009-11-08 22:28 . 2009-01-04 23:56 -------- d-----w- c:\windows\All Users\Application Data\Symantec
2009-09-22 19:16 . 2009-09-22 19:16 16384 ----atw- c:\windows\system32\Perflib_Perfdata_420.dat
2009-09-04 19:13 . 2009-09-04 19:13 16384 ----atw- c:\windows\system32\Perflib_Perfdata_3c0.dat
2009-01-04 17:39 . 2004-05-26 20:02 21952 -c-h--w- c:\program files\folder.htt
2008-12-22 19:59 . 2004-05-27 22:35 300 -c--a-w- c:\program files\Windows Explorer.lnk
.

------- Sigcheck -------

[-] 2002-12-06 15:20 . BE72F78A3E141441C20B3DD02EC1D838 . 77760 . . [5.4.1103.4] . . c:\windows\SYSTEM32\QMGR.DLL


[-] 2002-11-27 00:03 . 36678803A8030EE9A771935CFC1848BD . 52224 . . [9.0.1.56] . . c:\windows\SYSTEM32\mspmsnsv.dll

c:\windows\System32\wuauclt.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
1999-12-07 12:00 2352400 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-09-04 6856704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ClamWin"="c:\program files\ClamWin\bin\ClamTray.exe" [2009-11-03 86016]
"Synchronization Manager"="mobsync.exe" - c:\windows\SYSTEM32\mobsync.exe [1999-12-07 111376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [1999-12-07 186640]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"RHSI SHS"="c:\program files\Rogers\SelfHealing\SHS.exe" /background
"Update Manager"="c:\program files\Rogers\Update Manager\UpdateManager.exe" /background
"SHS"="c:\program files\ROGERS\SELFHEALING\SHS.exe" /autofix
"msnmsgr"="c:\program files\MSN MESSENGER\MSNMSGR.EXE" /background
"MyWebSearch Email Plugin"=c:\progra~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS MASTER\MONITOR.EXE -NoStart

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"IrMon"=IrMon.exe
"AtiPTA"=Atiptaxx.exe
"Ati2cwxx"=Ati2cwxx.exe
"msnappau"="c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
"P2P NETWORKING"=c:\windows\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
"KAZAA"=c:\program files\Kazaa\kazaa.exe /SYSTRAY
"OM_Monitor"=c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
"My Web Search Bar"=rundll32 c:\progra~1\MYWEBS~1\BAR\1.BIN\MWSBAR.DLL,S
"MyWebSearch Email Plugin"=c:\progra~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
"iRiver Updater"=\Updater.exe
"QuickTime Task"="c:\windows\system32\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"ATIPOLAB"=ati2evxx.exe
"KB891711"=c:\windows\SYSTEM\KB891711\KB891711.EXE
"KB918547"=c:\windows\SYSTEM\KB918547\KB918547.EXE

S3 el656cd5;3Com Megahertz Global 10/100 LAN + 56K Modem CardBus PC Card;c:\windows\system32\DRIVERS\el656cd5.sys [2000-02-11 91136]
S3 EL656WD;EL656WD3Com Winmodem;c:\windows\system32\DRIVERS\EL656WD.sys [2000-05-17 728848]
S3 maestro;ESS Maestro Audio Driver (WDM);c:\windows\system32\drivers\es198xdl.sys [2002-06-20 414400]

.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mLocal Page = c:\windows\SYSTEM\blank.htm
IE: &Google Search - c:\program files\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
IE: &Translate English Word - c:\program files\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
IE: Backward Links - c:\program files\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
IE: Similar Pages - c:\program files\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
IE: Translate Page into English - c:\program files\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\um5962pu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\windows\SYSTEM\Macromed\Flash\NPSWF32.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox 3.6 Beta 1\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 18:19
Windows 5.0.2195 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(224)
c:\windows\system32\rsabase.dll
.
Completion time: 2009-11-29 18:24
ComboFix-quarantined-files.txt 2009-11-29 23:24

Pre-Run: 8,920,202,240 bytes free
Post-Run: 9,227,356,672 bytes free

- - End Of File - - 64FAB486D3EFDEE0F4F82DA81B559675