ComboFix 09-01-17.02 - Owner 2009-01-17 20:22:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.61 [GMT -6:00]
Running from: c:\docume~1\Owner\LOCALS~1\Temp\Rar$EX05.375\CombFix.exe
AV: AVG Anti-Virus Free On-access scanning enabled (Outdated)
- Created a new restore point
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Cookies\hpothb07.dat
c:\documents and settings\Owner\Cookies\hpothb07.tif
C:\SMARTDRV.PIF
.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.
2009-01-16 21:35 . 2009-01-16 21:35 <DIR> d--h----- C:\$AVG8.VAULT$
2009-01-16 18:35 . 2009-01-16 18:35 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-16 18:35 . 2009-01-16 18:35 <DIR> d-------- c:\program files\AVG
2009-01-16 18:35 . 2009-01-17 20:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-16 18:35 . 2009-01-16 18:35 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-16 18:35 . 2009-01-16 18:35 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-16 18:35 . 2009-01-16 18:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-16 13:19 . 2009-01-16 13:19 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 13:19 . 2009-01-16 13:19 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-16 13:19 . 2009-01-16 13:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 13:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 13:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-09 13:50 . 2009-01-09 13:49 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-09 13:49 . 2009-01-15 14:19 <DIR> d-------- c:\program files\Java
2009-01-06 12:15 . 2009-01-06 12:15 <DIR> d-------- c:\program files\Sun
2009-01-06 12:01 . 2009-01-06 12:01 <DIR> d-------- C:\TEMP
2009-01-06 12:00 . 2009-01-06 12:00 <DIR> d-------- C:\Sun
2009-01-02 22:15 . 2009-01-02 22:15 <DIR> d-------- c:\windows\Profiles
2009-01-02 22:15 . 2009-01-02 22:15 <DIR> d-------- c:\documents and settings\Owner\Application Data\InterTrust
2008-12-23 16:03 . 2008-12-23 16:03 <DIR> d-------- c:\program files\Common Files\Adobe AIR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 03:18 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-07 14:09 --------- d-----w c:\documents and settings\Owner\Application Data\spweng
2009-01-03 04:15 --------- d-----w c:\program files\Common Files\Adobe
2008-12-23 23:28 --------- d-----w c:\program files\Microsoft Works
2008-12-23 23:22 --------- d-----w c:\program files\Microsoft Picture It! 2002
2008-12-15 22:30 --------- d-----w c:\documents and settings\Owner\Application Data\ArcSoft
2008-12-15 22:25 --------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
2008-12-15 22:23 --------- d-----w c:\program files\Common Files\ArcSoft
2008-12-15 22:23 --------- d-----w c:\program files\ArcSoft
2008-12-15 22:14 --------- d-----w c:\program files\OVT
2008-12-09 02:04 54,632 -c--a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2002-04-18 11:03 1,569 ----a-w c:\program files\2KHDD.BAT
2004-08-04 07:56 165,840 --sha-r c:\windows\system32\iwebcsf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPYKILLER"="c:\program files\Anonymizer\sk\SpyWareKiller.exe" [2004-02-12 110592]
"ANONYMIZER_SPYWAREKILLER"="c:\program files\Anonymizer\sk\spywarekiller.exe" [2004-02-12 110592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-12-07 09:33 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-07-10 114688]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-16 1261336]
"SMSERIAL"="sm56hlpr.exe" [2003-10-07 c:\windows\sm56hlpr.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2007-02-28 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2007-02-28 28672]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2003-06-13 569344]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:198.200.173.74/255.255.255.255,198.200.173.139/255.255.255.255:Enabled:Streamer
"443:TCP"= 443:TCP:204.58.27.34/255.255.255.255,204.58.27.43/255.255.255.255,204.58.27.51/255.255.255.255,204.58.27.60/255.255.255.255:Enabled:streamer
"6822:TCP"= 6822:TCP:ddcjej
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-16 97928]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-16 76040]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-07-31 580992]
S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]
S3 PCDRDRV;Pcdr CPU Helper Driver;c:\windows\system32\drivers\PCDRDRV.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-16 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-16 231704]
S4 ykahj;Network Helper;c:\windows\system32\svchost.exe -k netsvcs [1979-12-31 14336]
NewlyCreated - NMSCFG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ykahj
.
Contents of the 'Scheduled Tasks' folder
2005-01-02 c:\windows\Tasks\SpyWareKiller.job
- c:\program files\Anonymizer\sk\SpyWareKiller.exe [2004-02-12 12:31]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKCU-Run-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-PRIVANAL - (no file)
HKLM-Run-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
HKLM-Run-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
HKLM-Run-Ink Monitor - c:\program files\EPSON\Ink Monitor\InkMonitor.exe
HKLM-Run-IncredimailDownloader - c:\windows\DOWNLO~1\imloader.exe
HKLM-RunOnce-DELDIR0.EXE - c:\docume~1\Owner\LOCALS~1\Temp\DELDIR0.EXE
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mycopper.net/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
Trusted Zone: *.ameritrade.com
Trusted Zone: .www.ameritrade.com
Trusted Zone: *.streamer.com
Trusted Zone: *.tdameritrade.com
Trusted Zone: www.tdameritrade.com
TCP: {FD0DC44B-CEEB-4A84-9FB6-CF09BDB89E67} = 66.6.176.10 66.6.191.10
FF – ProfilePath – c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fnkep8fo.default\
FF – component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 20:37:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
DELDIR0.EXE = "c:\docume~1\Owner\LOCALS~1\Temp\DELDIR0.EXE" "c:\program files\McAfee\McAfee Shared Components\Guardian\"?? ????|??H?l|q|???|??$? ??|???|x|??q|?o?w`????|h?,?Q|?? ?m|p???????????v?C?:?\?P?r?o?g?r?a?m? ?F?i?l?e?s?\?M?c?A?f?e?e?\?M?c?e?e? ?S?h?a?r?e?d? ?C?o?m?p?o?n?e?n? ?\?G?u?a?r?d?i?a?n?\???p?p????|p|??m|??x?~y?wT????
scanning hidden files …
scan completed successfully
hidden files: 0
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ykahj]
"ServiceDll"="c:\windows\system32\iwebcsf.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1417001333-484061587-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\windows\system32\NMSSvc.Exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-01-17 20:40:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-18 02:39:47
Pre-Run: 73,930,811,904 bytes free
Post-Run: 74,315,341,824 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
174 --- E O F --- 2008-08-20 18:28:02



