
Combofix report Possible Infection?

Discussion in 'Malware and Virus Removal Archive' started by brobin, 2009/09/08.

  1. 2009/09/08
    brobin (Thread Starter)
    I had another thread for my laptop which did have several infections. The desktop was connected to the same network and seemed slow after the laptop infection. I did run ComboFix and was wondering if anyone can view this report and see if there are any infections listed. ComboFix updated to a new version and I had to start it twice, so the report may show the first start on scan; then I had to restart the computer and run this again. I also uninstalled AVG before running the second time.

    ComboFix 09-09-07.03 - Bonnie 09/07/2009 21:14.2.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.595 [GMT -7:00]
    Running from: c:\documents and settings\Bonnie\Desktop\ComboFix.exe
    FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\documents and settings\Bonnie\Front Yard .jpg
    c:\recycler\S-1-5-21-11457409-3420883336-2810106368-500
    c:\recycler\S-1-5-21-1590580893-40798335-178600853-500
    c:\recycler\S-1-5-21-3462389463-4017558345-1778031126-500
    c:\recycler\S-1-5-21-4148369516-415066616-1619009671-500
    c:\windows\COUPON~1.OCX
    c:\windows\CouponPrinter.ocx
    c:\windows\Installer\15f6475.msp
    c:\windows\Installer\195ef.msp
    c:\windows\Installer\29d512.msp
    c:\windows\Installer\29d551.msp
    c:\windows\Installer\bc4b9c.msp
    c:\windows\kb913800.exe
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_R_SERVER
    -------\Service_r_server


    ((((((((((((((((((((((((( Files Created from 2009-08-08 to 2009-09-08 )))))))))))))))))))))))))))))))
    .

    2009-09-08 03:17 . 2009-09-08 03:17 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
    2009-09-04 19:28 . 2009-09-04 19:28 -------- d--h--w- C:\$AVG8.VAULT$
    2009-09-04 17:35 . 2009-09-04 17:37 -------- d-----w- C:\usb stick
    2009-09-04 05:40 . 2009-09-04 05:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
    2009-09-04 05:39 . 2009-09-04 05:39 -------- d-----w- c:\program files\AVG
    2009-09-04 05:39 . 2009-09-08 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
    2009-09-04 05:36 . 2009-09-04 05:36 -------- d-----w- c:\documents and settings\Bonnie\Application Data\AVG8
    2009-08-16 20:42 . 2009-08-16 20:42 -------- d-----w- c:\documents and settings\Bonnie\Application Data\CoxFastConnect20
    2009-08-13 03:41 . 2009-08-13 03:41 -------- d-----w- c:\program files\NETGEAR GA311 Adapter
    2009-08-13 03:40 . 2009-08-13 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\{B7A015B7-4802-4678-8CEC-700380BA9AFD}

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-09-08 03:16 . 2008-10-08 22:18 -------- d-----w- c:\program files\LogMeIn
    2009-09-08 03:16 . 2008-10-08 22:18 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
    2009-09-08 03:15 . 2008-10-08 22:18 28984 ----a-w- c:\windows\system32\LMIport.dll
    2009-09-08 03:15 . 2008-10-08 22:18 87352 ----a-w- c:\windows\system32\LMIinit.dll
    2009-09-08 03:15 . 2007-11-16 01:46 11552 ----a-w- c:\windows\system32\lmimirr2.dll
    2009-09-08 03:15 . 2007-11-16 01:46 25248 ----a-w- c:\windows\system32\lmimirr.dll
    2009-09-04 05:48 . 2007-02-21 22:11 114 ----a-w- C:\sccfg.sys
    2009-09-03 05:59 . 2009-01-28 20:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-09 19:58 . 2006-03-11 02:28 320 ----a-w- c:\documents and settings\Bonnie\Application Data\wklnhst.dat
    2009-08-05 23:53 . 2009-08-05 23:52 -------- d-----w- c:\program files\Nero
    2009-08-05 23:52 . 2009-08-05 23:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
    2009-08-05 23:52 . 2009-08-05 23:52 -------- d-----w- c:\program files\Common Files\Nero
    2009-08-05 20:41 . 2005-01-10 01:26 67936 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-03 20:36 . 2009-01-28 20:44 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-03 20:36 . 2009-01-28 20:44 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-20 23:59 . 2009-07-20 23:59 -------- d-----w- c:\program files\EZ Fonts
    2008-05-23 23:23 . 2008-02-28 19:43 168 --sha-r- c:\windows\system32\123FBDEACB.sys
    2008-05-23 23:23 . 2008-02-28 19:43 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-08-03 63048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-12-25 270336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2009-09-08 03:15 87352 ----a-w- c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2003-10-31 19:01 8704 ----a-w- c:\windows\system32\PCANotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @= "Service "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
    backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
    backup=c:\windows\pss\BigFix.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "MskService "=2 (0x2)
    "Retrospect Helper "=2 (0x2)
    "RetroLauncher "=2 (0x2)
    "PrismXL "=2 (0x2)
    "AdobeActiveFileMonitor4.0 "=2 (0x2)
    "r_server "=2 (0x2)
    "FastUserSwitchingCompatibility "=3 (0x3)
    "WebrootSpySweeperService "=2 (0x2)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe "=
    "c:\\Program Files\\Dantz\\Retrospect 7.0\\Retrospect.exe "=
    "c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe "=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe "=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe "=
    "c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe "=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\LogMeIn\\x86\\LogMeIn.exe "=
    "c:\\WINDOWS\\system32\\mmc.exe "=
    "c:\\WINDOWS\\system32\\fxsclnt.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009

    R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [8/9/2008 2:42 PM 29808]
    R2 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [12/25/2003 7:53 PM 8440]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/3/2007 3:09 PM 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/8/2008 3:18 PM 47640]
    R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [12/25/2003 7:53 PM 11237]
    S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys --> c:\windows\system32\DRIVERS\avgfwdx.sys [?]
    S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2/12/2006 5:47 PM 16194]
    S3 NETGEAR_WG311T_SERVICE;NETGEAR WG311T Wireless Adapter Service;c:\windows\system32\drivers\wg311tn5.sys [2/12/2006 5:47 PM 395840]
    S3 NetgearGA311;NETGEAR GA311 Gigabit Adapter Driver;c:\windows\system32\drivers\G311N6.sys [12/28/2008 11:47 AM 70144]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-28 c:\windows\Tasks\wrSpySweeperFullSweep.job
    - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-25 23:04]

    2009-08-28 c:\windows\Tasks\wrSpySweeperFullSweep.job
    - c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2006-08-25 23:04]
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    Notify-avgrsstarter - avgrsstx.dll
    SafeBoot-svcWRSSSDK


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uSearch Page = hxxp://www.google.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &Search
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
    Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\progra~1\CoreFTP\pftpns.dll
    DPF: {01010200-5E80-11D8-9E86-0007E96C65AE} - hxxps://ra.qwest.com/sdccommon/download/tgctlins.cab
    DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} - hxxps://install.cox.net/CoxSelfInstall//CoxSelfInstallAx10.ocx
    FF - ProfilePath - c:\documents and settings\Bonnie\Application Data\Mozilla\Firefox\Profiles\tqj3ri6r.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
    FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-09-07 21:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101 "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    "Enabled "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe "

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker3 "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1016)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'lsass.exe'(1072)
    c:\windows\system32\relog_ap.dll

    - - - - - - - > 'explorer.exe'(2356)
    c:\windows\system32\LMIRfsClientNP.dll
    .
    Completion time: 2009-09-08 22:02
    ComboFix-quarantined-files.txt 2009-09-08 05:01

    Pre-Run: 115,601,920,000 bytes free
    Post-Run: 115,564,343,296 bytes free

    231 --- E O F --- 2009-04-16 02:36
     
  2. 2009/09/08
    Admin. (Administrator, Staff)
    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     

