Member Avatar for newdawg

Okay. My neighbor got into trouble. First, with some kind of infection (he thinks) and then by calling me after he ran ComboFix (he wanted me to 'tell him what it means')! So, I am going to ask here for help. Attached is his CF Log and if some can help me with it I'll help him. O, and don't worry... he won't be running CF again without first asking for assistance online. ;)

ComboFix 11-03-19.04 - NunYerBiz 03/20/2011  15:10:57.1.2 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2558.2302 [GMT -4:00]
Running from: c:\documents and settings\NunYerBiz\Desktop\Combo-Fix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *Enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\ntuser.pol
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-20 to 2011-03-20  )))))))))))))))))))))))))))))))
.
.
2011-03-20 03:48 . 2011-03-20 05:06	--------	d-----w-	C:\woof
2011-03-18 17:42 . 2011-03-18 17:43	--------	d-----w-	C:\Converted Audio Files
2011-03-18 16:37 . 2004-12-09 16:27	57576	----a-w-	C:\WindowsXP-KB890546-x86-Symbols-ENU.exe
2011-03-18 15:46 . 2011-03-18 15:46	--------	d-----r-	C:\Sandbox
2011-03-18 14:50 . 2011-03-18 14:50	--------	d-----w-	C:\0f2895acf8c89ebbceeb39b607b84306
2011-03-18 05:32 . 2011-03-18 05:33	--------	d-----w-	C:\TCP Optimizer Backup
2011-03-15 04:05 . 2011-03-20 07:14	--------	d-----w-	C:\BurnFiles
2011-03-15 03:26 . 2011-03-18 15:11	--------	d-----w-	C:\MyStuff
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-04 22:48 . 2004-08-10 11:00	456192	----a-w-	c:\windows\system32\encdec.dll
2011-02-04 22:48 . 2004-08-10 11:00	291840	----a-w-	c:\windows\system32\sbe.dll
2011-02-02 13:31 . 2011-02-02 13:31	499712	----a-w-	c:\windows\system32\msvcp71.dll
2011-02-02 13:31 . 2011-02-02 13:31	348160	----a-w-	c:\windows\system32\msvcr71.dll
2011-01-21 14:44 . 2004-08-10 11:00	439296	----a-w-	c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 11:00	290048	----a-w-	c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 11:00	1854976	----a-w-	c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-10 11:00	301568	----a-w-	c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2006-03-04 03:33	916480	----a-w-	c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2004-08-10 11:00	43520	----a-w-	c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2004-08-10 11:00	1469440	------w-	c:\windows\system32\inetcpl.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04	122512	----a-w-	c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/14/2011 7:20 PM 371544]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/14/2011 7:20 PM 301528]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/14/2011 7:20 PM 19544]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [3/17/2011 4:15 PM 22504]
S3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [3/18/2011 1:26 PM 131664]
S3 TotRec8;Total Recorder WDM audio filter driver;c:\windows\system32\drivers\TotRec8.sys [3/18/2011 1:27 PM 91728]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PARPORT
.
.
------- Supplementary Scan -------
.
IE: &Download by Arles Download Manager - c:\documents and settings\NunYerBiz\Local Settings\Application Data\Ariel Download Manager\DownloadManager.htm
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-EfficientPIM - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-20 15:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
   bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
   bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
   bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
   bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
Completion time: 2011-03-20  15:16:34
ComboFix-quarantined-files.txt  2011-03-20 19:16
.
Pre-Run: 135,011,123,200 bytes free
Post-Run: 134,979,936,256 bytes free
.
- - End Of File - - ECC2083177CAB676FEEC50FE196E8120
  • 2 Contributors
  • 2 Replies
  • 116 Views
  • 11 Hours Discussion Span
  • Latest Post Latest Post by jholland1964
Member Avatar for newdawg

Okay. My neighbor got into trouble. First, with some kind of infection (he thinks) and then by calling me after he ran ComboFix (he wanted me to 'tell him what it means')! So, I am going to ask here for help. Attached is his CF Log and if some can help me with it I'll help him. O, and don't worry... he won't be running CF again without first asking for assistance online. ;)

And the other thing - he just told me that he couldn't get CF to run for several tries (error that it was corrupted or it just hung) but finally 'got it going' in Safe Mode. (Sorry for the quotes... not really funny but frustrating).

Member Avatar for jholland1964

Who told him to use combofix? Multiple OTHER tools would have to be run before anyone would tell him to run combofix. It should NEVER be run as a matter of course as it is for use only for specific types of infections, Using it without supervision by the helper on a forum who requested is never advised. No helper would request it without first seeing all OTHER logs from all the other tools run.

Also, we do not open attached files here. All logs must be copy/pasted.

The only steps we will begin with are those found in our Read Me Sticky.

Once those steps are completed then post back here with the requested logs and they must be copy/pasted or we will not read them.
http://www.daniweb.com/hardware-and-software/microsoft-windows/viruses-spyware-and-other-nasties/threads/134865

Edited by jholland1964 because: n/a
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.