ComboFix Log - Interpretation?

Discussion in 'Malware Help (A Specialist Will Reply)' started by rafab1, Dec 13, 2008.

  1. rafab1

    rafab1 Private E-2

    error message: windows cannot find 'C:\program files\internet explorer\iexplorer.exe'

    I ran ComboFix but still get the same message. Can someone help in interpreting the log below? I am going out of my mind trying to get explorer to work:


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\RICHARD RYAN\Local Settings\Temporary Internet Files\CSC2.5U-EN-719-F.sbr.sgn
    c:\documents and settings\RICHARD RYAN\Local Settings\Temporary Internet Files\ENCounterSpyConsumer.2.5.1043.0.exe
    c:\windows\IE4 Error Log.txt

    .
    ((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
    .

    2008-12-13 11:05 . 34,360 c:\windows\system32\drivers\sbapifs.sys
    2008-12-13 10:58 . 2008-12-13 10:58 6,736 --a------ c:\windows\system32\drivers\PROCEXP90.SYS
    2008-12-13 10:08 . 2004-08-04 00:56 116,224 --a------ c:\windows\system32\dllcache\xrxwiadr.dll
    2008-12-13 10:08 . 2001-08-17 22:36 23,040 --a------ c:\windows\system32\dllcache\xrxwbtmp.dll
    2008-12-13 10:06 . 2001-08-17 13:28 771,581 --a------ c:\windows\system32\dllcache\winacisa.sys
    2008-12-13 10:05 . 2001-08-17 13:28 794,654 --a------ c:\windows\system32\dllcache\usr1801.sys
    2008-12-13 10:04 . 2001-08-17 22:36 525,568 --a------ c:\windows\system32\dllcache\tridxp.dll
    2008-12-13 10:03 . 2004-08-04 05:00 571,392 --a------ c:\windows\system32\dllcache\tintlgnt.ime
    2008-12-13 10:02 . 2001-08-17 12:18 285,760 --a------ c:\windows\system32\dllcache\stlnata.sys
    2008-12-13 10:01 . 2004-08-04 05:00 456,704 --a------ c:\windows\system32\dllcache\smtpsvc.dll
    2008-12-13 10:00 . 2001-08-17 22:36 386,560 --a------ c:\windows\system32\dllcache\sgiul50.dll
    2008-12-13 09:59 . 2001-08-17 22:36 495,616 --a------ c:\windows\system32\dllcache\sblfx.dll
    2008-12-13 09:58 . 2001-08-17 13:28 714,762 --a------ c:\windows\system32\dllcache\r2mdmkxx.sys
    2008-12-13 09:57 . 2001-08-17 13:28 899,146 --a------ c:\windows\system32\dllcache\r2mdkxga.sys
    2008-12-13 09:37 . 2004-08-04 05:00 482,304 --a------ c:\windows\system32\dllcache\pintlgnt.ime
    2008-12-13 09:36 . 2001-08-17 14:05 351,616 --a------ c:\windows\system32\dllcache\ovcodek2.sys
    2008-12-13 09:35 . 2004-08-03 22:31 132,695 --a------ c:\windows\system32\dllcache\netwlan5.sys
    2008-12-13 09:34 . 2004-08-04 05:00 1,875,968 --a------ c:\windows\system32\dllcache\msir3jp.lex
    2008-12-13 09:33 . 2001-08-17 13:28 802,683 --a------ c:\windows\system32\dllcache\ltsm.sys
    2008-12-13 09:32 . 2004-08-04 05:00 1,158,818 --a------ c:\windows\system32\dllcache\korwbrkr.lex
    2008-12-13 09:31 . 2004-08-04 05:00 811,064 --a------ c:\windows\system32\dllcache\imjp81k.dll
    2008-12-13 09:30 . 2004-08-04 05:00 13,463,552 --a------ c:\windows\system32\dllcache\hwxjpn.dll
    2008-12-13 09:29 . 2001-08-17 14:56 1,733,120 --a------ c:\windows\system32\dllcache\g400d.dll
    2008-12-13 09:28 . 2001-08-17 12:17 629,952 --a------ c:\windows\system32\dllcache\eqn.sys
    2008-12-13 09:27 . 2001-08-17 12:14 952,007 --a------ c:\windows\system32\dllcache\diwan.sys
    2008-12-13 09:26 . 2001-08-17 22:36 614,429 --a------ c:\windows\system32\dllcache\digiview.exe
    2008-12-13 09:25 . 2004-08-04 05:00 1,677,824 --a------ c:\windows\system32\dllcache\chsbrkr.dll
    2008-12-13 09:24 . 2004-08-04 00:56 1,888,992 --a------ c:\windows\system32\dllcache\ati3duag.dll
    2008-12-13 09:23 . 2001-08-17 13:28 762,780 --a------ c:\windows\system32\dllcache\3cwmcru.sys
    2008-12-13 09:22 . 2004-05-13 00:39 876,653 --a------ c:\windows\system32\dllcache\fp4awel.dll
    2008-12-13 08:14 . 2008-12-13 08:14 16,386,859 --a------ c:\windows\system32\SBSP.dat
    2008-12-12 12:10 . 2008-12-12 12:10 177,664 --a------ c:\program files\KB34896.exe
    2008-12-12 12:10 . 2008-12-12 12:10 172,032 --a------ c:\windows\system32\wrq10982.dll
    2008-12-12 12:10 . 2008-12-12 12:10 172,032 --a------ c:\windows\system32\rq10982.dll
    2008-12-11 21:51 . 2008-12-11 21:51 118 --a------ c:\windows\system32\MRT.INI
    2008-11-29 10:46 . 2008-11-29 10:46 4,183,490 --a------ C:\world yacht with Marc & Jane sunny.JPG
    2008-11-29 10:46 . 2008-11-29 10:46 3,787,530 --a------ C:\rich & marc world yacht.JPG
    2008-11-29 10:45 . 2008-11-29 10:45 3,767,703 --a------ C:\Rich & 2 glasses.JPG
    2008-11-29 10:44 . 2008-11-29 10:44 3,820,856 --a------ C:\whitey under tree 1.JPG
    2008-11-29 10:44 . 2008-11-29 10:44 3,819,779 --a------ C:\whitey under tree 2.JPG
    2008-11-27 21:12 . 2008-11-27 21:12 <DIR> d-------- c:\program files\Common Files\Software Update Utility
    2008-11-27 21:12 . 2008-11-27 21:12 <DIR> d-------- c:\program files\AIM Toolbar
    2008-11-27 21:12 . 2008-11-27 21:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\AIM Toolbar
    2008-11-27 21:11 . 2008-11-27 21:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
    2008-11-25 07:44 . 2008-11-25 07:44 85,504 --a------ c:\program files\KB35864.exe
    2008-11-17 17:23 . 2008-11-17 17:23 176,128 --a------ c:\windows\system32\ws99807.dll
    2008-11-17 17:23 . 2008-11-17 17:23 176,128 --a------ c:\windows\system32\mws99807.dll
    2008-11-17 17:13 . 2008-11-17 18:07 <DIR> d-------- c:\program files\MSVideoPlugin
    2008-11-13 18:05 . 2008-11-13 18:10 <DIR> d-------- c:\windows\system32\scripting
    2008-11-13 18:05 . 2008-11-13 18:10 <DIR> d-------- c:\windows\system32\en
    2008-11-13 18:05 . 2008-11-13 18:10 <DIR> d-------- c:\windows\system32\bits
    2008-11-13 18:05 . 2008-11-13 18:10 <DIR> d-------- c:\windows\l2schemas
    2008-11-13 17:57 . 2007-08-10 19:46 33,656 --a------ c:\windows\system32\sprecovr.exe
    2008-11-13 17:53 . 2008-11-13 17:53 <DIR> d-------- c:\windows\EHome
    2008-11-13 13:37 . 2008-11-13 13:37 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-13 16:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-12-13 13:42 --------- d-----w c:\program files\Spyware Doctor
    2008-12-01 12:35 --------- d-----w c:\program files\Common Files\Symantec Shared
    2008-11-28 02:12 --------- d-----w c:\program files\AIM6
    2008-11-28 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
    2008-11-28 02:09 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\dllcache\gdi32.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-15 16:57 332,800 ----a-w c:\windows\system32\dllcache\netapi32.dll
    2008-10-15 14:18 18,432 ----a-w c:\windows\system32\dllcache\iedw.exe
    2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
    2008-10-03 10:15 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
    2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
    2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\dllcache\win32k.sys
    2007-02-11 12:14 88 --sh--r c:\windows\system32\2997DA6DE4.sys
    2007-02-11 12:15 2,516 --sha-w c:\windows\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD8E8AAE-BFAE-342F-812E-3385D911BFCE}]
    2008-12-12 12:10 172032 --a------ c:\windows\system32\wrq10982.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "Spyware Doctor"="c:\program files\Spyware Doctor\swdoctor.exe" [2006-12-11 2115728]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]
    "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-12-14 98304]
    "EPSON Stylus CX5800F Series (Copy 1)"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE" [2005-05-09 98304]
    "SBCSTray"="c:\program files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 698864]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2007-08-24 714608]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "NvMediaCenter"="NvMCTray.dll" [2006-08-23 c:\windows\system32\nvmctray.dll]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-08-15 c:\windows\stsystra.exe]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\MSN Messenger\\msncall.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=

    R0 SBHR;SBHR;c:\windows\system32\drivers\sbhr.sys [2007-11-02 15544]
    R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2007-08-25 149352]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-20 24652]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-13 99376]
    R3 SBAPIFS;SBAPIFS;\??\c:\windows\system32\drivers\sbapifs.sys []
    S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-05-29 23888]

    *Newly Created Service* - SBAPIFS
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-09 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - RICHARD RYAN.job
    - c:\program files\Norton AntiVirus\Navw32.exe [2007-08-26 20:19]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig
    IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
    .
    .
    ------- File Associations -------
    .
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-13 11:05:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\mchInjDrv]
    "ImagePath"="\??\c:\windows\TEMP\mc22.tmp"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(864)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    c:\program files\Spyware Doctor\Tools\klg.dat

    - - - - - - - > 'lsass.exe'(920)
    c:\program files\Spyware Doctor\Tools\klg.dat

    - - - - - - - > 'explorer.exe'(3004)
    c:\program files\Spyware Doctor\Tools\klg.dat
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\browselc.dll
    c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

    - - - - - - - > 'csrss.exe'(840)
    c:\program files\Spyware Doctor\Tools\klg.dat
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Logitech\SetPoint\SetPoint.exe
    c:\program files\CASIO\Photo Loader\Plauto.exe
    c:\program files\Spyware Doctor\sdhelp.exe
    c:\program files\Microsoft IntelliPoint\dpupdchk.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-13 11:10:16 - machine was rebooted [RICHARD RYAN]
    ComboFix-quarantined-files.txt 2008-12-13 16:09:49

    Pre-Run: 135,769,862,144 bytes free
    Post-Run: 138,635,653,120 bytes free

    223 --- E O F --- 2008-12-13 13:42:10
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geek!

    If you do not have the C:\program files\internet explorer\iexplorer.exe file on your PC then running ComboFix is not going to help you. ComboFix is a specialty malware removal tool and is not going to put Internet Explorer (that is what iexplore.exe is) back on your PC if the file is truly missing. You need to check to see if the file is really missing and if it is, you need to restore a copy from a backup on your PC or possibly use System Restore to get the file back. This is not an issue for the Malware Forum. You should post in the Software Forum for help with this.

    However, the below is more than likely a malware BHO:
    So because you do have malware, you need to follow the below instructions anyway.

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    READ & RUN ME FIRST. Malware Removal Guide
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
    Last edited: Dec 15, 2008
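    As an added example (not part of this thread, and not code from ComboFix or MajorGeeks), here is a small Python parser for the two log sections chaslang's answer turns on, "Files Created" and "Reg Loading Points". It flags any BHO whose DLL was created inside the scan window and lists other files dropped in the same minute with the same size, which is exactly the pattern the posted log shows for wrq10982.dll and rq10982.dll. The embedded excerpt is constructed from entries posted above, and the regexes assume the line layout seen in this log.

```python
import re

# Constructed excerpt in ComboFix log layout; the entries mirror the ones
# posted in this thread (paths, timestamps and sizes are taken from the log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.
2008-12-12 12:10 . 2008-12-12 12:10 177,664 --a------ c:\program files\KB34896.exe
2008-12-12 12:10 . 2008-12-12 12:10 172,032 --a------ c:\windows\system32\wrq10982.dll
2008-12-12 12:10 . 2008-12-12 12:10 172,032 --a------ c:\windows\system32\rq10982.dll
2008-11-27 21:12 . 2008-11-27 21:12 <DIR> d-------- c:\program files\AIM Toolbar
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD8E8AAE-BFAE-342F-812E-3385D911BFCE}]
2008-12-12 12:10 172032 --a------ c:\windows\system32\wrq10982.dll
"""

# "Files Created" row: created-stamp . modified-stamp size attrs path (<DIR> rows do not match)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ ([\d,]+) \S+ (.+)$")
# BHO key header; the line after it names the DLL the BHO loads
BHO_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]$")
BHO_DLL_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (.+)$")


def parse_created(log):
    # lower-cased path -> (created stamp, size in bytes)
    created = {}
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[m.group(3).lower()] = (m.group(1), int(m.group(2).replace(",", "")))
    return created


def parse_bhos(log):
    # [(clsid, dll path)] for every BHO listed under Reg Loading Points
    lines = [l.strip() for l in log.splitlines()]
    return [(k.group(1), d.group(1)) for a, b in zip(lines, lines[1:])
            if (k := BHO_KEY_RE.match(a)) and (d := BHO_DLL_RE.match(b))]


def review_bhos(log):
    # Flag BHOs whose DLL was created inside the scan window and report other
    # files dropped in the same minute with the same size (likely twins).
    created = parse_created(log)
    findings = []
    for clsid, dll in parse_bhos(log):
        entry = created.get(dll.lower())
        if entry is None:
            continue  # DLL predates the window: not flagged by this heuristic
        stamp, size = entry
        twins = sorted(p for p, (s, z) in created.items()
                       if p != dll.lower() and s == stamp and z == size)
        findings.append({"clsid": clsid, "dll": dll, "created": stamp, "twins": twins})
    return findings
```

Feed `review_bhos` the full text of a ComboFix log; a BHO whose DLL appears in the Files Created window, especially with a same-size twin, is the entry to quote when asking for help.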
  3. rafab1

    rafab1 Private E-2

    Understood. Thanks for the clarification.
    I did, in fact, have to reinstall both windows and i/e 6.0.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

