Combofix log

Discussion in 'Malware Help (A Specialist Will Reply)' started by thundercats7, May 2, 2013.

  1. thundercats7

    thundercats7 Private E-2

    I recently downloaded Adobe Reader, and guess what snuck in? Sweetpacks, which was anything but sweet. I attempted to follow the instructions of previous posts from those who received help from this website. The last thing I was going to do was Combofix, which is now finished. Will someone take a look at my log for me?
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything. Note if you cannot save things in C:\ then just save them to your Desktop. Make sure that you have disabled UAC and rebooted first if you are running Windows Vista or Windows 7.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.

    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:


    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. thundercats7

    thundercats7 Private E-2

    Hi Tim,
    I appreciate you taking the time to help. I went through previous posts, and followed the instructions. I have no more problems whatsoever. It was a long process, but the previous instructions I found here worked like a charm. I didn't need to do Combofix, but I wanted to double-check my work. I turned off my antivirus, and ran Combofix following the instructions. If policy states that the entire process of removing a virus like Sweetpacks must include both a moderator and myself from the very beginning, then I understand if you're unable to read my Combofix log. You guys have to protect yourselves, which makes perfect sense. If you are able to review my Combofix log, I would appreciate it.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just go ahead and attach it.
     
  5. thundercats7

    thundercats7 Private E-2

    I appreciate it Tim. The log is below.

    ComboFix 13-05-01.03 - Tiffany 05/02/2013 11:14:50.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1433 [GMT -4:00]
    Running from: c:\documents and settings\Tiffany\Desktop\ComboFix.exe
    AV: AVG AntiVirus Free Edition 2013 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\Cache
    c:\windows\system32\SET5A.tmp
    c:\windows\system32\SET5E.tmp
    c:\windows\system32\SET66.tmp
    c:\windows\system32\SET6F.tmp
    c:\windows\system32\SET71.tmp
    c:\windows\system32\SET74.tmp
    c:\windows\system32\URTTemp
    c:\windows\system32\URTTemp\fusion.dll
    c:\windows\system32\URTTemp\mscoree.dll
    c:\windows\system32\URTTemp\mscoree.dll.local
    c:\windows\system32\URTTemp\mscorsn.dll
    c:\windows\system32\URTTemp\mscorwks.dll
    c:\windows\system32\URTTemp\msvcr71.dll
    c:\windows\system32\URTTemp\regtlib.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-04-02 to 2013-05-02 )))))))))))))))))))))))))))))))
    .
    .
    2013-05-01 03:13 . 2013-05-01 03:13 -------- d-----w- C:\JRT
    2013-04-28 20:51 . 2013-05-01 13:19 -------- d-----w- C:\Jts
    2013-04-28 19:46 . 2013-04-28 19:46 -------- d-----w- C:\Genesis
    2013-04-27 21:36 . 2013-04-27 21:37 -------- d-----w- C:\71a4ed12c6783bd016e5
    2013-04-27 14:23 . 2013-04-27 14:23 -------- d-----w- C:\$AVG
    2013-04-27 13:46 . 2013-04-27 13:46 -------- d-----w- C:\NVIDIA
    2013-04-27 07:11 . 2013-04-27 07:12 -------- d-----w- C:\Inetpub
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-03-08 08:36 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
    2013-03-07 01:32 . 2006-02-28 12:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-03-07 00:50 . 2004-08-03 22:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-03-02 02:06 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2013-03-02 02:06 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2013-03-02 02:06 . 2006-02-28 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2013-03-02 01:25 . 2006-02-28 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
    2013-03-02 01:08 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2013-03-01 17:32 . 2013-03-01 17:32 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
    2013-02-27 06:40 . 2013-02-27 06:40 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
    2013-02-14 10:52 . 2013-02-14 10:52 182072 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2013-02-12 00:32 . 2006-02-28 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
    2013-02-08 11:37 . 2013-02-08 11:37 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2013-02-08 11:37 . 2013-02-08 11:37 245048 ----a-w- c:\windows\system32\drivers\avglogx.sys
    2013-02-08 11:37 . 2013-02-08 11:37 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
    2013-02-08 11:37 . 2013-02-08 11:37 170808 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2013-02-08 11:37 . 2013-02-08 11:37 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
    2013-04-10 06:58 . 2013-04-27 08:03 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvMediaCenter"="NvMCTray.dll" [2013-01-31 108832]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2013-01-31 15517472]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
    "AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-03-14 4394032]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    AdFender.lnk - c:\program files\AdFender\AdFender.exe [2012-6-20 2772112]
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2013\avgrsx.exe /sync /restart
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CodecPackUpdateChecker.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk
    backup=c:\windows\pss\CodecPackUpdateChecker.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VTAgentReboot.exe]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VTAgentReboot.exe
    backup=c:\windows\pss\VTAgentReboot.exeCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
    2006-08-03 00:17 9134080 ----a-w- c:\program files\Intel Audio Studio\IntelAudioStudio.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
    2008-04-14 12:41 177152 ----a-w- c:\windows\system32\mqrt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2013-01-31 09:02 15517472 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2013-01-31 11:22 1982312 ----a-w- c:\program files\NVIDIA Corporation\nview\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2013-03-12 11:32 253816 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2013-04-28 00:37 295512 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "avast! Antivirus"=2 (0x2)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Marvell\\61xx\\Apache2\\bin\\Apache.exe"=
    "c:\\WINDOWS\\system32\\mqsvc.exe"=
    "c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
    "c:\\Program Files\\AVG\\AVG2013\\avgnsx.exe"=
    "c:\\Program Files\\AVG\\AVG2013\\avgdiagex.exe"=
    "c:\\Program Files\\AVG\\AVG2013\\avgmfapx.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Documents and Settings\\Joshua\\Application Data\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\AdFender\\AdFender.exe"=
    .
    R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2/8/2013 7:37 AM 60216]
    R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2/8/2013 7:37 AM 245048]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2/8/2013 7:37 AM 39224]
    R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [8/30/2006 3:43 AM 70784]
    R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2/27/2013 2:40 AM 208184]
    R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [3/1/2013 1:32 PM 22328]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2/8/2013 7:37 AM 170808]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2/14/2013 6:52 AM 182072]
    R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [2/19/2013 7:02 AM 282624]
    R2 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\61xx\svc\mvraidsvc.exe [8/9/2006 11:46 PM 114688]
    R2 MRUWebService;MRU Web Service;c:\program files\Marvell\61xx\Apache2\bin\Apache.exe [4/29/2006 5:47 AM 20541]
    R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [3/6/2013 5:21 AM 39056]
    R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\drivers\dc3d.sys [4/29/2013 10:41 AM 45288]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2013\avgidsagent.exe [2/28/2013 2:42 AM 4937264]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 1:08 PM 11336]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-04-28 c:\windows\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-854245398-343818398-839522115-1003.job
    - c:\program files\RealNetworks\RealDownloader\recordingmanager.exe [2013-03-06 09:23]
    .
    2013-05-02 c:\windows\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-854245398-343818398-839522115-1003.job
    - c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-03-06 09:21]
    .
    2013-05-02 c:\windows\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-854245398-343818398-839522115-1003.job
    - c:\program files\RealNetworks\RealDownloader\realupgrade.exe [2013-03-06 09:21]
    .
    2013-05-02 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-854245398-343818398-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 18:36]
    .
    2013-05-01 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-854245398-343818398-839522115-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2013-03-06 18:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    mStart Page = hxxp://www.google.com
    TCP: DhcpNameServer = 65.32.5.111 65.32.5.112
    FF - ProfilePath - c:\documents and settings\Joshua\Application Data\Mozilla\Firefox\Profiles\xav9wvmc.default\
    FF - prefs.js: browser.search.defaulturl -
    FF - prefs.js: browser.search.selectedEngine - Bing
    FF - prefs.js: browser.startup.homepage - google.com
    FF - ExtSQL: 2013-04-27 17:55; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-SigmatelSysTrayApp - sttray.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2013-05-02 11:18
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2013-05-02 11:20:51
    ComboFix-quarantined-files.txt 2013-05-02 15:20
    .
    Pre-Run: 433,530,941,440 bytes free
    Post-Run: 435,804,614,656 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - FE474E6551C1D8909E335CD3F5926A82
     
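As an added example, not part of this thread and not code from ComboFix or MajorGeeks: a small Python triage script that pulls out the parts of a ComboFix log a reviewer reads first (the Run key autostarts, the Windows Firewall state and its application exceptions, and the driver/service list) and turns them into a short findings list. It runs over a constructed excerpt modelled on the log posted above. The section layout, the regular expressions, and the rule that flags auto-start services living outside c:\windows are assumptions about the log format as it appears in this thread, and the output is a reviewer's checklist rather than a verdict on any entry.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted in this thread (not the full log).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="NvMCTray.dll" [2013-01-31 108832]
"AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-03-14 4394032]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AdFender\\AdFender.exe"=
.
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2013\avgwdsvc.exe [2/19/2013 7:02 AM 282624]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 1:08 PM 11336]
"""

# Assumed layout: a registry key in [brackets], its values beneath it, a lone "." ends the block.
KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[([^\]]*)\])?')
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')
AUTH_APP_RE = re.compile(r'^"(.+)"=\s*$')
# Service lines: R=running / S=stopped, digit = start type (0 boot, 1 system, 2 auto, 3 manual).
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[(.+)\]$")


def parse_registry_points(log):
    """Map each registry key shown under 'Reg Loading Points' to the value lines beneath it."""
    points = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == ".":          # block separator: close the current key
            current = None
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            points.setdefault(current, [])
        elif current is not None:
            points[current].append(line)
    return points


def parse_services(log):
    """Parse the R0/R1/R2/S3-style driver and service lines into dicts."""
    services = []
    for raw in log.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            state, start_type, name, display, path, stamp = m.groups()
            services.append({"name": name, "display": display, "path": path,
                             "running": state == "R", "start": int(start_type),
                             "stamp": stamp})
    return services


def review(log):
    """Produce a reviewer's checklist of the entries worth a second look."""
    findings = []
    for key, values in parse_registry_points(log).items():
        k = key.lower()
        if k.endswith("firewallpolicy\\standardprofile"):
            for v in values:
                m = FIREWALL_RE.match(v)
                if m and m.group(1) == "0":
                    findings.append("firewall: Windows Firewall is disabled for the standard profile")
        elif k.endswith("\\authorizedapplications\\list"):
            for v in values:
                m = AUTH_APP_RE.match(v)
                if m:   # the log doubles backslashes inside quoted paths; fold them back
                    findings.append("firewall: exception for " + m.group(1).replace("\\\\", "\\"))
        elif k.endswith("\\currentversion\\run"):
            for v in values:
                m = RUN_VALUE_RE.match(v)
                if m:
                    findings.append("autostart: %s -> %s" % (m.group(1), m.group(2)))
    # Heuristic (assumption): auto-started services outside c:\windows deserve a look.
    for svc in parse_services(log):
        if svc["start"] <= 2 and not svc["path"].lower().startswith("c:\\windows\\"):
            findings.append("service: %s (%s) auto-starts from %s"
                            % (svc["name"], svc["display"], svc["path"]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Running it on the excerpt lists the two Run-key autostarts, reports that the firewall is off for the standard profile, lists the two firewall exceptions, and flags the auto-started AVG watchdog service because it lives under Program Files; the manual-start cpudrv driver is parsed but not flagged. A reviewer then checks each listed path against what the user knows they installed, which is the same question TimW asks in the thread.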
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I asked you to attach it, not post it inline.

    It removed some items, so what issues are you having now, if any?
     
  7. thundercats7

    thundercats7 Private E-2

    I'm not having any problems anymore. I just wanted someone to review my Combofix log, in case it had any items that needed to be taken care of above and beyond what Combofix corrected.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I can't say for certain without looking at logs after doing the Read and Run First instructions.
     
