
ComboFix 13-09-13.03 - beer 09/14/2013 7:05.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.874.66.1033.18.3071.2467 [GMT 7:00]
Running from: c:\documents and settings\beer\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\beer\Application Data\LocalLow
c:\documents and settings\beer\Application Data\LocalLow\PlayNC\LicenseVersion.ini
c:\documents and settings\beer\Application Data\LocalLow\PlayNC\NCLauncherInfo.dat
c:\documents and settings\beer\Application Data\LocalLow\PlayNC\NCSetupMng.exe
c:\documents and settings\beer\Application Data\LocalLow\PlayNC\unicows.dll
c:\documents and settings\beer\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
c:\program files\Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2013-08-14 to 2013-09-14 )))))))))))))))))))))))))))))))
.
.
2013-09-06 01:17 . 2013-09-06 01:17 -------d-----w c:\windows\Logs
2013-09-06 01:16 . 2013-09-06 01:16 -------d-----w C:\Dragonfly
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-01-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2010-12-23 14:09 67168 ----a-w c:\program files\Internet Download Manager\IDMShellExt.dll

.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GarenaPlus"="c:\program files\Garena Plus\GarenaMessenger.exe" [2013-09-05 9846576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-12-30 19972712]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-09-07 43608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-02-10 15494464]
"NvMediaCenter"="NvMCTray.dll" [2012-02-10 108352]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-02-10 1634112]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-07-27 98304]
"GarenaCIG"="c:\documents and settings\All Users\Application Data\GarenaCIG\3.0.865\GarenaCIG.exe" [2013-04-21 989936]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [2008-04-14 15360]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2011-01-11 3301376]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
2010-05-20 15:01 65536 ----a-w c:\windows\system32\LogonDll.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute
REG_MULTI_SZ
autocheck autochk /k:C /k:D *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders
schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2010-09-07 10:40 1976920 ----a-w c:\windows\system32\xRaidSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 05:49 932288 ----a-w c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-01-30 15:45 35736 ----a-w c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-12-02 22:56 136176 ----atw c:\documents and settings\beer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-06-21 02:58 19875432 ----a-r c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\SmartNetClient.Exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\HitsPlay\\PointBlank\\PointBlank.exe"=
"c:\winner\BornToFire\cxPatchClient.exe"= c:\winner\BornToFire\cxPatchClient.exe
*:Enabled:BornToFire
"c:\\GarenaDownload\\Games\\pbth\\PointBlank_GarenaPlus_Installer.exe"=
"c:\\Program Files\\GarenaPBTH\\GameData\\Apps\\PBTH\\PointBlank.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Garena Plus\\ggdllhost.exe"=
.
R0 DeepFrz;DeepFrz;c:\windows\system32\drivers\DeepFrz.sys [20/5/2553 22:04 153240]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [19/6/2554 15:14 420920]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [19/6/2554 15:09 96600]
R2 DFServ;DFServ;c:\program files\Faronics\Deep Freeze\Install C-0\DFServ.exe [20/5/2553 21:55 1073664]
R2 GarenaCIG;Garena Cafe Service;c:\documents and settings\All Users\Application Data\GarenaCIG\3.0.865\GarenaCIG.exe [21/4/2556 7:35 989936]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [31/8/2555 18:32 103040]
R3 tap0901-tcgnw-x86;TAP-Win32 Adapter V9 (TCGNetwork);c:\windows\system32\drivers\tap0901-tcgnw-x86.sys [17/6/2554 20:08 26624]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [14/8/2556 11:10 3291008]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [21/6/2556 9:53 162408]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [19/6/2554 15:20 1691480]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows
\system32\drivers\EagleXNt.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service -> c:\windows\system32\GameMon.des -service [?]
S3 vtany;vtany;\??\c:\windows\vtany.sys --> c:\windows\vtany.sys [?]
S3 xhunter1;xhunter1;\??\c:\windows\xhunter1.sys --> c:\windows\xhunter1.sys [?]
S3 xsherlock;xsherlock;c:\windows\system32\xsherlock.xem [23/8/2555 6:37 662112]

.
Contents of the 'Scheduled Tasks' folder
.
2013-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-308236825-1801674531-1003Core.job
- c:\documents and settings\beer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-02 22:56]
.
2013-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-308236825-1801674531-1003UA.job
- c:\documents and settings\beer\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-12-02 22:56]
.
.
------- Supplementary Scan ------.
uDefault_Search_URL = hxxp://www.google.com/
IE: IDM - c:\program files\Internet Download Manager\IEGet
IE: FLV IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: IDM - c:\program files\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 192.168.1.1
DPF: {27AD4028-716B-4383-B8FA-A94C6CFCEC37} - hxxp://btr.gg.in.th/Spec1/ActiveX/WZOBCmnCtrl.cab
DPF: {8E82893F-7ED1-4811-A247-580DCC0E2629} - hxxp://sf-web.gg.in.th/activex/StarterSFTDE.cab
DPF: {FA73B1B9-D6F0-4420-AEB4-B3C973B2A115} - hxxp://update.hitsplay.com:8080/UniUpdTool/system/NCLauncher.cab
.
- - - - ORPHANS REMOVED - - - .
HKLM-Run-TaskTray - (no file)
AddRemove-PlayNCLauncher - c:\documents and settings\beer\Application Data\LocalLow\PlayNC\NCSetupMng.exe
AddRemove-XSHOT [2.1.6.392] - c:\progra~1\Kingsoft\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-14 07:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\xsherlock]
"ImagePath"="c:\windows\system32\xsherlock.xem"

.
--------------------- LOCKED REGISTRY KEYS --------------------.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):b1,d9,69,75,f7,22,e2,fe,95,80,9f,7c,37,51,06,30,5c,1b,e7,f5,36,
ba,b2,fc,f6,88,fb,06,42,22,17,13,84,58,8e,1a,72,9f,fb,5d,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ab6db133-4a2a-404a-a402-ea6b9f5c510d}]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes --------------------.
- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\system32\LogonDll.dll
.
Completion time: 2013-09-14 07:10:38
ComboFix-quarantined-files.txt 2013-09-14 00:10
.
Pre-Run: 7,584,612,352 bytes free
Post-Run: 11,768,008,704 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional"
/noexecute=optin /fastdetect
.
- - End Of File - - 8A328451A7BEDA7F0B96E6C9F1F1121B
8F558EB6672622401DA993E1E865C861
