Find your solution!

mopoy · 12-Oct-2009, 10:56 PM #1

I think I have the Conflicker Worm and have done numerous anti-virus scans along with spyware and adware scans but can't seem to shake this thing that has its grips on my computer. I read about ComboFix on multiple tech sites so I downloaded the how-to guide and the application and ran it exactly as the guide said to and now I don't know what to do next.

HEEEELLLLLPPPPPP!!!!!!!!! Please thanks here is my ComboFix log

ComboFix 09-10-12.02 - rnchi316 10/12/2009 19:14.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1234 [GMT -7:00]
Running from: c:\documents and settings\rnchi316\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091012-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\msa.exe
c:\windows\msb.exe
c:\windows\system32\Cache
c:\windows\system32\drivers\etc\lmhosts

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_NWCWORKSTATION
-------\Service_Iprip
-------\Service_NWCWorkstation

((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-12 23:21 . 2009-10-12 23:21 -------- d-----w- c:\windows\system32\Lang
2009-10-12 18:37 . 2009-10-12 18:37 -------- d-----w- c:\windows\system32\RTCOM
2009-10-12 18:37 . 2008-04-14 12:41 4096 -c--a-w- c:\windows\system32\dllcache\ksuser.dll
2009-10-12 18:37 . 2008-04-14 12:41 4096 ----a-w- c:\windows\system32\ksuser.dll
2009-10-12 18:37 . 2008-04-14 07:49 146048 -c--a-w- c:\windows\system32\dllcache\portcls.sys
2009-10-12 18:37 . 2008-04-14 07:49 146048 ----a-w- c:\windows\system32\drivers\portcls.sys
2009-10-12 18:37 . 2008-04-14 07:15 60160 -c--a-w- c:\windows\system32\dllcache\drmk.sys
2009-10-12 18:37 . 2008-04-14 07:15 60160 ----a-w- c:\windows\system32\drivers\drmk.sys
2009-10-12 18:37 . 2009-10-12 22:44 -------- d-----w- c:\windows\LastGood.Tmp
2009-10-12 18:36 . 2009-10-12 18:36 -------- d-----w- c:\documents and settings\LocalService\Application Data\PeerNetworking
2009-10-12 18:35 . 2004-11-02 15:58 163840 ----a-w- c:\windows\system32\igfxres.dll
2009-10-12 18:01 . 2008-04-14 12:42 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2009-10-12 16:45 . 2009-10-12 16:45 -------- d-----w- c:\documents and settings\rnchi316\Local Settings\Application Data\Yahoo
2009-10-12 16:43 . 2009-10-12 17:03 -------- d-----w- c:\documents and settings\rnchi316\Local Settings\Application Data\Yahoo!
2009-10-12 16:43 . 2009-10-12 18:01 -------- d-----w- c:\windows\ServicePackFiles
2009-10-12 16:18 . 2008-06-13 11:05 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-10-12 16:18 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-10-12 16:18 . 2009-05-21 18:46 268288 -c----w- c:\windows\system32\dllcache\httpext.dll
2009-10-12 16:14 . 2008-05-08 14:02 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-10-12 16:14 . 2008-10-24 11:21 455296 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-12 16:14 . 2008-12-11 10:57 333952 -c----w- c:\windows\system32\dllcache\srv.sys
2009-10-12 16:14 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-12 16:13 . 2008-04-11 19:04 691712 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-10-12 16:12 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-12 16:12 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-12 16:12 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-12 16:12 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-12 16:12 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-12 16:12 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-12 16:12 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-12 16:12 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-12 16:12 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-12 16:12 . 2009-02-06 11:08 2189056 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-10-12 16:12 . 2009-02-06 11:06 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-10-12 16:12 . 2009-02-06 10:32 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-10-12 16:11 . 2008-10-15 16:34 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-10-12 16:10 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-12 16:10 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-12 16:06 . 2007-08-11 03:46 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-12 16:06 . 2009-10-12 18:08 -------- d--h--w- c:\windows\$hf_mig$
2009-10-12 15:42 . 2008-12-16 12:30 354304 -c----w- c:\windows\system32\dllcache\winhttp.dll
2009-10-12 15:16 . 2009-10-12 15:23 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-12 14:46 . 2009-10-12 15:16 -------- d-----w- c:\documents and settings\rnchi316\Application Data\Apple Computer
2009-10-12 14:46 . 2009-05-18 21:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-12 14:46 . 2008-04-17 20:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-12 14:45 . 2009-10-12 14:45 -------- d-----w- c:\program files\iPod
2009-10-12 14:45 . 2009-10-12 14:46 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-12 14:45 . 2009-10-12 14:46 -------- d-----w- c:\program files\iTunes
2009-10-12 14:45 . 2009-10-12 14:45 -------- d-----w- c:\program files\Bonjour
2009-10-12 14:44 . 2009-10-12 14:45 -------- d-----w- c:\program files\QuickTime
2009-10-12 14:44 . 2009-10-12 14:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-10-12 14:44 . 2009-10-12 14:44 -------- d-----w- c:\documents and settings\rnchi316\Local Settings\Application Data\Apple
2009-10-12 14:44 . 2009-10-12 14:44 -------- d-----w- c:\program files\Apple Software Update
2009-10-12 14:44 . 2009-10-12 14:46 -------- dc----w- c:\windows\system32\DRVSTORE
2009-10-12 14:43 . 2009-10-12 14:45 -------- d-----w- c:\program files\Common Files\Apple
2009-10-12 14:43 . 2009-10-12 14:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-12 14:42 . 2009-10-12 15:16 -------- d-----w- c:\documents and settings\rnchi316\Local Settings\Application Data\Apple Computer
2009-10-12 14:16 . 2009-10-12 14:16 0 ----a-w- c:\windows\nsreg.dat
2009-10-12 14:16 . 2009-10-12 14:16 -------- d-----w- c:\documents and settings\rnchi316\Local Settings\Application Data\Mozilla
2009-10-12 14:10 . 2009-10-12 14:10 -------- d-s---w- c:\documents and settings\rnchi316\UserData
2009-10-12 14:08 . 2009-10-12 14:08 -------- d-----w- c:\program files\Intel
2009-10-12 14:08 . 2009-10-12 14:08 -------- d-----w- C:\Intel10.3
2009-10-12 13:30 . 2009-10-12 13:30 -------- d-----w- c:\documents and settings\rnchi316\WINDOWS
2009-10-12 13:30 . 1998-10-29 23:45 306688 ----a-w- c:\windows\IsUninst.exe
2009-10-12 13:15 . 2008-04-14 12:42 10752 ----a-w- c:\windows\system32\smtpapi.dll
2009-10-12 12:21 . 2009-10-12 12:21 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-12 12:08 . 2009-10-12 12:21 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-12 12:08 . 2009-10-12 12:08 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-13 02:08 . 2009-10-12 11:20 13104 ----a-w- c:\documents and settings\rnchi316\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 23:39 . 2009-10-12 16:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-12 16:43 . 2009-10-12 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-12 16:43 . 2009-10-12 16:41 -------- d-----w- c:\program files\Yahoo!
2009-10-12 16:43 . 2009-10-12 16:43 -------- d-----w- c:\documents and settings\rnchi316\Application Data\Yahoo!
2009-08-05 09:01 . 2004-08-03 12:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 04:37 . 2004-08-03 12:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:37 . 2001-08-23 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-07-17 19:01 . 2004-08-03 12:56 58880 ----a-w- c:\windows\system32\atl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-09-25 5145912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-02 126976]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-09-21 86016]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-09-21 2807808]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Icmp Settings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/12/2009 8:28 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/12/2009 8:28 AM 20560]
R2 NwSapAgent;SAP Agent;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 5:56 AM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
c:\windows\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\rnchi316\Application Data\Mozilla\Firefox\Profiles\fwwun1qw.default\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-IgfxTray - c:\windows\system32\igfxtray.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 19:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-10-13 19:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 02:25

Pre-Run: 23,793,348,608 bytes free
Post-Run: 24,746,201,088 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

207 --- E O F --- 2009-10-12 16:50

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for: