
Combofix for Win32.Sirefef.O

Discussion in 'Virus & Other Malware Removal' started by Mansoor11, Nov 8, 2011.

Thread Status:
Not open for further replies.
Mansoor11 (Thread Starter). Joined: Nov 8, 2011. Messages: 1
    Dear Techguys,

    I've had the most frightening three days with the trojan Win32.Sirefef.O, which had hijacked nearly everything related to security and the internet on my computer.

    While reading posts in the forum, I found a few almost exactly similar problems and decided to take the risk of running TDSSKiller and ComboFix, as was suggested in those posts, because I was already mentally prepared to have my hard disk formatted.

    TDSSKiller did show two high-risk threats but was eventually unable to deal with them. Then, as a last resort, I downloaded and ran ComboFix. It took a long while, but I think it has worked: earlier, Windows Defender was constantly showing me the presence of the trojan whenever I ran a quick scan, but now it is giving me the message that my computer is running properly. My internet connection was lost and I had to get technical help to reset it. The endless series of admirablesearchsystem.com, marveloussearchsystem.com, spelndidsearchsystem.com... has also vanished from the browser.

    I need your help in interpreting the ComboFix log. Could you please help me with this? I only need to know whether I can safely assume that my computer is totally clean now. Is it safe for me to access my email from this machine? Can there still be a danger of identity theft or theft of confidential data? I'd be really grateful for the information. Here is the ComboFix log:

    ******************************************************************************

    ComboFix 11-11-08.02 - Bill gates 11/08/2011 20:37:17.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.1978.1313 [GMT 5.5:30]
    Running from: c:\users\Bill gates\Favorites\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Windows Searchqu Toolbar
    c:\users\Bill gates\agent.exe
    c:\users\Bill gates\AppData\Local\3145af8c\U
    c:\users\Bill gates\AppData\Local\3145af8c\U\[email protected]
    c:\users\Bill gates\AppData\Local\3145af8c\U\[email protected]
    c:\users\Bill gates\AppData\Local\3145af8c\U\[email protected]
    c:\users\Bill gates\AppData\Local\3145af8c\X
    c:\users\Bill gates\DRTCP021.exe
    c:\windows\$NtUninstallKB24886$
    c:\windows\$NtUninstallKB24886$\2594879772
    c:\windows\$NtUninstallKB24886$\826650508\@
    c:\windows\$NtUninstallKB24886$\826650508\L\vhtmwbun
    c:\windows\$NtUninstallKB24886$\826650508\U\@00000001
    c:\windows\$NtUninstallKB24886$\826650508\U\@000000c0
    c:\windows\$NtUninstallKB24886$\826650508\U\@000000cb
    c:\windows\$NtUninstallKB24886$\826650508\U\@000000cf
    c:\windows\$NtUninstallKB24886$\826650508\U\@80000000
    c:\windows\$NtUninstallKB24886$\826650508\U\@800000c0
    c:\windows\$NtUninstallKB24886$\826650508\U\@800000cb
    c:\windows\$NtUninstallKB24886$\826650508\U\@800000cf
    c:\windows\system32\c_58470.nl_
    c:\windows\system32\c_58470.nls
    c:\windows\system32\drivers\
    .
    Infected copy of c:\windows\system32\drivers\smb.sys was found and disinfected
    Restored copy from - The cat found it :)
    Infected copy of c:\program files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe was found and disinfected
    Restored copy from - c:\program files\PC Tools\PC Tools Security\BDT\
    .
    Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected
    Restored copy from - c:\program files\Google\Update\
    .
    Infected copy of c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe was found and disinfected
    Restored copy from - c:\program files\Hewlett-Packard\Shared\
    .
    c:\program files\Airtel NetXpert\bin\sprtsvc.exe . . . is infected!!
    c:\program files\Airtel NetXpert\bin\sprtsvc.exe . . . was deleted!! You should re-install the program it pertains to
    .
    Infected copy of c:\program files\Airtel NetXpert\bin\tgsrvc.exe was found and disinfected
    Restored copy from - c:\program files\Airtel NetXpert\bin\
    .
    Infected copy of c:\windows\system32\DRIVERS\xaudio.exe was found and disinfected
    Restored copy from - c:\windows\System32\DriverStore\FileRepository\hpqherzm.inf_8705e467\XAudio.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_3145af8c
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-10-08 to 2011-11-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-11-08 14:35 . 2011-11-08 14:35 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-11-07 05:39 . 2008-04-18 02:33 73216 ----a-w- c:\windows\system32\msiexec.exe
    2011-11-07 05:39 . 2008-04-18 02:33 2560 ----a-w- c:\windows\system32\msimsg.dll
    2011-11-07 05:39 . 2008-04-18 05:30 332800 ----a-w- c:\windows\system32\msihnd.dll
    2011-11-07 05:39 . 2008-04-18 05:30 2241536 ----a-w- c:\windows\system32\msi.dll
    2011-11-06 18:26 . 2011-10-25 08:08 767952 ----a-w- c:\windows\BDTSupport.dll
    2011-11-06 18:26 . 2011-09-28 07:44 56840 ----a-w- c:\windows\system32\drivers\PCTBD.sys
    2011-11-06 18:26 . 2011-10-25 08:08 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2011-11-06 18:26 . 2011-10-25 08:08 2291664 ----a-w- c:\windows\PCTBDCore.dll
    2011-11-06 18:26 . 2011-10-25 08:08 1681360 ----a-w- c:\windows\PCTBDRes.dll
    2011-11-06 18:26 . 2011-11-06 18:26 -------- d-----w- c:\program files\PC Tools
    2011-11-06 18:12 . 2011-11-07 05:23 -------- d-----w- c:\program files\Common Files\PC Tools
    2011-11-06 18:12 . 2011-10-28 05:32 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
    2011-11-06 18:11 . 2011-11-07 05:20 -------- d-----w- c:\programdata\PC Tools
    2011-11-06 18:11 . 2011-11-06 18:11 -------- d-----w- c:\users\Bill gates\AppData\Roaming\TestApp
    2011-11-06 17:39 . 2011-11-06 20:48 -------- d-----w- c:\program files\Norton PC Checkup
    2011-11-06 15:06 . 2011-11-06 15:06 -------- d-----w- c:\program files\Emsisoft HiJackFree
    2011-11-06 11:48 . 2011-11-06 11:48 -------- d-----w- c:\users\Bill gates\AppData\Local\Mozilla
    2011-11-06 10:59 . 2011-11-06 10:59 -------- d-----w- c:\users\Bill gates\AppData\Roaming\Malwarebytes
    2011-11-06 10:58 . 2011-11-06 10:58 -------- d-----w- c:\programdata\Malwarebytes
    2011-11-06 10:58 . 2011-11-08 14:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-11-06 10:51 . 2011-11-06 10:51 -------- d-----w- c:\program files\Trend Micro
    2011-11-06 07:26 . 2011-11-06 07:26 -------- d-----w- c:\users\Bill gates\AppData\Local\SupportSoft
    2011-11-06 07:26 . 2011-11-06 07:26 -------- d-----w- c:\programdata\SupportSoft
    2011-11-06 06:10 . 2011-11-06 07:08 -------- d-----w- c:\users\Bill gates\AppData\Roaming\IObit
    2011-11-06 06:10 . 2011-11-06 06:10 -------- d-----w- c:\program files\IObit
    2011-11-05 16:48 . 2011-11-05 16:48 -------- d-sh--w- c:\windows\system32\%APPDATA%
    2011-11-05 16:02 . 2011-10-17 20:58 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{381FB97F-024F-4DA0-B121-3BFB328A369B}\mpengine.dll
    2011-11-05 15:25 . 2011-11-05 15:25 -------- d-----w- c:\users\Bill gates\AppData\Roaming\F-Secure
    2011-11-05 14:31 . 2011-11-05 14:31 -------- d-----w- c:\programdata\boost_interprocess
    2011-11-05 14:20 . 2011-11-08 15:16 -------- d-sh--w- c:\users\Bill gates\AppData\Local\3145af8c
    2011-11-05 13:24 . 2011-11-06 07:43 -------- d-----w- c:\users\Bill gates\AppData\Local\jZip
    2011-11-05 13:24 . 2011-11-05 13:24 -------- d-----w- c:\program files\jZip
    2011-11-03 17:35 . 2011-11-06 08:26 -------- d-----w- c:\users\Bill gates\AppData\Roaming\NCH Software
    2011-11-03 14:22 . 2006-11-10 09:35 18688 ----a-w- c:\windows\system32\drivers\afc.sys
    2011-11-03 14:17 . 2002-01-20 02:03 131072 ----a-w- c:\windows\system\SP5X_32.DLL
    2011-11-02 17:05 . 2011-11-05 16:32 25248 ----a-w- c:\windows\system32\drivers\AmgHips.sys
    2011-10-29 18:25 . 2011-11-03 17:35 -------- d-----w- c:\programdata\NCH Software
    2011-10-29 04:52 . 2011-10-29 04:52 -------- d-----w- c:\windows\CheckSur
    2011-10-27 17:57 . 2010-09-06 16:24 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2011-10-27 17:57 . 2010-09-06 16:23 17920 ----a-w- c:\windows\system32\netevent.dll
    2011-10-27 17:57 . 2009-08-24 12:16 378368 ----a-w- c:\windows\system32\winhttp.dll
    2011-10-27 17:41 . 2008-06-26 03:29 801280 ----a-w- c:\windows\system32\NaturalLanguage6.dll
    2011-10-27 17:41 . 2008-06-26 01:45 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
    2011-10-27 17:41 . 2008-06-26 01:45 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
    2011-10-27 17:31 . 2011-10-27 17:31 -------- d-----w- C:\AI_RecycleBin
    2011-10-27 17:27 . 2011-10-27 17:27 -------- d-----w- c:\users\Bill gates\AppData\Roaming\RegistryKeys
    2011-10-27 16:59 . 2011-10-27 16:59 -------- d-----w- c:\users\Bill gates\AppData\Roaming\com.w3i.FlipToast
    2011-10-27 16:58 . 2011-10-27 16:58 -------- d-----w- c:\program files\Free Offers from Freeze.com
    2011-10-27 16:58 . 2011-10-27 17:30 -------- d-----w- c:\program files\fliptoast
    2011-10-27 16:57 . 2011-10-27 17:31 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
    2011-10-27 16:56 . 2011-10-27 17:44 -------- d-----w- c:\program files\PC Speed Maximizer
    2011-10-25 18:38 . 2011-05-24 13:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-10-24 14:21 . 2010-04-07 15:40 572592 ----a-w- c:\windows\system32\msvcp50.dll
    2011-10-24 14:20 . 2011-11-05 16:56 -------- d-----w- c:\program files\airtel pc secure
    2011-10-24 14:20 . 2011-11-05 14:57 -------- d-----w- c:\programdata\fssg
    2011-10-24 14:18 . 2011-11-05 16:51 -------- d-----w- c:\programdata\f-secure
    2011-10-23 14:52 . 2011-10-23 14:52 -------- d-----w- c:\program files\Common Files\Java
    2011-10-23 12:56 . 2011-11-06 07:27 -------- d-----w- c:\program files\Common Files\SupportSoft
    2011-10-23 12:56 . 2011-11-06 07:26 -------- d-----w- c:\program files\Airtel NetXpert
    2011-10-23 12:54 . 2011-10-02 23:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-10-23 12:54 . 2011-10-23 14:52 -------- d-----w- c:\program files\Java
    2011-10-17 07:03 . 2011-10-20 18:40 -------- d-----w- c:\users\Bill gates\AppData\Roaming\Sammsoft
    2011-10-16 13:56 . 2009-11-08 05:25 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2011-10-16 13:56 . 2009-11-08 05:25 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2011-10-16 13:56 . 2009-11-08 05:25 297808 ----a-w- c:\windows\system32\mscoree.dll
    2011-10-16 13:56 . 2009-11-08 05:25 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2011-10-16 13:56 . 2009-11-08 05:25 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2011-10-16 12:41 . 2008-06-20 01:14 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
    2011-10-16 12:41 . 2008-06-20 01:14 97800 ----a-w- c:\windows\system32\infocardapi.dll
    2011-10-16 12:41 . 2008-06-20 01:14 37384 ----a-w- c:\windows\system32\infocardcpl.cpl
    2011-10-16 12:41 . 2008-06-20 01:14 11264 ----a-w- c:\windows\system32\icardres.dll
    2011-10-16 12:41 . 2008-06-20 01:14 622080 ----a-w- c:\windows\system32\icardagt.exe
    2011-10-16 12:41 . 2008-06-20 01:14 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
    2011-10-16 12:31 . 2008-07-27 18:03 158720 ----a-w- c:\windows\system32\mscorier.dll
    2011-10-16 12:31 . 2008-07-27 18:03 83968 ----a-w- c:\windows\system32\mscories.dll
    2011-10-16 06:57 . 2010-10-15 14:08 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-16 06:57 . 2010-10-15 14:08 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-16 06:57 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
    2011-10-16 06:57 . 2010-05-27 19:16 81920 ----a-w- c:\windows\system32\iccvid.dll
    2011-10-16 06:45 . 2011-02-16 13:24 292864 ----a-w- c:\windows\system32\atmfd.dll
    2011-10-16 06:45 . 2010-06-16 15:12 72704 ----a-w- c:\windows\system32\fontsub.dll
    2011-10-16 06:45 . 2011-02-16 15:29 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-10-16 06:45 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
    2011-10-16 06:45 . 2008-06-19 03:31 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
    2011-10-16 06:45 . 2010-09-10 16:35 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2011-10-16 06:45 . 2010-09-10 16:37 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2011-10-16 06:45 . 2010-12-28 14:57 409600 ----a-w- c:\windows\system32\odbc32.dll
    2011-10-16 06:45 . 2010-12-28 14:56 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-10-16 06:45 . 2010-12-28 14:56 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-10-16 06:44 . 2010-12-28 14:56 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
    2011-10-16 06:44 . 2010-12-28 14:56 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-10-16 06:44 . 2010-12-28 14:56 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-10-16 06:44 . 2009-08-14 16:29 104960 ----a-w- c:\windows\system32\netiohlp.dll
    2011-10-16 06:44 . 2009-08-14 14:16 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
    2011-10-16 06:44 . 2009-08-14 14:16 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
    2011-10-16 06:44 . 2009-08-14 14:16 19968 ----a-w- c:\windows\system32\ARP.EXE
    2011-10-16 06:44 . 2009-08-14 14:16 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
    2011-10-16 06:44 . 2009-08-14 14:16 10240 ----a-w- c:\windows\system32\finger.exe
    2011-10-16 06:44 . 2009-08-14 14:16 17920 ----a-w- c:\windows\system32\ROUTE.EXE
    2011-10-16 06:44 . 2009-08-14 14:16 11264 ----a-w- c:\windows\system32\MRINFO.EXE
    2011-10-16 06:43 . 2009-09-10 17:30 213504 ----a-w- c:\windows\system32\msv1_0.dll
    2011-10-16 06:43 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
    2011-10-16 06:43 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
    2011-10-16 06:42 . 2008-06-26 03:29 303616 ----a-w- c:\windows\system32\wmpeffects.dll
    2011-10-16 06:42 . 2011-04-29 12:49 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
    2011-10-16 06:42 . 2011-04-29 12:49 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2011-10-16 06:37 . 2010-08-31 15:41 954752 ----a-w- c:\windows\system32\mfc40.dll
    2011-10-16 06:37 . 2010-08-31 15:41 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2011-10-16 06:37 . 2010-06-18 16:43 36352 ----a-w- c:\windows\system32\rtutils.dll
    2011-10-16 06:36 . 2009-09-10 15:21 1418752 ----a-w- c:\program files\Windows Media Player\setup_wm.exe
    2011-10-16 06:36 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
    2011-10-16 06:34 . 2010-04-16 16:10 501760 ----a-w- c:\windows\system32\usp10.dll
    2011-10-16 06:34 . 2010-10-12 13:52 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
    2011-10-16 06:34 . 2010-10-12 13:52 515584 ----a-w- c:\program files\Windows Mail\wab.exe
    2011-10-16 06:34 . 2010-10-12 15:48 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
    2011-10-16 06:26 . 2011-02-22 12:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
    2011-10-16 06:26 . 2009-07-11 19:32 513024 ----a-w- c:\windows\system32\wlansvc.dll
    2011-10-16 06:26 . 2009-07-11 19:32 302592 ----a-w- c:\windows\system32\wlansec.dll
    2011-10-16 06:26 . 2009-07-11 19:32 293376 ----a-w- c:\windows\system32\wlanmsm.dll
    2011-10-16 06:26 . 2009-07-11 19:29 127488 ----a-w- c:\windows\system32\L2SecHC.dll
    2011-10-16 06:26 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
    2011-10-16 06:26 . 2011-04-14 14:24 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
    2011-10-15 21:50 . 2008-04-30 05:36 454656 ----a-w- c:\program files\Common Files\System\msadc\msadce.dll
    2011-10-15 21:35 . 2010-02-20 23:39 24064 ----a-w- c:\windows\system32\nshhttp.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-08 14:31 . 2008-01-21 02:25 184320 ----a-w- c:\windows\system32\drivers\netbt.sys
    2011-09-29 07:09 . 2011-11-06 11:48 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [7] 2009-07-10 . 1E3FDB80E40A3CE645F229DFBDFB7694 . 247808 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18287_none_cce0e39c1d282219\shsvcs.dll
    [7] 2009-07-10 . 94285A002D2826D2FD1C0806455136E9 . 245760 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16883_none_caf6a3ce20052bcc\shsvcs.dll
    [7] 2009-07-10 . 6898575E052CE7CB1CB87622EF187CDA . 245760 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.21081_none_cb7e18273924cc2a\shsvcs.dll
    [7] 2009-07-10 . 6669714ACE90E9BB4E8C1D550C67B160 . 247808 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.22467_none_cd80222536358728\shsvcs.dll
    [7] 2009-07-10 . F0942394F642F5CE3D9A86474FA293FA . 247808 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.22169_none_cf6894a1335a0efa\shsvcs.dll
    [7] 2009-07-10 . C7230FBEE14437716701C15BE02C27B8 . 247808 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18063_none_ced8f61a1a41d726\shsvcs.dll
    [7] 2009-04-11 . C818C44C201898399BF999BB6B35D4E3 . 247296 . . [6.0.6000.16386] . . c:\windows\SoftwareDistribution\Download\bcfed137e95e2bc1b83ef80262a82b16\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18005_none_cf1bd6361a0f622e\shsvcs.dll
    [-] 2006-11-10 . 921D359C1168867B515C219ACCED9609 . 245248 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
    [-] 2006-11-10 . 921D359C1168867B515C219ACCED9609 . 245248 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\shsvcs.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "netxpert"="c:\program files\Airtel NetXpert\bin\sprtcmd.exe" [2010-05-10 206120]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http://www.avg.com/ww.special-unins...1fe4-b0d4f81a8999f5981f04537c5ec8468fd5234593" [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R2 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
    R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [x]
    R2 sprtsvc_netxpert;SupportSoft Sprocket Service (netxpert);c:\program files\Airtel NetXpert\bin\sprtsvc.exe [x]
    R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\Drivers\PCTBD.sys [2011-09-28 56840]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 AmgHips;AmgHips;c:\windows\system32\Drivers\AmgHips.sys [2011-11-05 25248]
    S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [2011-11-08 542672]
    S2 tgsrvc_netxpert;SupportSoft Repair Service (netxpert);c:\program files\Airtel NetXpert\bin\tgsrvc.exe [2011-11-08 185640]
    S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-30 112128]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-11-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-340964973-678269918-3303960693-1000Core.job
    - c:\users\Bill gates\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-11 14:33]
    .
    2011-11-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-340964973-678269918-3303960693-1000UA.job
    - c:\users\Bill gates\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-11 14:33]
    .
    2011-11-08 c:\windows\Tasks\User_Feed_Synchronization-{0D69AD46-DD8E-445B-8DF3-C055D8206A92}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-21 02:25]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.in/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
    TCP: Interfaces\{8EF00F45-E934-420E-B2F6-324AF75D0BCE}: NameServer = 59.179.243.70,203.94.243.70
    FF - ProfilePath - c:\users\Bill gates\AppData\Roaming\Mozilla\Firefox\Profiles\n5ggmbk1.default\
    FF - prefs.js: browser.search.selectedEngine - Search Defender
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
    HKLM-Run-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    SafeBoot-36752470.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-11-08 20:51
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    c:\windows\TEMP\TMP00000008F754D14B59A3D958 524288 bytes
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\WLANExt.exe
    c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
    .
    **************************************************************************
    .
    Completion time: 2011-11-08 20:55:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-11-08 15:25
    .
    Pre-Run: 21,511,729,152 bytes free
    Post-Run: 21,682,405,376 bytes free
    .
    - - End Of File - - D647079BEEF0A6723E882FC6E72580BC

    ***************************************************************************

    Thanking you in advance for your help,
    Sincerely,
    Mansoor Nazeer
    New Delhi
    India
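An added example, not part of the post above and not a tool from ComboFix's authors or any vendor: a small Python triage script that pulls the lines that actually answer "what did ComboFix do?" out of a log like the one posted. It separates plain deletions from files that were disinfected in place (and where the clean copy came from), infected executables that had to be deleted, services removed, and files catchme still found hidden after the run. The sample lines are copied verbatim from the log in the post; the naming patterns flagged as the dropper's storage (the fake `$NtUninstallKB…$` folder under `c:\windows` with `U\` and `L\` subfolders and `@`-prefixed names, an eight-hex-digit folder under `AppData\Local`, and a `Service_<same hex>` service) are taken from what this particular log shows, and the regular expressions that encode them are this example's own assumptions, not a published signature.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied verbatim from the ComboFix log in the post
# above (indentation dropped), so the parser runs offline without the full log.
SAMPLE_LOG = r"""ComboFix 11-11-08.02 - Bill gates 11/08/2011 20:37:17.1.2 - x86
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Windows Searchqu Toolbar
c:\users\Bill gates\AppData\Local\3145af8c\U
c:\windows\$NtUninstallKB24886$\826650508\U\@00000001
c:\windows\$NtUninstallKB24886$\826650508\L\vhtmwbun
c:\windows\system32\c_58470.nls
.
Infected copy of c:\windows\system32\drivers\smb.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\program files\Google\Update\GoogleUpdate.exe was found and disinfected
Restored copy from - c:\program files\Google\Update\
c:\program files\Airtel NetXpert\bin\sprtsvc.exe . . . is infected!!
c:\program files\Airtel NetXpert\bin\sprtsvc.exe . . . was deleted!! You should re-install the program it pertains to
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\Service_3145af8c
scanning hidden files ...
c:\windows\TEMP\TMP00000008F754D14B59A3D958 524288 bytes
hidden files: 1
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")            # "(((( Other Deletions ))))"
WINPATH_RE = re.compile(r"^[a-z]:\\", re.I)
DISINFECTED_RE = re.compile(r"^Infected copy of (.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (.+)$")
INFECTED_DELETED_RE = re.compile(r"^(.+?) \. \. \. was deleted!!")
REMOVED_SERVICE_RE = re.compile(r"^-------\\(.+)$")
HIDDEN_FILE_RE = re.compile(r"^([a-z]:\\.+?) (\d+) bytes$", re.I)

# Assumed layout of the dropper's storage, taken from what this log shows:
# a fake $NtUninstallKB<digits>$ folder, or an eight-hex-digit folder under
# AppData\Local holding U\ or X\, and a service named Service_<eight hex digits>.
SIREFEF_PATH_RE = re.compile(
    r"\\\$NtUninstallKB\d+\$\\|\\AppData\\Local\\[0-9a-f]{8}\\[UX](\\|$)", re.I)
SIREFEF_SVC_RE = re.compile(r"^Service_[0-9a-f]{8}$", re.I)


@dataclass
class Triage:
    deleted_paths: list = field(default_factory=list)      # files/folders ComboFix removed
    disinfected: list = field(default_factory=list)        # (path, "Restored copy from" source)
    deleted_binaries: list = field(default_factory=list)   # infected, no clean copy, deleted
    removed_services: list = field(default_factory=list)
    hidden_files: list = field(default_factory=list)       # (path, size) reported by catchme
    sirefef_artifacts: list = field(default_factory=list)  # entries matching the dropper layout


def parse_combofix(text):
    t = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("scanning hidden files"):
            section = "hidden files"
            continue
        m = DISINFECTED_RE.match(line)
        if m:
            t.disinfected.append((m.group(1), None))
            continue
        m = RESTORED_RE.match(line)
        if m and t.disinfected and t.disinfected[-1][1] is None:
            t.disinfected[-1] = (t.disinfected[-1][0], m.group(1))
            continue
        m = INFECTED_DELETED_RE.match(line)
        if m:
            t.deleted_binaries.append(m.group(1))
            continue
        if line.endswith("is infected!!"):
            continue  # the paired "was deleted!!" line carries the path
        m = REMOVED_SERVICE_RE.match(line)
        if m:
            t.removed_services.append(m.group(1))
            continue
        m = HIDDEN_FILE_RE.match(line)
        if m and section == "hidden files":
            t.hidden_files.append((m.group(1), int(m.group(2))))
            continue
        if section == "Other Deletions" and WINPATH_RE.match(line):
            t.deleted_paths.append(line)
    t.sirefef_artifacts = ([p for p in t.deleted_paths if SIREFEF_PATH_RE.search(p)]
                           + [s for s in t.removed_services if SIREFEF_SVC_RE.match(s)])
    return t


def restored_without_local_source(t):
    """Disinfected files whose replacement did not come from a path on this machine
    (the log's 'The cat found it :)' case); worth verifying the file version by hand."""
    return [p for p, src in t.disinfected if src is None or not WINPATH_RE.match(src)]


def report(t):
    """Human-readable summary, one finding per line."""
    lines = [f"{len(t.deleted_paths)} paths deleted, "
             f"{len(t.sirefef_artifacts)} entries matching the dropper layout"]
    lines += [f"disinfected in place: {p} (clean copy from: {src})" for p, src in t.disinfected]
    lines += [f"deleted, reinstall its product: {p}" for p in t.deleted_binaries]
    lines += [f"service removed: {s}" for s in t.removed_services]
    lines += [f"still hidden after cleanup, inspect manually: {p} ({n} bytes)"
              for p, n in t.hidden_files]
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_combofix(SAMPLE_LOG))))
```

Run it against the full log by reading the file instead of `SAMPLE_LOG`. The two buckets a responder cares about most are the disinfected and deleted executables: those are running services and a kernel driver that were carrying the infection, not just dropped files, so the machine was fully compromised at the time and credentials used on it should be treated accordingly. The catchme hidden-file line is the one thing the log leaves open after the run.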
Short URL to this thread: https://techguy.org/1025989