I ran ComboFix and the internet does not work.
System Restore does not work.
IE7 does not work.
I need help to undo the ComboFix changes and get me back where I started.

Thanks


Who told you to run combofix? ComboFix is not a general purpose cleaning tool and should not be used as such. ComboFix should only be used when asked by someone experienced in the use of this tool. Using this tool without supervision can cause problems with your computer, as you have now found.
Did you try rebooting your computer? What operating system do you have? Why did you run combofix?
How do you connect to the internet?

You also have two threads started with this same problem.
http://www.daniweb.com/forums/thread163773.html
You should stick with this one now. I know it can be frustrating to wait for an answer but everyone volunteers here and normally folks get an answer as quickly as possible. Everyone also has to take into account that the volunteers are from all over the world and time zones can make a difference when waiting for replies.

Found ComboFix and ran it without help; bad mistake.
I am running Windows XP.
The PC will boot up and come on. I have no internet, no IE7 Explorer, and System Restore does not have any restore points.
Is there any way to undo all or most changes from ComboFix?

How are you connected to the internet?
You can try this and see if your internet connection is repaired:
* Click on the Start button.
* Click on the Settings menu option.
* Click on the Control Panel option.
* When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
* You will now see a list of available network connections. Find the correct one and Right Click and then click on the Repair menu option.
Do you have the log created by combofix? Did you install the Recovery Console with combofix?

I am currently not connected to the internet; I'm on another PC.
When I go to Control Panel, Network Connections is empty.
I have the ComboFix log.
I did not install the Recovery Console with ComboFix; I already had it installed.

Do you have your XP CD?

no do not have that with me

You would need that disk I believe to run the Recovery Console.

I already had the Recovery Console installed and I can get to it.
Do I need to send you the combofix.txt file?

Looking at the HijackThis log, just about everything for Windows is listed as unknown owner.

I would like to see some logs yes, AND why did you run these tools?

IE7 would redirect to MSN when trying to go to Windows Update.
I would try to remove what I thought was wrong in HijackThis, but they would keep returning.

Looking through both logs it is evident to me that severe damage has been done to the key system files of the computer. But not actually by combofix.
Though I stress again to ALL who may be reading this, combofix should NEVER be run without the first instruction to do so by a helper working with you on a forum such as this one. Combofix will NEVER or should NEVER be recommended as a "usual course of action" but ONLY in Specific and Special Circumstances. Never use this tool on your own. Never use an OLD copy of combofix, it is updated frequently. Once combofix has been used on a machine it then should be REMOVED following the instructions given by the person helping you.

The files removed by combofix IN THIS PARTICULAR CASE, and EACH CASE IS DIFFERENT, were all related to the Haxgen Trojan, also the Goldun.Fam rootkit, Haxdoor rootkit, and many others. Very dangerous infections. Goldun.Fam is a family of Trojan horse programs that steals users' information entered for authentication on e-gold online web forms. The Haxdoor rootkit has spying capabilities and according to reports, it has been used to steal bank-related information, logins and passwords for online bank accounts, and other personal information.
You also had the Backdoor.Win32.SdBot which is a worm and IRC backdoor Trojan for the Windows platform.

W32/Rbot-DPG runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Rbot-DPG includes functionality to access the internet and communicate with a remote server via HTTP.
While it may SEEM the computer is not online, don't take a chance, UNPLUG the internet cord from the computer immediately.

Go through that list of removed files in the combofix log and each and every one was connected to one of these infections noted above. Where were they All located? In System32. You've got to have System32 working in order for your computer to run properly, so with all of these files infected it obviously wasn't. Virtually the entire System32 was affected and INFECTED.
Yes, the problems you have now are "somewhat" because of the removals by combofix, BUT they were removed because really your entire System32 was totally infected by these invaders and it did what it was designed to do, remove serious infections. I doubt that anything could have fixed this.

I MUST say something here I rarely say, the best thing for you to do is wipe the drive and reinstall.
Your system was severely compromised BEFORE you ran combofix.

Please also take note of KEY Phrases in the description of all of these trojans, worms and rootkits noted above:
steals users' information, steals bank-related information, logins and passwords for online bank accounts, and other information.

Before you do ANYTHING with the computer itself you need to call ALL of the companies you have done business with online, credit card companies, banks, insurance companies, EVERYBODY YOU HAVE DONE ONLINE BUSINESS WITH IN RECENT MONTHS. You need to talk to a real person, don't do it via email, explain what has happened and let them know what has happened. You very possibly will have to change credit card numbers, bank account numbers, anything important. This really is even much worse than if somebody had stolen your wallet from your pocket with all your important information in it, because once this information is obtained online then it is USED online, the thief doesn't have to go from store to store or bank to bank on foot, he does it from the comfort of his own computer desk and much faster.

I cannot tell exactly from the combofix log what it was that may have brought these things onto the computer though the Trojan.Flush.M Trojan came onto the computer on November 22nd, it seems to have been the only one created on that date and what it does is that it impacts network traffic with Address Resolution Protocol (ARP) requests and lowers security settings. The only ones I see right before are Auslogics, (excellent programs so I would likely rule this out). I don't know these others, Evernote, SwordSearcher 4 and Discover. Then there were a large number of installs on December 2nd all of which seem to have to do with a mobile phone.
Don't know if this helps you track down where these infections may have come from but I thought it might help once you get your system up and running again.
I am sorry to say, but total reformat and reload is my best advice.
Judy

Thank you very much for all of your help in this matter.
Will format and reinstall.

Sorry I couldn't give some better advice but just think it would save you the headache of trying to fix each and every part of the os. Easier to do it all in one step.
Judy
