Hi to everybody here,
this is my first post on your website.

Actually, this is the first post in my life about this kind of issue.
It's a ComboFix log file. I just ran ComboFix on my PC today because NOD32 found some rootkit trojan inside the working memory, and I googled that log from NOD and found out that only ComboFix can help me with it. And it really helped, which is great.
But I want to be sure whether I need to do anything else or my PC is fine now.
That's why I'm here with my ComboFix log file:
Code:
ComboFix 09-06-20.02 - Bilosta 06/21/2009 16:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1742 [GMT 3:00]
Running from: c:\documents and settings\Bilosta\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\SKYNETxnbmolwb.sys
c:\windows\system32\SKYNETbqpqqmkj.dat
c:\windows\system32\SKYNETlclfkawe.dll
c:\windows\system32\SKYNETvmpqagtt.dat
c:\windows\system32\SKYNETyueempdv.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETornmbciq
((((((((((((((((((((((((( Files Created from 2009-05-21 to 2009-06-21 )))))))))))))))))))))))))))))))
.
2009-06-21 11:53 . 2009-06-21 11:53 -------- d-----w- c:\documents and settings\Kurucity\Application Data\ESET
2009-06-21 11:52 . 2009-06-21 11:52 -------- d-----w- c:\program files\ESET
2009-06-21 11:52 . 2009-06-21 11:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-21 11:50 . 2009-06-21 11:50 -------- d-----w- c:\program files\InstallShield Installation Information
2009-06-21 11:34 . 2009-06-21 11:34 -------- d-----w- c:\documents and settings\Kurucity\Local Settings\Application Data\GHISLER
2009-06-21 11:28 . 2009-06-21 11:28 0 ----a-w- c:\windows\nsreg.dat
2009-06-21 11:28 . 2009-06-21 11:28 -------- d-----w- c:\documents and settings\Kurucity\Local Settings\Application Data\Mozilla
2009-06-21 11:26 . 2009-06-21 11:26 -------- d-sh--w- c:\documents and settings\Kurucity\IECompatCache
2009-06-21 11:26 . 2009-06-21 11:26 -------- d-sh--w- c:\documents and settings\Kurucity\PrivacIE
2009-06-21 11:23 . 2009-06-21 11:27 -------- d-----w- C:\totalcmd
2009-06-21 11:23 . 2009-06-21 11:23 -------- d-----w- c:\documents and settings\Kurucity\Application Data\GHISLER
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\UC.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\RAR.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\PKZIP.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\PKUNZIP.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\NOCLOSE.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\LHA.PIF
2009-06-21 11:23 . 2009-06-11 04:50 545 ----a-w- c:\windows\ARJ.PIF
2009-06-21 11:22 . 2008-04-13 21:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-06-21 11:22 . 2008-04-13 21:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-21 07:03 . 2009-06-21 07:03 -------- d-----w- c:\program files\microsoft frontpage
2009-06-21 07:00 . 2009-06-21 07:00 84760 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-21 07:00 . 2009-06-21 07:00 -------- d-----w- c:\program files\MSBuild
2009-06-21 07:00 . 2009-06-21 07:00 -------- d-----w- c:\program files\Reference Assemblies
2009-06-21 06:57 . 2009-06-21 06:56 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-21 06:55 . 2009-06-21 06:55 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-21 06:51 . 2009-06-21 06:51 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-21 06:50 . 2009-06-21 06:50 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-21 06:49 . 2009-06-21 06:49 -------- d-----w- c:\program files\Microsoft
2009-06-21 06:49 . 2009-06-21 06:49 -------- d-----w- c:\program files\Windows Live
2009-06-21 06:48 . 2009-06-21 06:48 -------- d-----w- c:\program files\MSXML 4.0
2009-06-21 06:47 . 2009-06-21 06:47 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-14 12:49 . 2009-05-14 12:49 55768 ----a-w- c:\windows\system32\drivers\epfwtdi.sys
2009-05-14 12:49 . 2009-05-14 12:49 33096 ----a-w- c:\windows\system32\drivers\epfwndis.sys
2009-05-14 12:49 . 2009-05-14 12:49 133000 ----a-w- c:\windows\system32\drivers\epfw.sys
2009-05-14 12:47 . 2009-05-14 12:47 107256 ----a-w- c:\windows\system32\drivers\ehdrv.sys
2009-05-14 12:41 . 2009-05-14 12:41 114472 ----a-w- c:\windows\system32\drivers\eamon.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DWPersistentQueuedReporting"="c:\program files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE" [2007-02-26 437160]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
.
Contents of the 'Scheduled Tasks' folder
2009-06-21 c:\windows\Tasks\User_Feed_Synchronization-{B5FB382B-BCBD-4300-8133-B432938347A2}.job
- c:\windows\system32\msfeedssync.exe [2008-04-14 03:31]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://linklol.com/homepage/
FF - ProfilePath -
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-21 16:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-06-21 16:03
ComboFix-quarantined-files.txt 2009-06-21 13:03
Pre-Run: 70,562,025,472 bytes free
Post-Run: 70,638,682,112 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
162
Thanks in advance for any answer!
Best,
Jozsef