Author Topic: PROBLEM with ComboFix please help  (Read 9800 times)


angie20

  • Guest
PROBLEM with ComboFix please help
« on: January 03, 2008, 03:04:15 PM »
Well, I've just installed it but it just won't start :(

I'm losing my patience bit by bit. Obviously it is A NO GOOD THING. I'll never do that again (download tools like that) >:(.

Can someone please tell me how to EXIT IT SAFELY, because it already turned off my Defender, now I have problems with Windows update >:(

Its warning is that if I close it, my desktop will go blank and God knows what nasty things will happen as well :(

Please HELP!


Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48608
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: PROBLEM with ComboFix please help
« Reply #1 on: January 03, 2008, 03:23:55 PM »
ComboFix is a diagnostic tool which looks for certain items on your system.

I noticed you never replied to the answer given to you in your first post ???
http://forum.avast.com/index.php?topic=32319.msg270064#msg270064

Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

angie20

  • Guest
Re: PROBLEM with ComboFix please help
« Reply #2 on: January 03, 2008, 04:57:48 PM »
Don't be too harsh on me, Bob3160 ;)

I'm as inexperienced as you can never imagine :)

But at least I'm trying so hard to learn every day :)

You know, I'm thinking of seeking help from a professional right now to come and look at my laptop 'cause whatever I try, I can never be 100% sure...

I tried to FOLLOW the instructions of Tech but actually I have to check every second term in google/wiki before I do sth. For example, I didn't know what Boot scan is 8) And I'm afraid I might do sth harmful to my PC with the scanty knowledge of mine :-\

And this scan is the first step...

The other tools, well, I installed some of them, eg AVG scanner found a tracking cookie (later I searched & found that this cookie is from the company itself ???). Terminator & AVG Rootkit won't start. Then I'm WORRIED about HijackThis, Secunia, etc, because they are meant for ppl with ADVANCED knowledge. You know what mine is already...

I really wanna try on my own but perhaps it's better to play it safe and have a professional see my PC.

I'll do the Boot scan now though :D


Angie20 :)
« Last Edit: January 04, 2008, 12:59:39 AM by angie20 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: PROBLEM with ComboFix please help
« Reply #3 on: January 03, 2008, 05:44:03 PM »
Quote
I didn't know what Boot scan is 8) And I'm afraid I might do sth harmful to my PC with the scanty knowledge of mine :-\
Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files.
Choose how to automatically process infected system files.
Click the Schedule button to confirm the settings.

If infected files are found, it's safer to send them to Chest instead of deleting them.
This way you can analyze them further.
The best things in life are free.

angie20

  • Guest
Re: PROBLEM with ComboFix please help
« Reply #4 on: January 04, 2008, 12:57:59 AM »
Thanks for the detailed description, I did the scan before I saw it but I think the problem was with the translation of Boot into my native language, I might change it back to English since the terminology in this area is much closer to me in English ; :)

The scan didn't detect any infected areas. I'm taking it slowly now, ran AVG Antispyware but all it found were several TrackingCookies. Phew >:( You can't go without them I guess. I've not decided on my next actions but here I can find lots of ideas :)

I wanna thank every1 who wrote back :D

angie20 :)

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48608
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: PROBLEM with ComboFix please help
« Reply #5 on: January 04, 2008, 01:40:48 AM »
Quote
TrackingCookies. Phew  >:(
Sounds like a dirty word but it really isn't anything to get very excited about.  :)

Boot scan:
To put it in its simplest form, it allows your system to be scanned
before your operating system loads all of its files.

That way, you can find bad guys before they hide in your system files.  ;D
« Last Edit: January 04, 2008, 01:42:43 AM by bob3160 »

angie20

  • Guest
Re: PROBLEM with ComboFix please help
« Reply #6 on: January 04, 2008, 10:30:37 PM »
Finally my Hijackthis logfile!

Can anyone please have a look at it?

Thanks in advance!

angie20

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13 ч., on 4.1.2008 г.
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Windows\System32\s3trayp.exe
C:\Program Files\VIA\VIAudioi\VistaADeck\HDAudioCPL.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abv.bg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SMSERIAL] "C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe"
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [HDAudDeck] "C:\Program Files\VIA\VIAudioi\VistaADeck\HDAudioCPL.exe" 1
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-4159687310-3189952592-801293435-1000\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun (User 'vixyfire')
O13 - Gopher Prefix:
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C6CA75D-9AA1-4812-8991-86B06F6EA91B}: NameServer = 84.21.219.11,84.21.219.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{4C6CA75D-9AA1-4812-8991-86B06F6EA91B}: NameServer = 84.21.219.11,84.21.219.12
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: IviRegMgr - InterVideo - c:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe

--
End of file - 3964 bytes

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: PROBLEM with ComboFix please help
« Reply #7 on: January 04, 2008, 10:48:26 PM »
Quick look at your logfile shows this:

O13 - Gopher Prefix:

HiJackThis LogFile Analyzer recommends this:

To be fixed immediately! Such entries should be fixed as a general rule.
MB: GIGABYTE GA-Z77X-UD3H Intel 7 Series  - LGA1155, CPU: Intel Core i5-3570K - Quad Core, 3.40GHz (3.80GHz Max Turbo), CPU COOLER: Cooler Master Hyper 212 EVO Direct Heat Pipe R2, RAM: 16 GB Kingston HyperX Blu DDR3, VIDEO CARD: Galaxy GeForce GTX 560 Ti - 1GB, GDDR5, POWER SUPPLY: Corsair Enthusiast Series TX750 V2 - 750 Watts, HD: Seagate Barracuda - 2TB, 7200RPM, 64MB, SATA 6Gb/s

Hard_ROCKER

  • Guest
Re: PROBLEM with ComboFix please help
« Reply #8 on: January 04, 2008, 11:04:00 PM »
The log is clean, I'm presuming this is your internet service provider? http://lulin-net.com/

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: PROBLEM with ComboFix please help
« Reply #9 on: January 04, 2008, 11:24:29 PM »
Gopher prefix is legitimate on Vista

My system

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:41, on 04/01/2008
Platform: Windows Vista SP1, v.668 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.17052)
Boot mode: Normal

Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Windows\system32\taskeng.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\CaledosLAB\Caledos Automatic Wallpaper Changer\CaledosWallpaper6.exe
D:\Windows\System32\mobsync.exe
D:\Program Files\Internet Explorer\ieuser.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Windows Live\Mail\wlmail.exe
D:\Users\Martin\Downloads\Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateworld.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'Default user')
O4 - Global Startup: Caledos Wallpaper (startup checker).lnk = ?
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2007\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2007\\Wizard.html
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2007\\Parser.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O13 - Gopher Prefix:
O16 - DPF: {71D413D7-38C5-4035-8548-976522CF11D5} (Crucial cpcScan) - http://www.crucial.com/controls/cpcVistaBeta.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - D:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - D:\Windows\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - D:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Cricket 2007 Drivers Auto Removal (pr2agnqb) (pr2agnqb) - Codemasters - D:\Windows\system32\pr2agnqb.exe

--
End of file - 6154 bytes
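
The check made in the reply above, comparing a flagged entry against a log from a known-clean machine running the same OS, can be done mechanically. This is an added example, not part of the thread or of HijackThis itself; the function names are hypothetical and the two sample logs are short excerpts of the logs posted in this topic.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

# Section lines look like "O13 - Gopher Prefix:" or "R0 - HKCU\...,Start Page = ...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

# Excerpt of the log under review (Reply #6).
SUSPECT = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista  (WinNT 6.00.1904)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C6CA75D-9AA1-4812-8991-86B06F6EA91B}: NameServer = 84.21.219.11,84.21.219.12
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Excerpt of the comparison log from a clean Vista system (Reply #9).
BASELINE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1, v.668 (WinNT 6.00.1905)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O13 - Gopher Prefix:
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

def parse_log(log):
    """Return section entries only; header and process-list lines do not match."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries

def normalize(entry):
    """Compare across machines: ignore case and the drive letter (C: vs D:)."""
    text = re.sub(r"\b[a-z]:\\", lambda m: "?:\\", entry.text.lower())
    return entry.section, text

def diff_against_baseline(suspect_log, baseline_log):
    """Entries in the suspect log with no counterpart in the clean baseline."""
    known = {normalize(e) for e in parse_log(baseline_log)}
    return [e for e in parse_log(suspect_log) if normalize(e) not in known]

if __name__ == "__main__":
    for e in diff_against_baseline(SUSPECT, BASELINE):
        print("review manually:", e.section, "-", e.text)
```

The empty O13 line drops out because the clean Vista log has it too; what remains is the machine-specific O17 DNS entry, which still needs a person to confirm it belongs to the user's ISP.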

Offline szc

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6927
Re: PROBLEM with ComboFix please help
« Reply #10 on: January 05, 2008, 01:23:24 AM »
Yes, you're right... some more about the protocol:

http://en.wikipedia.org/wiki/Gopher_(protocol)

HiJackThis Logfile Analyzer needs to do something about their database I guess.

angie20

  • Guest
Re: PROBLEM with ComboFix please help
« Reply #11 on: January 08, 2008, 11:30:38 PM »
First, I wanna thank everyone who helped me out at my efforts to check my PC so far!!!

I ran Runscanner but is it OK to post sth here? I mean, if there's someone who has experience with it. As a matter of fact, I used the so called Classic mode so I got sth like analysis BUT I didn't try to fix anything. From what I could understand, there were no 'red', hence problematic items.
There were however some files that couldn't be found, is that bad?


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: PROBLEM with ComboFix please help
« Reply #12 on: January 09, 2008, 12:49:24 AM »
Quote
I ran Runscanner but is it OK to post sth here?
You can post it. Although it's better to submit to the automatic analysis by the program itself.

angie20

  • Guest
Re: PROBLEM with ComboFix please help
« Reply #13 on: January 09, 2008, 05:04:42 PM »
I already did as I mentioned, it's normal so to say.
But now I have a bigger problem connected with Avast and I'll start a new topic in the relevant section.
Thanx again for the help!