
Thread: Have No Clue What to Do... Please Help

  1. #11
    Join Date
    Feb 2008
    Posts
    10
    I downloaded peek...zip and made ComboFix a zip and was able to extract both to the desktop.

    I will post the results of ComboFix when it is done.

    Then, if needed, I will run peekaboo.

  2. #12
    Join Date
    Aug 2006
    Posts
    578
    Quote Originally Posted by stevehoward View Post
    I downloaded peek...zip and made ComboFix a zip and was able to extract both to the desktop.

    I will post the results of ComboFix when it is done.

    Then, if needed, I will run peekaboo.
    May as well run them both, if you can. PeekabooXP will give me a few things ComboFix won't.

    And, my gut feeling is that this is NOT a malware problem, so I'd want to have a look at those other areas anyway....

    PP

  3. #13
    Join Date
    Feb 2008
    Posts
    10
    FYI, while I am running the peekaboo... the two errors that I am getting are an lsass.exe and an RPC error message for the Windows NT blah blah blah

  4. #14
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by stevehoward View Post
    FYI, while I am running the peekaboo... the two errors that I am getting are an lsass.exe and an RPC error message for the Windows NT blah blah blah
    Could be a myriad of reasons for those errors - we'd need the complete error messages/code and even then it'd be a PITA to sort the problem out. Gotta love Windows!


    -- I'm cutting out for a bit (heck, it's Friday night after all)
    I - or Judy - will check back as time permits over the weekend. We'll have a look at the logs and see where they take us....


    PP

  5. #15
    Join Date
    Feb 2008
    Posts
    10
    Here is the ComboFix log:

    ComboFix 08-02-23 - Steve 2008-02-22 20:46:52.1 - NTFSx86
    Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
    .

    2008-02-22 20:31 . 2008-02-22 20:33 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\U3
    2008-02-22 18:54 . 2008-02-22 19:42 <DIR> d-------- C:\hijackthis
    2008-02-22 18:27 . 2008-02-22 18:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-02-22 18:27 . 2008-02-22 18:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2008-02-22 18:20 . 2008-02-22 18:20 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Grisoft
    2008-02-22 18:19 . 2008-02-22 18:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Grisoft
    2008-02-22 18:19 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-02-16 21:26 . 2008-02-16 21:26 <DIR> d-------- C:\Program Files\Google
    2008-02-16 20:58 . 2008-02-22 19:59 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2008-02-15 22:17 . 2004-08-12 09:10 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
    2008-02-15 22:15 . 2004-08-12 09:05 456,704 --a--c--- C:\WINDOWS\system32\dllcache\smtpsvc.dll
    2008-02-15 22:14 . 2004-08-12 08:58 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
    2008-02-15 22:13 . 2004-08-12 08:58 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
    2008-02-15 22:12 . 2004-08-12 08:58 811,064 --a--c--- C:\WINDOWS\system32\dllcache\imjp81k.dll
    2008-02-15 22:11 . 2004-08-12 08:58 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
    2008-02-15 22:10 . 2004-08-12 08:58 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
    2008-02-15 22:09 . 2004-08-12 08:55 331,264 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll
    2008-02-15 22:08 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
    2008-02-15 22:07 . 2003-03-24 16:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
    2008-02-15 22:07 . 2003-03-24 16:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\admin.exe
    2008-02-15 22:01 . 2004-08-12 08:58 16,384 --a--c--- C:\WINDOWS\system32\dllcache\isignup.exe
    2008-02-15 22:01 . 2008-02-15 22:01 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
    2008-02-15 22:01 . 2008-02-15 22:01 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
    2008-02-15 22:01 . 2008-02-15 22:01 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
    2008-02-15 22:01 . 2008-02-15 22:01 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
    2008-02-15 22:01 . 2008-02-15 22:01 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
    2008-02-15 21:35 . 2004-08-12 09:02 1,086,058 -ra------ C:\WINDOWS\SETD5.tmp
    2008-02-15 21:35 . 2004-08-12 09:06 1,042,903 -ra------ C:\WINDOWS\SETD2.tmp
    2008-02-15 16:00 . 2008-02-15 16:00 <DIR> d-------- C:\WINDOWS\dell
    2008-02-15 16:00 . 2008-02-22 17:04 536,285,184 --a------ C:\WINDOWS\MEMORY.DMP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2006-09-13 11:31 86,176 ----a-w C:\Documents and Settings\Steve\Application Data\GDIPFONTCACHEV1.DAT
    .

    ------- Sigcheck -------

    "C:\WINDOWS\system32\svchost.exe"
    ----a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\svchost.exe
    -c--a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\dllcache\svchost.exe

    "C:\WINDOWS\system32\user32.dll"
    ----a-w 577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
    ----a-w 578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
    ----a-w 577,024 2004-08-12 14:08:06 C:\WINDOWS\system32\user32.dll
    -c--a-w 577,024 2004-08-12 14:08:06 C:\WINDOWS\system32\dllcache\user32.dll

    "C:\WINDOWS\system32\ws2_32.dll"
    ----a-w 82,944 2004-08-12 14:10:27 C:\WINDOWS\system32\ws2_32.dll
    -c--a-w 82,944 2004-08-12 14:10:27 C:\WINDOWS\system32\dllcache\ws2_32.dll

    "C:\WINDOWS\system32\wininet.dll"
    ----a-w 656,896 2004-09-29 1841 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
    ----a-w 657,920 2005-01-27 17:08:42 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
    ----a-w 657,920 2005-03-10 07:43:23 C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
    ----a-w 660,480 2005-09-02 23:53:41 C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
    ----a-w 659,456 2005-07-03 02:09:33 C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
    ----a-w 661,504 2005-10-21 03:38:08 C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
    ----a-w 666,112 2007-10-11 05:57:41 C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\sp2qfe\wininet.dll
    ----a-w 656,384 2004-08-12 14:09:30 C:\WINDOWS\system32\wininet.dll
    -c--a-w 656,384 2004-08-12 14:09:30 C:\WINDOWS\system32\dllcache\wininet.dll

    "C:\WINDOWS\system32\drivers\tcpip.sys"
    ----a-w 359,936 2005-05-25 19:07:12 C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    ----a-w 360,448 2006-01-13 17:07:08 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    ----a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    -c--a-w 359,040 2004-08-12 14:07:09 C:\WINDOWS\system32\dllcache\tcpip.sys
    ----a-w 359,040 2004-08-12 14:07:09 C:\WINDOWS\system32\drivers\tcpip.sys

    "C:\WINDOWS\system32\winlogon.exe"
    ----a-w 502,272 2004-08-12 14:09:30 C:\WINDOWS\system32\winlogon.exe
    -c--a-w 502,272 2004-08-12 14:09:30 C:\WINDOWS\system32\dllcache\winlogon.exe

    "C:\WINDOWS\system32\drivers\ndis.sys"
    -c--a-w 182,912 2004-08-12 14:01:38 C:\WINDOWS\system32\dllcache\ndis.sys
    ----a-w 182,912 2004-08-12 14:01:38 C:\WINDOWS\system32\drivers\ndis.sys

    "C:\WINDOWS\system32\drivers\ip6fw.sys"
    -c--a-w 29,056 2004-08-12 13:58:08 C:\WINDOWS\system32\dllcache\ip6fw.sys
    ----a-w 29,056 2004-08-12 13:58:08 C:\WINDOWS\system32\drivers\ip6fw.sys

    "C:\WINDOWS\system32\ntkrnlpa.exe"
    ----a-w 2,056,832 2005-03-02 00:36:40 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
    ----a-w 2,059,392 2006-12-19 16:12:16 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
    ----a-w 2,059,392 2007-02-28 09:15:56 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
    ----a-w 2,015,232 2004-08-12 14:06:15 C:\WINDOWS\system32\ntkrnlpa.exe

    "C:\WINDOWS\system32\ntoskrnl.exe"
    ----a-w 2,179,456 2005-03-02 01:04:22 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
    ----a-w 2,182,016 2006-12-19 16:51:12 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
    ----a-w 2,182,144 2007-02-28 09:55:14 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
    ----a-w 2,148,352 2004-08-12 14:02:38 C:\WINDOWS\system32\ntoskrnl.exe

    "C:\WINDOWS\explorer.exe"
    ----a-w 1,032,192 2004-08-12 13:57:20 C:\WINDOWS\explorer.exe
    ----a-w 1,033,216 2007-06-13 11:26:03 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
    -c--a-w 1,032,192 2004-08-12 13:57:20 C:\WINDOWS\system32\dllcache\explorer.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-19 18:34 3084288]
    "Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 18:25 101080]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [ ]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-08-19 00:44 4554752]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 14:26 212992]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29 303104]
    "nwiz"="nwiz.exe" [2004-08-19 00:44 921600 C:\WINDOWS\system32\nwiz.exe]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 11:59 122880 C:\WINDOWS\BCMSMMSG.exe]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 02:52 36975]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-14 01:23 98304]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-14 15:35 536576]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 12:43 53248]
    "DadApp"="C:\Program Files\Dell\AccessDirect\dadapp.exe" [2004-03-04 12:36 211828]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-10-07 20:44 610304]
    "Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]
    "VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 18:18 151552]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-21 09:59 98304]
    "VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 11:49 163840]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-11-16 01:05 127035]
    "mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-10-08 08:49 53248]
    "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2004-10-08 08:49 131072]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-03-14 14:47 180269]
    "MPSExe"="c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" [2005-07-26 13:49 294912]
    "MPFExe"="C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 16:52 999424]
    "OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 21:02 53248]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"= %windir%\\system32\\sessmgr.exe:@xpsp2res.dll,-22019
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "C:\\Program Files\\America Online 9.0\\waol.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "D:\\Setup.exe"=
    "C:\\Program Files\\Dell Inc\\Dell Picture Studio v3.0\\launch.exe"=
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\LaunchU3.exe -a

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-22 20:50:29
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-22 20:53:10
    .
    2007-12-15 22:11:19 --- E O F ---

  6. #16
    Join Date
    Feb 2008
    Posts
    10

  7. #17
    Join Date
    Aug 2006
    Posts
    578


    Hi Steve,

    This is just a quick look before I run:
    I don't see much in your ComboFix log. No obvious malware jumping out at me.
    -- Any luck with the PeekabooXP log? I'd definitely like to see that given the ComboFix results....


    Looks like you had a problem about a week ago (crash?).
    2008-02-15 16:00 . 2008-02-22 17:04 536,285,184 --a------ C:\WINDOWS\MEMORY.DMP

    Also, can you tell me what is in these?
    C:\WINDOWS\SETD5.tmp
    C:\WINDOWS\SETD2.tmp
    Looks like you installed something then?

    Your Windows firewall is disabled - This is OK if you are running a different one...


    I am heading out the door - Back Saturday afternoon.
    In lieu of a malware cause, you might want to use msconfig and turn off startups one by one and see if you can find a culprit there....

    G'Night
    PP
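The checks PP applies by eye to the log in #15 (is a system file's live copy the same as its dllcache copy, which startup entries point at a file ComboFix could not find, is the firewall profile switched off) can be scripted. The following is an added example written for this page in Python; it is not code from the thread, from ComboFix or from PeekabooXP. The sample log embedded in it is constructed to mirror the layout of the log posted above (trimmed, with the tcpip.sys live-copy size changed so the comparison has something to flag); the section banners, the line layouts and the reading of an empty "[ ]" as "ComboFix could not stat the target" are assumptions taken from that post, not documented ComboFix behaviour.

```python
import re

# Constructed sample in the layout of the ComboFix log posted above (trimmed; the
# tcpip.sys live-copy size was changed so the dllcache comparison has something to flag).
SAMPLE_LOG = r"""
------- Sigcheck -------

"C:\WINDOWS\system32\svchost.exe"
----a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2004-08-12 14:06:49 C:\WINDOWS\system32\dllcache\svchost.exe

"C:\WINDOWS\system32\user32.dll"
----a-w 578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
----a-w 577,024 2004-08-12 14:08:06 C:\WINDOWS\system32\user32.dll
-c--a-w 577,024 2004-08-12 14:08:06 C:\WINDOWS\system32\dllcache\user32.dll

"C:\WINDOWS\system32\drivers\tcpip.sys"
-c--a-w 359,040 2004-08-12 14:07:09 C:\WINDOWS\system32\dllcache\tcpip.sys
----a-w 360,576 2006-04-20 12:18:35 C:\WINDOWS\system32\drivers\tcpip.sys

((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-08-19 00:44 4554752]
"Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Line layouts assumed from the posted log: "<attrs> <size> <date> <time> <path>" under
# Sigcheck, and '"Name"="value" [<timestamp size>]' under Reg Loading Points.
SIG_ENTRY_RE = re.compile(r'^(\S+)\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2})\s+(\S+)\s+(.+?)\s*$')
REG_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
RUN_ENTRY_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s+\[\s*(.*?)\s*\]\s*$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*(\d+)')


def split_sections(text):
    """Bucket stripped log lines under the banner that precedes them."""
    sections, name = {}, 'header'
    for line in text.splitlines():
        s = line.strip()
        if 'Sigcheck' in s:
            name = 'sigcheck'
        elif 'Reg Loading Points' in s:
            name = 'reg'
        else:
            sections.setdefault(name, []).append(s)
    return sections


def parse_sigcheck(lines):
    """Map each quoted header path to its listed copies as (size_bytes, path)."""
    files, current = {}, None
    for s in lines:
        if len(s) > 2 and s.startswith('"') and s.endswith('"'):
            current = s[1:-1]
            files[current] = []
            continue
        m = SIG_ENTRY_RE.match(s)
        if current and m:
            files[current].append((int(m.group(2).replace(',', '')), m.group(5)))
    return files


def sigcheck_findings(lines):
    """Flag a system file whose live copy differs in size from its dllcache copy.
    A difference is a lead for a closer look (hash, Authenticode signature), not
    proof of tampering: a hotfix can leave the two copies at different builds."""
    findings = []
    for header, copies in parse_sigcheck(lines).items():
        live = [sz for sz, p in copies if p.lower() == header.lower()]
        cache = [sz for sz, p in copies if '\\dllcache\\' in p.lower()]
        if live and cache and live[0] != cache[0]:
            findings.append(f'size mismatch: {header} live={live[0]} dllcache={cache[0]}')
    return findings


def autorun_findings(lines):
    """Flag Run entries whose target ComboFix printed no metadata for (an empty
    '[ ]' after the value) and any firewall profile with EnableFirewall=0."""
    findings, key = [], ''
    for s in lines:
        key_m = REG_KEY_RE.match(s)
        if key_m:
            key = key_m.group(1)
            continue
        fw_m = FIREWALL_RE.match(s)
        if fw_m:
            if fw_m.group(1) == '0':
                findings.append(f'firewall disabled: {key}')
            continue
        run_m = RUN_ENTRY_RE.match(s)
        if run_m and not run_m.group(3):
            findings.append(f'unverifiable autorun: {key} "{run_m.group(1)}" -> {run_m.group(2)}')
    return findings


def triage(text):
    """Run both checks over a ComboFix-style log; Sigcheck findings come first."""
    sections = split_sections(text)
    return (sigcheck_findings(sections.get('sigcheck', []))
            + autorun_findings(sections.get('reg', [])))


if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the real log above the Sigcheck comparison is quiet (every live copy matches its dllcache twin), which is the same conclusion PP reaches; the autorun check would list the three entries printed with "[ ]" (WMPNSCFG, Dell Wireless Manager UI, UserFaultCheck), and the firewall check would repeat the EnableFirewall=0 observation. None of those is a malware verdict on its own; they are the lines to look at first.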
