Unknown problem! The request to check up my logfiles...
#16
Posted 20 September 2010 - 07:46 PM
Gringo
If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic
Please Only Copy And Paste Reports Into Topic - Do Not Attach
My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->
#17
Posted 20 September 2010 - 08:12 PM
ATTRIB.cfxxe.mui
CF7728.cfxxe.mui
CMD.cfxxe.mui
CSCRIPT.cfxxe.mui
PING.cfxxe.mui
REGT.cfxxe.mui
ROUTE.cfxxe.mui
#18
Posted 22 September 2010 - 06:29 AM
Sorry for the delays. Now this is what we want you to do:
1. Delete the combofix that you have now on your desktop
2. download and save TO YOUR DESKTOP an updated combofix.
3. I want you to run combofix, but I want you to start it this way:
go to Start > Run > copy and paste the following into the run box
"%userprofile%\desktop\combofix.exe" /F3M
4. when you get the report please ATTACH the report to this thread (do not post it)
Gringo
#19
Posted 22 September 2010 - 12:00 PM
But I have received the same result (only it worked more quickly, without steps):
At the beginning of its work there is again a message:
"The system cannot find message text for message number 0x8 in the message file for System".
And after the end of its work no logfile remains - there is no Combofix.txt...
#20
Posted 22 September 2010 - 12:22 PM
Could you do me this favor? Please zip the entire folder - C:\ComboFix.
The zipped file is rather large but could you upload it to me at this website:
http://www.thespykiller.co.uk/index.php?board=1.0
Just press new topic.
Make the subject: ( Files for sUBs )
Fill in a short message & upload the file
You needn't be a member to upload; anybody can upload the files.
You shall not be able to view the files that have been uploaded, as they only show to the authorized users who can download them. I shall be able to collect the file from there.
#21
Posted 22 September 2010 - 02:33 PM
I have done as you asked:
http://thespykiller.co.uk/index.php?topic=9438.0
Your program with the Lion icon works just fine!
Many thanks to you for it!
On Windows XP it works perfectly; only here in Windows 7 is there a problem with a logfile...
#22
Posted 22 September 2010 - 03:29 PM
How's your machine behaving now?
#23
Posted 22 September 2010 - 03:40 PM
#24
Posted 22 September 2010 - 04:09 PM
My machine behaves normally...
I have installed on my computer the Windows 7 English version, and then the Hebrew language pack, which I downloaded from Windows Update...
But I have tried to switch the interface of my Windows 7 back to English and run ComboFix there - but the result was the same as with the Hebrew interface...
#25
Posted 22 September 2010 - 04:51 PM
Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
REM Write the preferred UI language and locale from the registry,
REM then the list of en-US / he-IL MUI resource files of the console tools, into Logit.txt
>Logit.txt (
SWREG QUERY "HKCU\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages"
SWREG QUERY "HKCU\Control Panel\International" /v LocaleName
ECHO.
PEV -ltf %windir%\* -preg"\\(en-us|he-il)\\(attrib|cscript|ping|route|cmd|ipconfig|sort|findstr|regedit)\.exe\.mui$"
)
REM Open the result in the default text editor, then delete this batch file
START Logit.txt
DEL %0
Save this as peek.bat. Choose "Save as type - All Files".
It should look like this:
Double click on peek.bat & allow it to run.
Post back to tell me what it says.
#26
Posted 22 September 2010 - 05:24 PM
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
HKEY_CURRENT_USER\control panel\desktop\muicached
MachinePreferredUILanguages REG_MULTI_SZ he-IL\0\0
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©
HKEY_CURRENT_USER\control panel\international
LocaleName REG_SZ he-IL
----a-w- 45,056 2009-07-14 02:04:56 C:\Windows\en-US\regedit.exe.mui
----a-w- 42,496 2009-07-13 16:40:30 C:\Windows\he-IL\regedit.exe.mui
----a-w- 2,048 2009-07-14 02:06:38 C:\Windows\System32\en-US\attrib.exe.mui
----a-w- 126,976 2009-07-14 02:09:26 C:\Windows\System32\en-US\cmd.exe.mui
----a-w- 11,264 2009-07-14 02:04:14 C:\Windows\System32\en-US\cscript.exe.mui
----a-w- 8,704 2009-07-14 02:09:18 C:\Windows\System32\en-US\findstr.exe.mui
----a-w- 27,648 2009-07-14 02:09:34 C:\Windows\System32\en-US\ipconfig.exe.mui
----a-w- 9,728 2009-07-14 02:07:52 C:\Windows\System32\en-US\ping.exe.mui
----a-w- 12,288 2009-07-14 02:07:02 C:\Windows\System32\en-US\route.exe.mui
----a-w- 10,752 2009-07-14 02:07:18 C:\Windows\System32\en-US\sort.exe.mui
----a-w- 11,264 2009-07-13 16:35:30 C:\Windows\System32\he-IL\cscript.exe.mui
Entries: 11 (11)
Directories: 0 Files: 11
Bytes: 308,224 Blocks: 602
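The output above is the evidence the diagnostic was after: the preferred UI language is he-IL, yet he-IL .mui resource files exist only for cscript.exe and regedit.exe, while the other tools have en-US resources only. As an added example (not part of the thread and not ComboFix's own code), the Python below parses that SWREG and PEV output, constructed here from the lines posted above, and reports, for each preferred UI language, which of the tools peek.bat looks for have no message resource for it. The TOOLS tuple mirrors the alternation in the PEV regex; the interpretation that a tool without a .mui for the active UI language cannot load its message strings is the reading of the thread, not something the script verifies against a live system.

```python
"""Interpret the MUI diagnostic that peek.bat collects (added example).

Windows console tools load their message strings from a <lang>\\<tool>.exe.mui
resource file chosen from the user's preferred UI language list. A tool with no
.mui for the active language cannot format its messages, which matches the
"cannot find message text for message number 0x8" error seen in the thread.
"""
import re

# The tools peek.bat looks for (the alternation in its PEV regex).
TOOLS = ("attrib", "cscript", "ping", "route", "cmd",
         "ipconfig", "sort", "findstr", "regedit")

# Constructed sample input: the SWREG and PEV output posted in the thread,
# reduced to the lines the parser uses.
SAMPLE_OUTPUT = r"""
HKEY_CURRENT_USER\control panel\desktop\muicached
MachinePreferredUILanguages REG_MULTI_SZ he-IL\0\0
HKEY_CURRENT_USER\control panel\international
LocaleName REG_SZ he-IL
----a-w- 45,056 2009-07-14 02:04:56 C:\Windows\en-US\regedit.exe.mui
----a-w- 42,496 2009-07-13 16:40:30 C:\Windows\he-IL\regedit.exe.mui
----a-w- 2,048 2009-07-14 02:06:38 C:\Windows\System32\en-US\attrib.exe.mui
----a-w- 126,976 2009-07-14 02:09:26 C:\Windows\System32\en-US\cmd.exe.mui
----a-w- 11,264 2009-07-14 02:04:14 C:\Windows\System32\en-US\cscript.exe.mui
----a-w- 8,704 2009-07-14 02:09:18 C:\Windows\System32\en-US\findstr.exe.mui
----a-w- 27,648 2009-07-14 02:09:34 C:\Windows\System32\en-US\ipconfig.exe.mui
----a-w- 9,728 2009-07-14 02:07:52 C:\Windows\System32\en-US\ping.exe.mui
----a-w- 12,288 2009-07-14 02:07:02 C:\Windows\System32\en-US\route.exe.mui
----a-w- 10,752 2009-07-14 02:07:18 C:\Windows\System32\en-US\sort.exe.mui
----a-w- 11,264 2009-07-13 16:35:30 C:\Windows\System32\he-IL\cscript.exe.mui
"""

_PREFERRED_RE = re.compile(r"^MachinePreferredUILanguages\s+REG_MULTI_SZ\s+(.*)$", re.I)
# Matches the trailing "\<lang>\<tool>.exe.mui" of a PEV listing line.
_MUI_RE = re.compile(r"\\([a-z]{2}-[a-z]{2})\\([a-z0-9]+)\.exe\.mui\s*$", re.I)


def parse_preferred_languages(text):
    """Return the MachinePreferredUILanguages list, most preferred first.

    SWREG prints REG_MULTI_SZ values with literal '\\0' separators, so
    'he-IL\\0\\0' is a single entry 'he-IL'. Languages are lower-cased.
    """
    for line in text.splitlines():
        m = _PREFERRED_RE.match(line.strip())
        if m:
            return [p.lower() for p in m.group(1).split(r"\0") if p]
    return []


def parse_mui_files(text):
    """Map each tool name to the set of languages that have a .mui file for it."""
    found = {}
    for line in text.splitlines():
        m = _MUI_RE.search(line.strip())
        if m:
            lang, tool = m.group(1).lower(), m.group(2).lower()
            found.setdefault(tool, set()).add(lang)
    return found


def missing_mui(text, tools=TOOLS):
    """For every preferred UI language, list the tools with no .mui for it."""
    preferred = parse_preferred_languages(text)
    present = parse_mui_files(text)
    return {lang: sorted(t for t in tools if lang not in present.get(t, set()))
            for lang in preferred}


if __name__ == "__main__":
    for lang, tools in missing_mui(SAMPLE_OUTPUT).items():
        status = ", ".join(tools) if tools else "none missing"
        print(f"{lang}: missing .mui for {status}")
```

Run against the posted output it reports that, for he-IL, attrib, cmd, findstr, ipconfig, ping, route and sort have no message resource; the same parser run on Logit.txt from a machine whose preferred language is fully provisioned returns an empty list for every language.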
#27
Posted 22 September 2010 - 06:37 PM
Did you revert these settings as well?
#28
Posted 22 September 2010 - 06:48 PM
Can't promise it'll produce a log but it should get you closer to the finish line. On my own machine after installing the Hebrew language pack, ComboFix did complete its run.
#29
Posted 22 September 2010 - 07:57 PM
Did you revert these settings as well?
YES!
Can't promise it'll produce a log but it should get you closer to the finish line. On my own machine after installing the Hebrew language pack, ComboFix did complete its run.
Great!
Finally it works!
This is a logfile:
ComboFix 10-09-22.05 - SENDER 09/23/2010 2:32.9.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1255.972.1033.18.3037.2251 [GMT 2:00]
Running from: c:\users\SENDER\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))
.
2010-09-23 00:39 . 2010-09-23 00:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-23 00:30 . 2010-09-23 00:31 -------- d-----w- C:\32788R22FWJFW
2010-09-22 18:30 . 2010-09-22 18:30 7394930 ----a-w- C:\ComboFix.zip
2010-09-22 16:29 . 2010-09-22 22:16 -------- d-----w- C:\תיקיה חדשה (2)
2010-09-13 11:33 . 2010-09-13 11:33 133632 ----a-w- C:\RKUnhookerLE.EXE
2010-09-13 11:21 . 2010-09-13 11:21 50477 ----a-w- C:\Defogger.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-22 19:07 . 2009-12-01 01:50 667270 ----a-w- c:\windows\system32\perfh019.dat
2010-09-22 19:07 . 2009-12-01 01:50 129430 ----a-w- c:\windows\system32\perfc019.dat
2010-09-22 19:07 . 2009-06-23 16:18 66876 ----a-w- c:\windows\system32\perfc00D.dat
2010-09-22 19:07 . 2009-06-23 16:18 356080 ----a-w- c:\windows\system32\perfh00D.dat
2010-08-21 17:30 . 2010-08-21 17:25 -------- d-----w- c:\users\SENDER\AppData\Roaming\BSplayer PRO
2010-08-21 17:25 . 2010-08-21 15:36 -------- d-----w- c:\program files\Webteh
2010-08-21 15:44 . 2009-08-18 20:41 -------- d-----w- c:\users\SENDER\AppData\Roaming\CyberLink
2010-08-21 15:44 . 2009-09-26 14:38 -------- d-----w- c:\programdata\CyberLink
2010-08-02 10:12 . 2010-08-02 10:12 -------- d-----w- c:\programdata\Innovative Solutions
2010-08-02 10:12 . 2010-08-02 10:12 -------- d-----w- c:\program files\Innovative Solutions
2010-08-02 10:10 . 2010-08-02 10:10 -------- d-----w- c:\programdata\inf
2010-08-02 10:10 . 2010-08-02 10:10 -------- d-----w- c:\program files\My Drivers
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"RtHDVCpl"="RtHDVCpl.exe" [2008-09-18 6294048]
"eAudio"="c:\program files\Acer\Empowering Technology\eAudio\eAudio.exe" [2008-09-11 544768]
"ePower_DMC"="c:\program files\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2008-11-28 417792]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2008-06-09 870920]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
c:\users\SENDER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
HDDlife.lnk - c:\program files\HDDlife 3\HDDlifePro.exe [2007-5-25 712758]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 08:38 34672 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2007-10-23 07:56 200704 ----a-w- c:\windows\PLFSetI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2006-11-23 12:10 56928 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-09-18 11:00 6294048 ----a-w- c:\windows\RtHDVCpl.exe
R3 WatAdminSvc;השירות 'טכנולוגיות הפעלה' של Windows;c:\windows\system32\Wat\WatAdminSvc.exe [2010-05-04 1343400]
R4 ETService;Empowering Technology Service;c:\program files\Acer\Empowering Technology\Service\ETService.exe [2008-11-28 24576]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-11-14 1179232]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-06-23 721904]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-09-23 64288]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-02-24 135336]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\DRIVERS\winbondcir.sys [2007-03-28 43008]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.il/
IE: &ייצוא אל Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-DriverMax - (no file)
HKCU-Run-DriverMax_RESTART - (no file)
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-09-23 02:41:39
ComboFix-quarantined-files.txt 2010-09-23 00:41
Pre-Run: 4,966,760,448 bytes free
Post-Run: 4,885,712,896 bytes free
- - End Of File - - 2C100A923D414F8D6A6A4A350780656E
This post has been edited by alex1200: 22 September 2010 - 07:59 PM
#30
Posted 22 September 2010 - 08:14 PM
But I still have questions on this theme:
1. Why is there no usual report of the "rootkit/stealth malware detector by Gmer" in this logfile (ComboFix.txt)?
2. Will ComboFix now work without problems on machines that come pre-installed with Hebrew too (Windows 7 and Windows Vista SP2)?