Need help with ComboFix log

ComboFix 08-01-18.5 - alain 2008-01-18 19:54:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.340 [GMT -5:00]
Running from: C:\Documents and Settings\alain\My Documents\Windows\ComboFix\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\regedit.com
C:\WINDOWS\system32\taskmgr.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm

((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.

2008-01-18 19:53 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 13:50 . 2008-01-14 13:50 d-------- C:\Documents and Settings\alain\DoctorWeb
2008-01-13 13:39 . 2008-01-13 13:39 d-------- C:\Program Files\Common Files\xing shared
2008-01-07 20:27 . 2008-01-07 20:27 d-------- C:\Documents and Settings\All Users\Application Data\G DATA
2008-01-07 19:08 . 2008-01-07 19:08 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-04 16:38 . 2008-01-04 16:38 1,576 --a------ C:\WINDOWS\uninst23.mif
2008-01-04 15:53 . 2008-01-04 15:53 d-------- C:\Documents and Settings\All Users\Application Data\fssg
2007-12-25 16:04 . 2007-12-25 17:16 65,568 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-25 16:04 . 2007-12-25 17:16 1,844 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-24 12:59 . 2007-12-24 12:59 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-24 12:46 . 2008-01-18 01:08 d-------- C:\Documents and Settings\alain\Application Data\PrevxCSI
2007-12-22 16:17 . 2007-12-22 16:17 26 --a------ C:\WINDOWS\Lic.xxx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 03:39 --------- d--h--w C:\Documents and Settings\alain\Application Data\Move Networks
2008-01-13 18:39 --------- d-----w C:\Program Files\Real
2008-01-13 18:39 --------- d-----w C:\Program Files\Common Files\Real
2007-12-08 17:59 --------- d-----w C:\Program Files\MPlayer
2007-11-30 18:12 --------- d-----w C:\Documents and Settings\alain\Application Data\Winamp
2007-04-24 23:25 21,672 ----a-w C:\Documents and Settings\alain\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\2.tmp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-19 00:55:00 C:\WINDOWS\Tasks\User_Feed_Synchronization-{375E6485-7927-400B-A32F-33A139330382}.job"

  • C:\WINDOWS\system32\msfeedssync.exe
    .

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 19:57:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-18 19:58:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-19 00:58:01

Are you experiencing any problems, as that looks OK?

False alarm. I found a driver entry called MEMSWEEP2 which had rootkit behavior. That driver actually belongs to Sophos Antirootkit.

Thanks for the quick response.