
Combofix Log



#1 crabbo


Posted 18 February 2008 - 02:00 PM

Hi, the Storage Protector virus has installed itself on my computer, with all the problems that everybody seems to have with it: warning messages, masses of little files all over the place, and the computer 'hangs' every 10 minutes. I just ran ComboFix on recommendation by your site and I am posting the log. Any help greatly appreciated.

ComboFix 08-02-18.1 - Owner 2008-02-18 19:02:24.1 - NTFSx86
Running from: C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\wvurpol.dll
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector\Data\ac
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector\Data\em
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector\Data\oid
C:\Documents and Settings\All Users.WINDOWS\Application Data\storageprotector\Data\user
C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\storageprotector
C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\storageprotector\Logs\update.log
C:\Temp\isgTi19
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\aighumti.dll
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\coivtuud.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\lbvmontj.dll
C:\WINDOWS\system32\lbvmontj.dll . . . . failed to delete
C:\WINDOWS\system32\lbvmontj.dllbox
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\llnmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\rqrqpml.dll
C:\WINDOWS\system32\rqrqpqn.dll
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\sicvoutu.ini
C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\utuovcis.dll
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wvurpol.dll
C:\WINDOWS\system32\wvuvttr.dll
C:\WINDOWS\system32\wxnwmkxj.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\NPF


((((((((((((((((((((((((( Files Created from 2008-01-18 to 2008-02-18 )))))))))))))))))))))))))))))))
.

2008-02-18 19:17 . 2008-02-18 19:17 14,033 --a------ C:\posBF.tmp
2008-02-18 19:16 . 2008-02-18 19:18 19,054 ---hs---- C:\WINDOWS\system32\lbvmontj.dllbox
2008-02-18 12:33 . 2008-02-18 12:41 <DIR> d-------- C:\Program Files\XoftSpySE
2008-02-18 11:58 . 2008-02-18 11:59 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-18 11:21 . 2008-02-18 19:08 163,904 --a------ C:\WINDOWS\system32\lbvmontj.dll
2008-02-17 09:31 . 2008-02-17 09:31 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-07 22:17 . 2008-02-07 22:17 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Yahoo! Companion
2008-02-07 17:51 . 2008-02-07 17:51 <DIR> d-------- C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\Yahoo!
2008-02-07 17:49 . 2008-02-07 17:49 <DIR> d-------- C:\Program Files\BT Broadband Talk Softphone
2008-02-07 17:49 . 2008-02-07 17:49 <DIR> d-------- C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\BT
2008-02-07 17:48 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-02-07 17:48 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-02-07 17:47 . 2008-02-07 18:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\yahoo!
2008-02-07 17:47 . 2002-02-21 18:56 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-07 17:46 . 2008-02-07 17:51 <DIR> d-------- C:\Program Files\Yahoo!
2008-02-07 17:46 . 2002-01-05 05:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-02-07 17:46 . 2001-10-11 10:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-02-07 17:45 . 2008-02-07 22:16 <DIR> d-------- C:\WINDOWS\Motive
2008-02-07 17:42 . 2008-02-07 17:42 <DIR> d-------- C:\Program Files\BTHomeHub
2008-02-07 17:31 . 2008-02-07 17:31 <DIR> d-------- C:\WINDOWS\tmp.0000
2008-02-07 09:20 . 2008-02-07 09:20 2 --a------ C:\WINDOWS\msoffice.ini
2008-02-05 18:54 . 2008-02-05 18:54 <DIR> d-------- C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\Samsung
2008-02-05 18:36 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-02-05 18:34 . 2005-08-30 01:49 94,000 --a------ C:\WINDOWS\system32\drivers\ssm_mdm.sys
2008-02-05 18:34 . 2005-08-30 01:47 58,320 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys
2008-02-05 18:34 . 2005-08-30 01:49 8,336 --a------ C:\WINDOWS\system32\drivers\ssm_mdfl.sys
2008-02-05 18:34 . 2005-08-30 01:49 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cmnt.sys
2008-02-05 18:34 . 2005-08-30 01:49 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cm.sys
2008-02-05 18:34 . 2005-08-30 01:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys
2008-02-05 18:34 . 2005-08-30 01:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys
2008-02-05 18:32 . 2008-02-05 18:32 <DIR> d-------- C:\Program Files\Samsung
2008-01-31 14:45 . 2008-01-31 18:49 140,577 --------- C:\WINDOWS\hpoins14.dat.temp
2008-01-31 14:45 . 2007-06-05 23:07 2,000 --------- C:\WINDOWS\hpomdl14.dat.temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 12:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-02-17 17:14 --------- d-----w C:\Program Files\Azureus
2008-02-17 15:28 --------- d-----w C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\Azureus
2008-02-17 11:35 --------- d-----w C:\Program Files\Pr settings
2008-02-15 11:37 --------- d-----w C:\Program Files\Java
2008-02-07 17:43 155,995 ----a-w C:\WINDOWS\java\Packages\NL3PN7J5.ZIP
2008-02-07 09:21 --------- d-----w C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\AOL
2008-02-07 09:21 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2008-02-07 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-07 09:17 --------- d-----w C:\Program Files\QuickTime
2008-02-07 09:17 --------- d-----w C:\Program Files\DivX
2008-02-07 09:17 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-02-07 09:16 --------- d-----w C:\Program Files\Apple Software Update
2008-01-17 14:52 --------- d-----w C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\HP
2008-01-17 14:52 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\HP
2008-01-07 21:51 --------- d-----w C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\LimeWire
2007-12-27 19:09 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WEBREG
2007-12-27 19:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Hewlett-Packard
2007-12-27 19:04 --------- d-----w C:\Program Files\HP
2007-12-27 19:04 --------- d-----w C:\Documents and Settings\Owner.PAUL-CZ1P199GR1\Application Data\HPAppData
2007-12-27 19:04 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\HPSSUPPLY
2007-12-27 19:02 --------- d-----w C:\Program Files\Common Files\HP
2007-12-27 19:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\HP Product Assistant
2007-12-27 19:01 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2006-07-31 07:07 205,918 --sha-w C:\WINDOWS\system32\prutv.bak1
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
2007-03-02 16:52 1298024 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{053F9267-DC04-4294-A72C-58F732D338C0}]
2007-03-02 16:52 177768 -ra------ C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0d636e6b-646a-4b3a-9db5-d3c57db8f70e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E0A2AD5-1ADC-4EC3-90FC-0FB793C9259E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{724BCB4C-BDEE-4902-8E68-6BE716FCAF25}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-18 19:08 163904 --a------ C:\WINDOWS\system32\lbvmontj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FEFF87D9-0538-4E1C-B95C-344788315E37}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 18:11 4670968]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 09:39 61440]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2005-10-19 07:59 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-10-19 07:59 126976]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 19:56 188416]
"CARPService"="carpserv.exe" [2001-12-23 11:02 4608 C:\WINDOWS\system32\carpserv.exe]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-02-18 19:03 26112]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 19:14 271672]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 21:34 49152]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [ ]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [ ]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"winupdates"="C:\Program Files\winupdates\winupdates.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2003-07-16 20:26 13312]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lbvmontj]
lbvmontj.dll 2008-02-18 19:08 163904 C:\WINDOWS\system32\lbvmontj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvurpol]

S3 alcan5ln;SpeedTouch™ USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\System32\DRIVERS\alcan5ln.sys [2003-12-08 19:53]
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\System32\DRIVERS\k600bus.sys [2005-03-04 17:08]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\k600mdfl.sys [2005-03-04 17:11]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\System32\DRIVERS\k600mdm.sys [2005-03-04 17:11]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\System32\DRIVERS\k600mgmt.sys [2005-03-04 17:13]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\System32\DRIVERS\k600obex.sys [2005-03-04 17:15]
S3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\System32\DRIVERS\PPPoEWin.SYS []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
Contents of the 'Scheduled Tasks' folder
"2008-01-23 08:38:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-17 14:44:14 C:\WINDOWS\Tasks\WebReg Deskjet F2100 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-18 19:17:03
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\lbvmontj.dll

PROCESS: C:\WINDOWS\explorer.exe [6.00.2800.1106]
-> C:\WINDOWS\system32\lbvmontj.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\dumprep.exe
C:\WINDOWS\System32\dwwin.exe
.
**************************************************************************
.
Completion time: 2008-02-18 19:23:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-18 19:23:05
.
2008-02-13 18:03:28 --- E O F ---


Mod Edit: Topic moved to more appropriate forum~ TMacK

Edited by TMacK, 18 February 2008 - 02:31 PM.


#2 quietman7


Posted 22 February 2008 - 08:12 AM

You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators




