Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

'Personal Security' Rogue program damaged Windows XP


  • This topic is locked This topic is locked
45 replies to this topic

#1 Patiszerg

Patiszerg

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 18 March 2010 - 11:37 PM

Hello,

My brother's PC (Windows XP) was recently hit with a rogue antivirus program going by the name of "Personal Security". It completely shut down windows defender, windows security center, Norton antivirus and eventually prevented windows from booting. I received the computer from him with it being unable to boot and I was able to restore windows to a (somewhat) working state by doing a repair install but programs will only work and run in safe mode. Windows security center, firewall and defender will not work in safe mode though. Right now the only idea I had was to back up his data and format the old hard drive to wipe the virus and start over but I would rather try and see if I had other options first. A few things I have tried are running Norton in safe mode but it did not detect anything and I tried windows Live onecare safety scanner and it did find a few threats and issues but could not remove them all.

My brother has a terrible habit of not updating his software often so thus a lot of things are probably outdated. Don't worry, I will school him of the importance of updates next time I see him.

A side note... I can't seem to upload the Ark.txt file because there is nothing is saved in the text file after the scan and after I click 'save'. The GMER log did not show any rootkit infections after the scan in safe mode.

Thanks for the help.
Pat


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Owner at 6:29:30.53 on Wed 03/17/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.2039.1653 [GMT -6:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/?fr=fptb-hpd04
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
mSearchAssistant = hxxp://search.alot.com/sidebar?pr=asst&client_id=4D52B80001CA77F5030B3E82&install_time=08-12-2009:04:58&src_id=11231&camp_id=-3&tb_version=2.4.2.399&url=http%3A%2F%2Fm%2Ewww%2Eyahoo%2Ecom%2F%3Ffr%3Dfptb%2Dhpd04
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realone player\rpbrowserrecordplugin.dll
BHO: {549B5CA7-4A86-11D7-A4DF-000874180BB3} - No File
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: {6551001F-A07B-40B1-8F55-B44BF35A42A6} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: PriceGongCtrl Class: {d2a2595c-4fe4-4315-aa9b-19dbd6271b71} - c:\program files\pricegong\1.5.0\PriceGongIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
mRunOnce: [InstallShieldSetup] c:\progra~1\instal~1\{a3bc5~1\setup.exe -rebootc:\progra~1\instal~1\{a3bc5~1\reboot.ini -l0x9
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\2wirew~1.lnk - c:\program files\2wire 802.11g wireless\PRISMCFG.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\button~1.lnk - c:\program files\initio\button manager v1.836\inihid.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
uPolicies-system: DisableTaskMgr =
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188423276666
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206216674015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: altvxvm - {CE1A2179-DC00-47B8-8F8A-218EE78620B7} - No File
SSODL: CDDrv - {8d778a94-b011-4d37-b40a-27345fdd73eb} - No File
SSODL: zip - {a70bfbdb-a3de-42a4-b3f0-b935e3d241af} - No File
SSODL: CheckChk - {69b6a7b5-a434-4648-b53c-5291effd617f} - No File
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 607576]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2008-1-2 347648]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-2 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-2 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-2 482432]
S1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\idsxpx86.sys --> c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\IDSxpx86.sys [?]
S2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008-1-23 501560]
S2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2009-8-30 99248]
S2 mrtRate;mrtRate; [x]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100226.033\NAVENG.SYS [2010-2-26 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100226.033\NAVEX15.SYS [2010-2-26 1324720]
UnknownUnknown xrjlzlyl;xrjlzlyl; [x]

=============== Created Last 30 ================

2010-03-17 08:44:09 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-03-17 05:28:18 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-03-17 05:13:16 290905 ----a-w- c:\windows\system32\PRISMSVR.exe
2010-03-17 05:13:16 0 d-----w- c:\program files\2Wire 802.11g Wireless
2010-03-17 03:09:22 552 ----a-w- c:\windows\system32\d3d8caps.dat

==================== Find3M ====================

2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-08 10:57:40 3265376 ----a-w- c:\program files\openoffice-impress.apgwba01.78.exe
2009-11-17 04:52:11 1079084 ----a-w- c:\program files\yahoomailuploader_0.5.exe
2005-05-26 20:35:42 1422 ----a-w- c:\program files\ReadMe.txt

============= FINISH: 6:29:39.60 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:26 PM

Posted 20 March 2010 - 05:39 AM

Hello my name is Sempai and welcome to Bleeping Computer. smile.gif
*We apologize for the delay. Forum have been busy.

* Please stay with me until I declare that your computer is clean as most users don't reply anymore once they found out that their computer is running smoothly, but absence of symptoms does not mean that a computer is free from infection.

*It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.

*Please be patient, all Bleeping Computer helpers are volunteers and have lives outside this forum.

*You must reply within 5 days otherwise this topic will be closed.


++++++++++++++++++++


1. Please download RKill by Grinler.
Link 1
Link 2
Link 3
Link 4
  • Save it to your desktop.
  • Close/disable your anti virus program so they do not interfere with RKill. (Tutorials on how to disable your anti virus program can be found HERE.)
  • Double click the RKILL icon to start the program. (For Windows VISTA, right click the icon and run as administrator)
  • A window will appear and close automatically once completed. This indicates a successful run.
  • Do not reboot your computer and continue with step 2.
Note:
  1. Try running RKill using Link 1, if it does not run, download Link 2 and delete Link 1 then try running it again.
  2. If you still can't run RKill, repeat the same steps using Link 3 and 4. Please tell me if all the link does not work.




2. Please download Malwarebytes' Anti-Malware from here:
MalwareBytes' AntiMalware download link

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.




~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 Patiszerg

Patiszerg
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 20 March 2010 - 09:47 PM

Hello Sempai,

Thank you so very much for your help. smile.gif Link 1 worked fine for the download on the Rkill and this is the report it displayed after running it. Appologies if you did not need me to post it but rather safe than sorry. The malwarebytes prompted me to restart the computer to complete the removal process. I'm not sure if it was successful or not. Also on a side note I am doing all of these scans in safe mode logged in as 'owner'. So please let me know if something needs to be attempted out of safe mode.

Pat

Rkill log

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 03/19/2010 at 9:28:55.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Owner\Desktop\rkill.scr


Rkill completed on 03/19/2010 at 9:28:57.


And here is the Malwarebytes log.


Malwarebytes' Anti-Malware 1.44
Database version: 3889
Windows 5.1.2600 Service Pack 1 (Safe Mode)
Internet Explorer 6.0.2800.1106

3/19/2010 9:35:08 AM
mbam-log-2010-03-19 (09-35-08).txt

Scan type: Quick Scan
Objects scanned: 134783
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PersSecurity (Rogue.PersonalSecurity) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servises (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\altvxvm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Clicker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\487656.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\d.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Edited by Patiszerg, 20 March 2010 - 09:48 PM.


#4 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:26 PM

Posted 20 March 2010 - 10:36 PM

Hi Patiszerg,

Looks good.

Can you please try to boot in normal windows and tell me how it went (state any problem/s on normal window) so I can adjust my fix accordingly. Thanks.


~Semp

Edited by sempai, 20 March 2010 - 10:39 PM.

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#5 Patiszerg

Patiszerg
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 20 March 2010 - 10:45 PM

Will do, it's slow on the boot up so be right back in a few minutes once it is up.

#6 Patiszerg

Patiszerg
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 20 March 2010 - 11:06 PM

ok back -

A few things seem fishy or wrong. First of all a program under the task manager named 'msiexec.exe' has multiple instances running and is pegging the CPU speed at 100%. It stops after a few minutes so that is probably a boot up legit program.

A program call 'Status' attempts to load and install something and I can only stop it by going to end program in the task manager. Otherwise it will keep on popping up even after I click on the X to close it out or hit cancel.

Norton has a few errors; Frist error code: 0x00000001 and Auto protect error code 0.0000003E8. Norton also tries to load up a support page but I close that out as well.

There are updates available from microsoft but I am not installing those incase the security center is still infected. Also the security center still will not load on start up and it will not even load when I try a manual start up from the services program/window.

That is pretty much everything I see at the moment. I'll keep you updated with anything else or new I see come up.

Edited by Patiszerg, 20 March 2010 - 11:08 PM.


#7 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:26 PM

Posted 20 March 2010 - 11:13 PM

Ok thanks for the infos.... Let see if we can run ComboFix in Normal Windows.


Download Combofix (by Subs) from any of the links below, and save it to your desktop.
Link 1
Link 2
  • Temporary disable your anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    • It's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note**
*If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
*The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
*This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
**Please note**
*Leave your computer alone while ComboFix is running.
*ComboFix will restart your computer if malware is found; allow it to do so.
*Please Do NOT mouseclick combofix's window while its running because it may call it to stall.


Warning!
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper, *** If your are not the topic starter DO NOT run this tool as it could cause irreversible damage to your computer.


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



~Semp


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#8 Patiszerg

Patiszerg
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 20 March 2010 - 11:36 PM

The wireless connection just went down on the computer we're trying to fix... Sorry about that. If I can't get it back up I'll have to try it in safe mode. Also when the net was working when I would click on either of those links IE would lock up. I may have to download it in safe mode and try running it in normal windows.

#9 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:26 PM

Posted 20 March 2010 - 11:39 PM

QUOTE
I may have to download it in safe mode and try running it in normal windows.

This may work, please give it a shot.

~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#10 Patiszerg

Patiszerg
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 20 March 2010 - 11:44 PM

Ok got the download to work in normal mode... Right clicking and hitting 'save as' worked. Attempting to run it now in normal mode.

#11 Patiszerg

Patiszerg
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 21 March 2010 - 12:20 AM

It ran fine and everything. Here is the log. edit: This will be my last post of the night. Again thanks for the help and I will be here tomorrow. smile.gif

ComboFix 10-03-20.01 - Owner 03/19/2010 11:58:29.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.2039.1555 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\alot
c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\Owner\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\Owner\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\Owner\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\Owner\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\Owner\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\Owner\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\Owner\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\Owner\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\Owner\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\Owner\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml
c:\documents and settings\Owner\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\Owner\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\Owner\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\Owner\Application Data\alot\products\products.xml
c:\documents and settings\Owner\Application Data\alot\products\products.xml.backup
c:\documents and settings\Owner\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\Owner\Application Data\alot\Resources\BrowserSearch\images\favicon.ico
c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\default_2302_default_1379_alot_cas_playgames.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_2\images\default_2302_default_1379_alot_cas_playgames.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_3\images\default_2304_default_1379_alot_cas_playgames.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_3\images\default_2304_default_1379_alot_cas_playgames.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_2303_default_1379_alot_cas_playgames.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_4\images\default_2303_default_1379_alot_cas_playgames.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2305_default_1613_alot_online_games_tetriz.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_5\images\default_2305_default_1613_alot_online_games_tetriz.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_2306_default_2080_frogger_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_6\images\default_2306_default_2080_frogger_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\cloudy.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_1007_alot_weather_widget.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\default_1007_alot_weather_widget.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\nclear.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_7\images\nmcloud.png
c:\documents and settings\Owner\Application Data\alot\Resources\Button_8\images\default_1363_alot_widget_radio.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Button_8\images\default_1363_alot_widget_radio.png
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_icon.png
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\domains.dat
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\discover.png
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\spinner.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_caption.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
c:\documents and settings\Owner\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\Owner\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\Owner\Application Data\alot\toolbar.xml
c:\documents and settings\Owner\Application Data\alot\toolbar.xml.backup
c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml
c:\documents and settings\Owner\Application Data\alot\toolbarContextMenu\toolbarContextMenu.xml.backup
c:\documents and settings\Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml
c:\documents and settings\Owner\Application Data\alot\Updater\Updater.xml.backup
c:\program files\alot
c:\program files\alot\alotUninst.exe
c:\program files\alot\bin\alot.dll
c:\recycler\NPROTECT
c:\recycler\S-1-5-21-1547161642-1960408961-839522115-500
c:\windows\system32\ps2.bat
D:\Autorun.inf

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\$NtUninstallKB842773$\qmgr.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-19 15:17 . 2010-03-19 15:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-19 15:17 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 15:17 . 2010-03-19 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 15:17 . 2010-03-19 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 15:17 . 2010-01-07 22:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 04:44 . 2010-03-18 04:44 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\PCHealth
2010-03-17 05:16 . 2010-03-17 08:03 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-17 05:13 . 2010-03-17 05:13 -------- d-----w- c:\program files\2Wire 802.11g Wireless
2010-03-17 05:13 . 2004-04-14 01:45 290905 ----a-w- c:\windows\system32\PRISMSVR.exe
2010-03-17 03:09 . 2010-03-17 03:09 552 ----a-w- c:\windows\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 20:08 . 2010-03-20 20:08 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\naveng.sys
2010-03-20 20:08 . 2010-03-20 20:08 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\eeCtrl.sys
2010-03-20 20:08 . 2010-03-20 20:08 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\cceraser.dll
2010-03-20 20:08 . 2010-03-20 20:08 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\ecmsvr32.dll
2010-03-20 20:08 . 2010-03-20 20:08 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\naveng32.dll
2010-03-20 20:08 . 2010-03-20 20:08 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\navex32a.dll
2010-03-20 20:08 . 2010-03-20 20:08 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\navex15.sys
2010-03-20 20:08 . 2010-03-20 20:08 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\eraser.sys
2010-03-19 18:11 . 2007-09-30 22:15 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-03-19 17:46 . 2008-11-14 06:26 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-03-19 15:18 . 2010-03-19 15:18 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-19 15:01 . 2010-03-19 15:01 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-03-17 16:20 . 2008-08-15 04:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 05:10 . 2004-04-02 09:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 06:17 . 2010-02-06 06:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-03 09:00 . 2010-02-27 00:59 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\NAVENG.SYS
2010-02-03 09:00 . 2010-02-27 00:59 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\NAVEX15.SYS
2010-02-02 02:20 . 2010-02-02 02:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Individual Software
2010-01-26 21:55 . 2010-01-26 21:48 -------- d-----w- c:\program files\ResumeMaker
2010-01-26 21:48 . 2010-01-26 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Individual Software
2010-01-26 21:38 . 2010-01-26 21:38 -------- d-----w- c:\program files\BudgetExpress 3
2010-01-22 01:04 . 2010-01-22 01:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2010-01-22 00:29 . 2010-01-22 00:29 -------- d-----w- c:\program files\Common Files\Logitech
2010-01-22 00:29 . 2010-01-22 00:28 -------- d-----w- c:\program files\Logitech
2010-01-21 23:53 . 2010-01-21 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
2010-01-21 23:53 . 2010-01-21 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-01-21 23:52 . 2010-01-21 23:52 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2010-01-14 17:12 . 2009-10-05 03:01 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00 . 2009-08-31 17:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-04 22:31 . 2010-01-04 22:31 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2010-01-04 22:31 . 2010-01-04 22:31 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\finish.exe
2010-01-04 22:31 . 2010-01-04 22:31 175104 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\reduced_contents_PrintCreation_expanded\setup.exe
2010-01-04 22:24 . 2010-01-04 22:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
2010-01-04 22:22 . 2010-01-04 22:22 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\start.exe
2010-01-04 22:22 . 2010-01-04 22:22 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_1e6d8995\EasyShrx.Dll
2010-01-04 22:22 . 2010-01-04 22:22 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.0.30.1.dll
2009-12-08 10:57 . 2009-12-08 10:57 3265376 ----a-w- c:\program files\openoffice-impress.apgwba01.78.exe
2009-11-17 04:52 . 2009-11-17 04:52 1079084 ----a-w- c:\program files\yahoomailuploader_0.5.exe
2005-05-26 20:35 . 2009-12-30 00:21 1422 ----a-w- c:\program files\ReadMe.txt
.

------- Sigcheck -------

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}]
2009-10-08 03:01 288056 ----a-w- c:\program files\PriceGong\1.5.0\PriceGongIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-22 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 311984]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2003-03-31 208953]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-02-13 44032]
"AlcxMonitor"="ALCXMNTR.EXE" [2003-04-04 50176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"PRISMSVR.EXE"="c:\windows\System32\PRISMSVR.EXE" [2004-04-14 290905]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client.lnk - c:\program files\2Wire 802.11g Wireless\PRISMCFG.EXE [2010-3-16 335979]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Button Manager v1.836.lnk - c:\program files\INITIO\Button Manager v1.836\inihid.exe [2009-12-29 192512]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2010-1-2 270336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=c:\windows\pss\IMStart.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 13:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2003-04-04 04:35 50176 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-21 21:44 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 21:44 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2003-09-13 03:13 98304 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-14 04:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2003-12-18 07:31 118784 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-04-02 08:49 32881 ----a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-02-22 04:45 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100312.001\IDSXpx86.sys [3/19/2010 11:04 AM 329592]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [1/23/2008 2:19 AM 501560]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [8/30/2009 12:25 PM 99248]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 3:49 AM 117640]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 4:19 PM 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 6:46 AM 102448]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [1/2/2008 9:17 PM 347648]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/2/2010 3:49 AM 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/2/2010 3:49 AM 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/2/2010 3:49 AM 482432]
S2 mrtRate;mrtRate; [x]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [7/31/2006 6:44 AM 580992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]

2010-02-26 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-12 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/?fr=fptb-hpd04
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
.
- - - - ORPHANS REMOVED - - - -

SSODL-CDDrv-{8d778a94-b011-4d37-b40a-27345fdd73eb} - (no file)
SSODL-CheckChk-{69b6a7b5-a434-4648-b53c-5291effd617f} - (no file)
MSConfigStartUp-VTTimer - VTTimer.exe
AddRemove-alotToolbar - c:\program files\alot\alotUninst.exe
AddRemove-OVT Scanner - c:\windows\omniuns.exe USB\Vid_05a9&PID_1550 OVT Scanner



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-19 12:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(892)
c:\windows\System32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(948)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(3884)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\msctfime.ime
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\System32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\windows\system32\lxdicoms.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\msiexec.exe
c:\windows\System32\taskmgr.exe
c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\OCSCtl.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2010-03-19 12:17:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-19 18:17

Pre-Run: 257,988,866,048 bytes free
Post-Run: 259,322,355,712 bytes free

- - End Of File - - 9B878CC70E0FF80DCB23172E25615A6E

Edited by Patiszerg, 21 March 2010 - 12:35 AM.


#12 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:26 PM

Posted 21 March 2010 - 01:09 AM

Hi,

P2P warning:

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case LimeWire and Vuze).
These programmes allow to share files between users as the name(s) suggest. In today's world the cyber crime has come to an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."



++++++++++++++++++++++++++++++++++++++++++


1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  • Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    c:\program files\yahoomailuploader_0.5.exe
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/




2. We need to execute a ComboFix script. (Tutorials on how to disable your anti virus and anti malware programs can be found HERE.)
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the code box below into it:

CODE
DDS::
mRun: [AlcxMonitor] ALCXMNTR.EXE
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

SrPeek::
c:\windows\system32\wscntfy.exe
c:\windows\system32\xmlprov.dll
c:\windows\system32\drivers\ip6fw.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


4. Save this as CFScript.txt, in the same location as ComboFix.exe




5. Refering to the picture above, drag CFScript into ComboFix.exe

6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



3. Please create a new DDS log and post it when you reply. Thanks.


~Semp


~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#13 Patiszerg

Patiszerg
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 21 March 2010 - 11:59 AM

For step 1. Both of those scanning websites were busy so I used one at totalvirus.com and the .exe file checked out fine against 41 scanners.

For step 2. I have ran into a bit of a snag running combofix. A program in the task manager going by the name of svchost.exe is running the computer at 100% CPU usage and has been going on for a about 30 minutes now. I know that program has something to do with microsoft services but I can't recall what. I have automatic updates off right now and windows defender off as well. Also I had two different errors when trying to run combofix with the scrip... first it came up with a 'date error check your settings'. Somehow the date on the computer was changed. Changing it fixed that. Then I had an error claiming combofix could only run on windows ME (I think) or XP. I tried again and eventually combo fix completed all 50 stages and seemed to run fine. After the reboot svchost.exe is not hogging the PC's cpu anymore. I'll let you know if that comes back at anytime.

That 'stats' program is still trying to run on boot up as well but this time when I hit end program on it via the task manager the 'end program' confirmation box stated it had something to do with HP display monitors.

Norton did not have any errors on start up this time.

Thank you for the warning about the Limewire and Vuse programs. Peer-to-peer programs do indeed make it easy to infect computers now days.

EDIT: Those scanning websites could have seemed busy because the computer was being bogged down by svchost.exe. If you would still like me to scan the .exe file using one of those above let me know.

Recent combofix log:

ComboFix 10-03-20.06 - Owner 03/21/2010 23:00:33.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.2039.1579 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt.txt
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\web\related.htm

Infected copy of c:\windows\system32\qmgr.dll was found and disinfected
Restored copy from - c:\windows\$NtUninstallKB842773$\qmgr.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-22 to 2010-03-22 )))))))))))))))))))))))))))))))
.

2010-03-19 15:17 . 2010-03-19 15:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-03-19 15:17 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 15:17 . 2010-03-19 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-19 15:17 . 2010-03-19 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-19 15:17 . 2010-01-07 22:07 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-18 04:44 . 2010-03-18 04:44 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\PCHealth
2010-03-17 05:16 . 2010-03-17 08:03 -------- d-----w- c:\program files\Windows Live Safety Center
2010-03-17 05:13 . 2010-03-17 05:13 -------- d-----w- c:\program files\2Wire 802.11g Wireless
2010-03-17 05:13 . 2004-04-14 01:45 290905 ----a-w- c:\windows\system32\PRISMSVR.exe
2010-03-17 03:09 . 2010-03-17 03:09 552 ----a-w- c:\windows\system32\d3d8caps.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-22 05:35 . 2007-09-30 22:15 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2010-03-20 20:08 . 2010-03-20 20:08 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\naveng.sys
2010-03-20 20:08 . 2010-03-20 20:08 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\eeCtrl.sys
2010-03-20 20:08 . 2010-03-20 20:08 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\cceraser.dll
2010-03-20 20:08 . 2010-03-20 20:08 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\ecmsvr32.dll
2010-03-20 20:08 . 2010-03-20 20:08 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\naveng32.dll
2010-03-20 20:08 . 2010-03-20 20:08 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\navex32a.dll
2010-03-20 20:08 . 2010-03-20 20:08 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\navex15.sys
2010-03-20 20:08 . 2010-03-20 20:08 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100320.022\eraser.sys
2010-03-20 03:44 . 2008-11-14 06:26 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-03-19 15:18 . 2010-03-19 15:18 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-19 15:01 . 2010-03-19 15:01 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-03-17 16:20 . 2008-08-15 04:03 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-17 05:10 . 2004-04-02 09:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-06 06:17 . 2010-02-06 06:17 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-03 09:00 . 2010-02-27 00:59 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\NAVENG.SYS
2010-02-03 09:00 . 2010-02-27 00:59 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100226.033\NAVEX15.SYS
2010-02-02 02:20 . 2010-02-02 02:20 -------- d-----w- c:\documents and settings\Owner\Application Data\Individual Software
2010-01-26 21:55 . 2010-01-26 21:48 -------- d-----w- c:\program files\ResumeMaker
2010-01-26 21:48 . 2010-01-26 21:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Individual Software
2010-01-26 21:38 . 2010-01-26 21:38 -------- d-----w- c:\program files\BudgetExpress 3
2010-01-22 01:04 . 2010-01-22 01:04 -------- d-----w- c:\documents and settings\Owner\Application Data\Leadertech
2010-01-22 00:29 . 2010-01-22 00:29 -------- d-----w- c:\program files\Common Files\Logitech
2010-01-22 00:29 . 2010-01-22 00:28 -------- d-----w- c:\program files\Logitech
2010-01-21 23:53 . 2010-01-21 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\UAB
2010-01-21 23:53 . 2010-01-21 23:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2010-01-21 23:52 . 2010-01-21 23:52 -------- d-----w- c:\program files\PC Drivers HeadQuarters
2010-01-14 17:12 . 2009-10-05 03:01 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00 . 2009-08-31 17:50 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-04 22:31 . 2010-01-04 22:31 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2010-01-04 22:31 . 2010-01-04 22:31 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\finish.exe
2010-01-04 22:31 . 2010-01-04 22:31 175104 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\reduced_contents_PrintCreation_expanded\setup.exe
2010-01-04 22:24 . 2010-01-04 22:24 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
2010-01-04 22:22 . 2010-01-04 22:22 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\start.exe
2010-01-04 22:22 . 2010-01-04 22:22 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_1e6d8995\EasyShrx.Dll
2010-01-04 22:22 . 2010-01-04 22:22 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.0.30.1.dll
2009-12-08 10:57 . 2009-12-08 10:57 3265376 ----a-w- c:\program files\openoffice-impress.apgwba01.78.exe
2009-11-17 04:52 . 2009-11-17 04:52 1079084 ----a-w- c:\program files\yahoomailuploader_0.5.exe
2005-05-26 20:35 . 2009-12-30 00:21 1422 ----a-w- c:\program files\ReadMe.txt
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2A2595C-4FE4-4315-AA9B-19DBD6271B71}]
2009-10-08 03:01 288056 ----a-w- c:\program files\PriceGong\1.5.0\PriceGongIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2009-11-10 5244216]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-22 185896]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"FaxCenterServer"="c:\program files\\Lexmark Fax Solutions\fm3032.exe" [2007-07-16 311984]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2003-03-31 208953]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-02-13 44032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"PRISMSVR.EXE"="c:\windows\System32\PRISMSVR.EXE" [2004-04-14 290905]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
2Wire Wireless Client.lnk - c:\program files\2Wire 802.11g Wireless\PRISMCFG.EXE [2010-3-16 335979]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Button Manager v1.836.lnk - c:\program files\INITIO\Button Manager v1.836\inihid.exe [2009-12-29 192512]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2009-7-10 323584]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
TotalMedia Backup Monitor.lnk - c:\program files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe [2010-1-2 270336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk
backup=c:\windows\pss\IMStart.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-29 13:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2003-04-04 04:35 50176 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-06-21 21:44 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-08 00:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-06-05 18:39 292136 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 21:44 61440 ----a-w- c:\hp\KBD\kbd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
2003-09-13 03:13 98304 ----a-w- c:\windows\system32\ps2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 22:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-14 04:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2003-12-18 07:31 118784 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-04-02 08:49 32881 ----a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-02-22 04:45 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdiwbgw.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100312.001\IDSXpx86.sys [3/19/2010 11:04 AM 329592]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [1/23/2008 2:19 AM 501560]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [8/30/2009 12:25 PM 99248]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe [2/2/2010 3:49 AM 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 6:46 AM 102448]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [1/2/2008 9:17 PM 347648]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008000.029\SymEFA.sys [2/2/2010 3:49 AM 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008000.029\BHDrvx86.sys [2/2/2010 3:49 AM 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008000.029\cchpx86.sys [2/2/2010 3:49 AM 482432]
S2 mrtRate;mrtRate; [x]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 4:19 PM 13592]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [7/31/2006 6:44 AM 580992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\Norton Security Scan for Owner.job
- c:\program files\Norton Security Scan\Norton Security Scan\Engine\2.7.0.52\Nss.exe [2009-12-12 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://m.www.yahoo.com/?fr=fptb-hpd04
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-21 23:35
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\windows\System32\ODBC32.dll
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\msctfime.ime

- - - - - - - > 'lsass.exe'(944)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(2408)
c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
c:\windows\System32\msctfime.ime
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\System32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\windows\system32\lxdicoms.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\system32\msiexec.exe
c:\windows\System32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-03-21 23:43:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-22 05:43
ComboFix2.txt 2010-03-19 18:17

Pre-Run: 259,264,954,368 bytes free
Post-Run: 259,220,230,144 bytes free

- - End Of File - - AFFA7C85C18A15F85A15101D39CABDD8


Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 23:51:20.96 on Sun 03/21/2010
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.2039.1386 [GMT -6:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdiserv.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdimon.exe
C:\Program Files\Lexmark 3500-4500 Series\lxdiamon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\System32\PRISMSVR.EXE
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
C:\Program Files\INITIO\Button Manager v1.836\inihid.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\ArcSoft\TotalMedia Backup & Record\uBBMonitor.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/?fr=fptb-hpd04
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realone player\rpbrowserrecordplugin.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: PriceGongCtrl Class: {d2a2595c-4fe4-4315-aa9b-19dbd6271b71} - c:\program files\pricegong\1.5.0\PriceGongIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [lxdimon.exe] "c:\program files\lexmark 3500-4500 series\lxdimon.exe"
mRun: [lxdiamon] "c:\program files\lexmark 3500-4500 series\lxdiamon.exe"
mRun: [FaxCenterServer] "c:\program files\\lexmark fax solutions\fm3032.exe" /s
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [PRISMSVR.EXE] "c:\windows\system32\PRISMSVR.EXE" /APPLY
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\2wirew~1.lnk - c:\program files\2wire 802.11g wireless\PRISMCFG.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\button~1.lnk - c:\program files\initio\button manager v1.836\inihid.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\totalm~1.lnk - c:\program files\arcsoft\totalmedia backup & record\uBBMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} - hxxp://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188423276666
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1206216674015
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100312.001\IDSXpx86.sys [2010-3-19 329592]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 607576]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\ACEDRV11.sys [2008-1-23 501560]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2009-8-30 99248]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-28 102448]
R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\drivers\WlanUIG.sys [2008-1-2 347648]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-2 310320]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-2 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-2 482432]
S2 mrtRate;mrtRate; [x]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-7-31 580992]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100320.022\naveng.sys [2010-3-20 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100320.022\navex15.sys [2010-3-20 1324720]

=============== Created Last 30 ================

2010-03-19 17:57:23 98816 ----a-w- c:\windows\sed.exe
2010-03-19 17:57:23 77312 ----a-w- c:\windows\MBR.exe
2010-03-19 17:57:23 261632 ----a-w- c:\windows\PEV.exe
2010-03-19 17:57:23 161792 ----a-w- c:\windows\SWREG.exe
2010-03-19 15:17:36 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-03-19 15:17:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 15:17:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-19 15:17:29 18520 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 15:17:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-17 08:44:09 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-03-17 05:28:18 217816 ----a-w- c:\windows\system32\wuaucpl.cpl
2010-03-17 05:13:16 290905 ----a-w- c:\windows\system32\PRISMSVR.exe
2010-03-17 05:13:16 0 d-----w- c:\program files\2Wire 802.11g Wireless
2010-03-17 03:09:22 552 ----a-w- c:\windows\system32\d3d8caps.dat

==================== Find3M ====================

2010-01-14 17:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-08 10:57:40 3265376 ----a-w- c:\program files\openoffice-impress.apgwba01.78.exe
2009-11-17 04:52:11 1079084 ----a-w- c:\program files\yahoomailuploader_0.5.exe
2005-05-26 20:35:42 1422 ----a-w- c:\program files\ReadMe.txt

============= FINISH: 23:51:33.43 ===============

Attached Files


Edited by Patiszerg, 21 March 2010 - 12:12 PM.


#14 sempai

sempai

    noypi


  • Malware Response Team
  • 5,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3 stars and a sun
  • Local time:04:26 PM

Posted 22 March 2010 - 05:57 AM

Hi,

asksbar / ask toolbar warning:
I strongly suggest that you uninstall asksbar. Some of the bad practices of this toolbar are:
  1. Promoting its toolbars on sites targeted to kids. Details.
  2. Promoting its toolbars through ads that appear to be part of other companies' sites. Details.
  3. Promoting its toolbars through other companies' spyware. Details.
  4. Installing without any disclosure whatsoever and without any consent whatsoever. Details.
  5. Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link. Details.
  6. Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit. Details.
Please read the full details HERE.

If you decided to remove Ask Toolbar. Go to Start > Control Panel > Add Remove programs and remove asksbar.
Then go to C: > Program Files and delete asksbar folder.



++++++++++++++++++++++++++


1. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  • Please click this link-->Jotti
  • When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
    c:\windows\system32\qmgr.dll
  • Please post back the results of the scan in your next post.
  • If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/



2. Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :filefind
    wscntfy.exe
    xmlprov.dll
    ip6fw.sys
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply



3. Please go to Kaspersky website and perform an online antivirus scan.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply .



~Semp

~Semp

btn_donate_LG.gif
You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied within 5 days will be close. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#15 Patiszerg

Patiszerg
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:04:26 AM

Posted 22 March 2010 - 12:34 PM

qmgr.dll checked out perfect at virustotal.

Here is the log from SystemLook:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 00:09 on 23/03/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "wscntfy.exe"
C:\WINDOWS\system32\wscntfy.exe ------ 13824 bytes [07:56 04/08/2004] [00:12 14/04/2008] F92E1076C42FCD6DB3D72D8CFE9816D5

Searching for "xmlprov.dll"
C:\WINDOWS\system32\xmlprov.dll ------ 129024 bytes [07:56 04/08/2004] [00:12 14/04/2008] 295D21F14C335B53CB8154E5B1F892B9

Searching for "ip6fw.sys"
C:\WINDOWS\system32\drivers\ip6fw.sys ------ 36608 bytes [06:00 04/08/2004] [18:53 13/04/2008] 3BB22519A194418D5FEC05D800A19AD0

-=End Of File=-



The Kaspersky website was difficult to load but once it finally went through it says it requires Java Framework version 1.5 or higher. Would you like me to go ahead and update Java?

Few more things to update you on. Svchost.exe came back running the CPU at 100% and also Norton came back with those errors again (error code: 0x00000001 and Auto protect error code 0.0000003E8). I think the one time Norton did not display the errors is when it was disabled for combofix.

Edited by Patiszerg, 22 March 2010 - 03:14 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users