slow computer (hijack inside) (In Progress)

muppy03
Senior Member with 1,881 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
09-Jul-2009, 05:54 AM #16
Hello!

How is the computer running now?

Please go to Virus Total <http://www.virustotal.com/> or Jotti
and upload c:\windows\system32\drivers\bvfadxvt.sys for scanning.
For Virus Total
1. Please copy and paste c:\windows\system32\drivers\bvfadxvt.sys in the text box next to the Browse button.
2. Click on Send File.
For Jotti
1. Please copy and paste c:\windows\system32\drivers\bvfadxvt.sys in the text box next to the Browse button.
2. Click on Submit.

Repeat for the below file/s:
c:\windows\Lmeci.bin
c:\windows\Lmeci.binLmeci.bin
c:\windows\Lhomoge.dat


Please post back the results of the scan in your next post.

  • Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab.
    Uncheck and Delete everything you find in there. (Except for "My Current Home Page.")

Open Hijack This and select Do a System Scan Only, then place a check next to the below lines if still present:
  • O24 - Desktop Component 0: My Current Home Page - About:Home

Once selected, close all windows except HJT and click on Fix Checked.

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Please delete the copy you have and download the latest version from one of these locations:

Link 1
Link 2
Link 3

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    c:\windows\2232132.bat
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with:-
  • Jotti results
  • Combofix log
  • New HJT log
__________________
Teacher - Malware Removal University - You too could train to help others

Topics not replied to within 3 days will be removed from my Subscribed Threads List
buda18
Member with 127 posts.
 
Join Date: Jan 2004
10-Jul-2009, 04:04 AM #17
Before I go any further: I tried Virus Total and Jotti, but after I click on "send file" it would take me to a white page and say that 0 bytes have been transferred. I tried to manually find those files you posted to see if I even have those, and I couldn't find them at those locations. With Jotti, after I clicked on "submit file", next to "Status" it says "no file uploaded".

Also, I deleted the O24 file from HJT and now my background picture is all grey.
muppy03
Senior Member with 1,881 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
10-Jul-2009, 09:57 AM #18
I am sorry, I forgot to change everything back to I:\ and had posted the files showing C:\. Try Virus total or Jotti again using the correct drive.

Are you able to change your background picture at all?


Please go to Virus Total <http://www.virustotal.com/> or Jotti
and upload I:\windows\system32\drivers\bvfadxvt.sys for scanning.
For Virus Total
1. Please copy and paste I:\windows\system32\drivers\bvfadxvt.sys in the text box next to the Browse button.
2. Click on Send File.
For Jotti
1. Please copy and paste c:\windows\system32\drivers\bvfadxvt.sys in the text box next to the Browse button.
2. Click on Submit.

Repeat for the below file/s:
I:\windows\Lmeci.bin
I:\windows\Lmeci.binLmeci.bin
I:\windows\Lhomoge.dat


Please post back the results of the scan in your next post.



COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Please delete the copy you have and download the latest version from one of these locations:

Link 1
Link 2
Link 3

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    I:\windows\2232132.bat
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with:-
  • Jotti results
  • Combofix log
  • New HJT log
buda18
Member with 127 posts.
 
Join Date: Jan 2004
11-Jul-2009, 12:10 AM #19
Yeah, the background changed once I restarted my computer.

I tried looking for the I:\windows\system32\drivers\bvfadxvt.sys file on my computer manually and I couldn't find it. VirusTotal couldn't find it either.

However, the other three files are on my computer; I just didn't know if I should proceed with those before taking care of the I:\windows\system32\drivers\bvfadxvt.sys file.
muppy03
Senior Member with 1,881 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
11-Jul-2009, 01:34 AM #20
Quote:
I tried looking for the I:\windows\system32\drivers\bvfadxvt.sys file on my computer manually and I couldn't find it. VirusTotal couldn't find it either.
That's fine. I would say it's a leftover, but I wanted to make sure.

The other files I asked you to check, please still do that unless you know what they are.

You can also do the CF script.

Post logs in your reply.
buda18
Member with 127 posts.
 
Join Date: Jan 2004
13-Jul-2009, 02:19 AM #21
ComboFix 09-07-12.03 - Vahab 07/12/2009 23:18.7.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.586 [GMT -5:00]
Running from: i:\documents and settings\Vahab\Desktop\ComboFix.exe
Command switches used :: i:\documents and settings\Vahab\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"c:\windows\2232132.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\khkha.exe
i:\windows\system32\wbem\proquota.exe

i:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-08 18:59 . 2009-07-08 19:08 -------- d-----w- I:\New Folder
2009-07-08 09:46 . 2009-07-08 09:46 -------- d-----w- I:\rsit
2009-07-05 09:48 . 2009-07-05 09:48 -------- d-----w- I:\Big Bang Theory S02 Full
2009-06-23 20:01 . 2009-06-23 20:50 -------- d-----w- I:\Ben Kweller - Changing Horses - 2009 (rhsiv)
2009-06-23 09:05 . 2009-06-23 09:05 0 ----a-w- i:\windows\2232132.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 04:07 . 2008-07-01 12:44 -------- d-----w- i:\documents and settings\All Users\Application Data\Google Updater
2009-07-08 08:45 . 2008-12-19 21:24 -------- d-----w- i:\program files\Malwarebytes' Anti-Malware
2009-07-08 08:45 . 2009-03-01 18:24 3561743 ----a-w- i:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 16:27 . 2008-12-19 21:24 38160 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2008-12-19 21:24 19096 ----a-w- i:\windows\system32\drivers\mbam.sys
2009-06-10 19:00 . 2009-05-07 19:23 1290584 ----a-w- i:\documents and settings\All Users\Application Data\Symantec\SyKnAppS\SyKnAppS.dll
2009-06-10 19:00 . 2009-05-07 19:23 149768 ----a-w- i:\windows\system32\drivers\WpsHelper.sys
2009-06-10 14:42 . 2008-09-15 01:27 -------- d-----w- i:\program files\SUPERAntiSpyware
2009-06-10 13:36 . 2009-06-10 13:33 -------- d-----w- i:\program files\Common Files\Symantec Shared
2009-06-10 13:36 . 2009-06-10 13:33 -------- d-----w- i:\documents and settings\All Users\Application Data\Symantec
2009-06-10 13:35 . 2009-06-10 13:33 -------- d-----w- i:\program files\Symantec
2009-06-10 13:35 . 2009-06-10 13:34 805 ----a-w- i:\windows\system32\drivers\SYMEVENT.INF
2009-06-10 13:35 . 2009-06-10 13:34 60800 ----a-w- i:\windows\system32\S32EVNT1.DLL
2009-06-10 13:35 . 2009-06-10 13:34 123952 ----a-w- i:\windows\system32\drivers\SYMEVENT.SYS
2009-06-10 13:35 . 2009-06-10 13:34 10563 ----a-w- i:\windows\system32\drivers\SYMEVENT.CAT
2009-05-24 21:38 . 2008-03-25 05:26 -------- d-----w- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-15 16:30 . 2009-04-02 06:28 -------- d-----w- i:\documents and settings\Vahab\Application Data\Vso
2009-05-15 16:29 . 2009-04-02 06:28 -------- d-----w- i:\documents and settings\All Users\Application Data\Vso
2009-04-22 17:53 . 2009-04-22 17:53 107088 ----a-w- i:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-22 17:48 . 2009-04-22 17:45 52770576 ----a-w- i:\documents and settings\Vahab\Application Data\Sony Setup\64993CD0-67D1-4244-A2BC-FD73F4DA5B62\dotnetfx3.exe
2009-04-18 07:52 . 2009-04-09 02:30 0 ----a-w- i:\windows\Lmeci.bin
2009-04-17 02:56 . 2009-04-17 02:56 0 ----a-w- i:\windows\Lmeci.binLmeci.bin
2009-04-16 21:27 . 2009-04-09 02:30 408 ----a-w- i:\windows\Lhomoge.dat
2008-05-30 19:37 . 2008-05-30 19:37 148847 ----a-w- i:\program files\DEC2006_XACT_x86.cab
2008-05-30 19:36 . 2008-05-30 19:36 13267416 ----a-w- i:\program files\dxnt.cab
2008-05-30 19:36 . 2008-05-30 19:36 4165878 ----a-w- i:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 19:36 . 2008-05-30 19:36 1805306 ----a-w- i:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 19:36 . 2008-05-30 19:36 1803408 ----a-w- i:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 19:34 . 2008-05-30 19:34 528392 ----a-w- i:\program files\DXSETUP.exe
2009-04-02 01:04 . 2009-04-02 01:04 61038 ----a-w- i:\program files\mozilla firefox\components\jar50.dll
2009-04-02 01:04 . 2009-04-02 01:04 49256 ----a-w- i:\program files\mozilla firefox\components\jsd3250.dll
2009-04-02 01:04 . 2009-04-02 01:04 166000 ----a-w- i:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 i:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 i:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 i:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D i:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E i:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-04 04:14 359040 9F4B36614A0FC234525BA224957DE55C i:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 i:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-07-08 03:23 360064 90CAFF4B094573449A0872A0F919B178 i:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 i:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2008-10-22 03:11 360320 3ADCE4790F591BF160A94F6F08039577 i:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-10-22 03:11 360320 3ADCE4790F591BF160A94F6F08039577 i:\windows\system32\drivers\TCPIP.SYS

.
((((((((((((((((((((((((((((( SnapShot@2009-07-08_19.21.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-13 04:07 . 2009-07-13 04:07 16384 i:\windows\Temp\Perflib_Perfdata_678.dat
+ 2009-07-13 04:07 . 2009-07-13 04:07 16384 i:\windows\Temp\Perflib_Perfdata_5c4.dat
+ 2007-10-06 00:45 . 2009-07-13 04:13 32768 i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-06 00:45 . 2009-07-08 17:24 32768 i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-06 00:45 . 2009-07-13 04:13 32768 i:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-10-06 00:45 . 2009-07-08 17:24 32768 i:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2004-03-11 4841472]
"LVCOMS"="i:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="i:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="i:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"TkBellExe"="i:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-21 180269]
"VAIO Update 3"="i:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-05-16 551032]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2008-08-25 144792]
"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ccApp"="i:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-07 115560]
"AGRSMMSG"="AGRSMMSG.exe" - i:\windows\AGRSMMSG.exe [2003-05-23 88363]
"BluetoothAuthenticationAgent"="bthprops.cpl" - i:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="i:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - i:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\AIM\\aim.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"i:\\Program Files\\BitLord\\BitLord.exe"=
"i:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"i:\\Program Files\\MSN Messenger\\livecall.exe"=
"i:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"i:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"i:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"i:\\WINDOWS\\system32\\spoolsv.exe"=
"i:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"i:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"i:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"i:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:sys

R2 Viewpoint Manager Service;Viewpoint Manager Service;i:\program files\Viewpoint\Common\ViewpointService.exe [10/6/2007 1:26 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;i:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2009 8:36 PM 101936]
S0 acvvb;acvvb;i:\windows\system32\drivers\bvfadxvt.sys --> i:\windows\system32\drivers\bvfadxvt.sys [?]
S2 gmxfwsvc;Onlineeye Firewall Service;"i:\program files\Onlineeye\gmxffcsrv.exe" -service --> i:\program files\Onlineeye\gmxffcsrv.exe [?]
S3 COH_Mon;COH_Mon;i:\windows\system32\drivers\COH_Mon.sys [5/7/2009 2:23 PM 23888]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
szwnxoys
.
Contents of the 'Scheduled Tasks' folder

2009-06-30 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-07-13 i:\windows\Tasks\Google Software Updater.job
- i:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-16 07:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - i:\documents and settings\Vahab\Application Data\Mozilla\Firefox\Profiles\djbdybif.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: i:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-12 23:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-13 23:26
ComboFix-quarantined-files.txt 2009-07-13 04:26
ComboFix2.txt 2009-07-08 19:26

Pre-Run: 4,820,205,568 bytes free
Post-Run: 4,812,328,960 bytes free

181 --- E O F --- 2009-02-12 07:37
buda18
Member with 127 posts.
 
Join Date: Jan 2004
13-Jul-2009, 02:21 AM #22
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:32 AM, on 7/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
I:\Program Files\Java\jre6\bin\jusched.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
I:\Program Files\Viewpoint\Common\ViewpointService.exe
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\explorer.exe
I:\Program Files\AIM\aim.exe
I:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] I:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] I:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] I:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VAIO Update 3] "I:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] I:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] I:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - I:\Program Files\AIM\aim.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - I:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - I:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Onlineeye Firewall Service (gmxfwsvc) - Unknown owner - I:\Program Files\Onlineeye\gmxffcsrv.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - I:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - I:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - I:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - I:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SonicStage Back-End Service - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - I:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - I:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7545 bytes
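A triage pass over entries in this HijackThis log format, added here as an example and not code from the thread or from HijackThis itself. The sample lines are constructed to mirror entries in the log above (the localhost:7171 proxy, the autorun under the SYSTEM hive, the service marked "file missing"), and the flagging rules are this example's own heuristics that a reviewer would still confirm by hand.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2 log shape; a handful of lines modelled on
# the log above, not the full log.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] I:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O23 - Service: Onlineeye Firewall Service (gmxfwsvc) - Unknown owner - I:\Program Files\Onlineeye\gmxffcsrv.exe (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Every HJT entry starts with a section code ("R1", "O4", "O23", ...) followed by " - ".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
LOOPBACK_RE = re.compile(r"(?i)\b(localhost|127\.0\.0\.1)\b")


@dataclass
class Entry:
    code: str
    body: str


@dataclass
class Finding:
    code: str
    reason: str
    entry: str


def parse_hjt(text: str) -> list[Entry]:
    """Split a HijackThis log into (code, body) entries."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Heuristic review rules (this example's own) for entries that deserve a second look."""
    findings: list[Finding] = []
    for e in entries:
        line = f"{e.code} - {e.body}"
        if e.code == "R1" and "ProxyServer" in e.body:
            # Body reads "...,ProxyServer = http=localhost:7171"; keep what follows the first "=".
            _, _, value = e.body.partition("=")
            value = value.strip()
            if LOOPBACK_RE.search(value):
                findings.append(Finding(e.code, "IE proxy points at the local machine (a local interception proxy)", line))
            else:
                findings.append(Finding(e.code, f"IE proxy configured: {value}", line))
        elif e.code == "O4" and "S-1-5-18" in e.body:
            findings.append(Finding(e.code, "autorun registered under the SYSTEM account's hive (HKU\\S-1-5-18)", line))
        elif e.code == "O23":
            if "(file missing)" in e.body:
                findings.append(Finding(e.code, "service registered for a binary that no longer exists", line))
            if "Unknown owner" in e.body:
                findings.append(Finding(e.code, "service binary carries no publisher information", line))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"[{f.code}] {f.reason}\n    {f.entry}")
```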
buda18
Member with 127 posts.
 
Join Date: Jan 2004
13-Jul-2009, 02:23 AM #23
With the VirusTotal thing...
I:\windows\Lmeci.bin
I:\windows\Lmeci.binLmeci.bin
Those two files are on my computer, but when I submit them... it doesn't do anything and says 0 bytes uploaded. I have no idea what they are; can I just delete them?

When I submitted the I:\windows\Lhomoge.dat file, it did its thing and said it "found nothing" for all the virus scans (I'm assuming).
muppy03
Senior Member with 1,881 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
13-Jul-2009, 06:27 AM #24
Quote:
With the VirusTotal thing...
I:\windows\Lmeci.bin
I:\windows\Lmeci.binLmeci.bin
Those two files are on my computer, but when I submit them... it doesn't do anything and says 0 bytes uploaded. I have no idea what they are; can I just delete them?

When I submitted the I:\windows\Lhomoge.dat file, it did its thing and said it "found nothing" for all the virus scans (I'm assuming).
Just leave this for now, I want to check it out some more.

In the meantime, Onlineeye Firewall Service: is this something you no longer use?

Also, you are missing a system file, so I want to see if you have another hiding on the machine.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :Filefind
    Proquota.ex*
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Also, how is the computer running now? What problems are you still having?


Please reply with:-
  • System look file
  • Answer to questions
buda18
Member with 127 posts.
 
Join Date: Jan 2004
15-Jul-2009, 02:55 AM #25
I have no idea what Onlineeye Firewall Service is, so we can go ahead and delete that.
Computer seems to be running fine. Not really having any more problems. Can't think of any symptoms that the computer is having.

_______________

SystemLook v1.0 by jpshortstuff (22.05.09)

Log created at 00:51 on 15/07/2009 by Vahab (Administrator - Elevation successful)

========== Filefind ==========

Searching for "Proquota.ex*"

I:\Qoobox\Quarantine\I\WINDOWS\system32\wbem\proquota.exe.vir --a--- 36352 bytes [05:56 04/08/2004] [05:56 04/08/2004] 34128FAC873ED999EF8BDC6AB5838327

I:\WINDOWS\Prefetch\PROQUOTA.EXE-3B58FD9A.pf --a--- 45746 bytes [12:14 11/07/2009] [05:50 15/07/2009] 643D59B3AF59F40A86FFF6EAE3FB5CD7

I:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --a--- 50176 bytes [00:11 21/01/2009] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

I:\WINDOWS\system32\wbem\proquota.exe --a--- 36352 bytes [05:56 04/08/2004] [05:56 04/08/2004] 17BFE7CE4363BA78220EF2353760BB33

-=End Of File=-
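Before restoring a system file from whichever copy happens to be on disk, a practitioner would compare the copies SystemLook found: which are real binaries, whether they agree with each other, and whether the expected location is populated. The parser below is an added example, not SystemLook's own code and not from the thread; its sample is constructed in the Filefind output shape using the four proquota.exe entries from the log above, and the checks (prefetch exclusion, size/hash conflict, expected path) are the example's own.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in SystemLook :Filefind output shape. Paths, sizes, timestamps and
# MD5s reproduce the four entries reported in the log above.
SAMPLE_SYSTEMLOOK = r"""
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 00:51 on 15/07/2009 by Vahab (Administrator - Elevation successful)

========== Filefind ==========

Searching for "Proquota.ex*"
I:\Qoobox\Quarantine\I\WINDOWS\system32\wbem\proquota.exe.vir --a--- 36352 bytes [05:56 04/08/2004] [05:56 04/08/2004] 34128FAC873ED999EF8BDC6AB5838327
I:\WINDOWS\Prefetch\PROQUOTA.EXE-3B58FD9A.pf --a--- 45746 bytes [12:14 11/07/2009] [05:50 15/07/2009] 643D59B3AF59F40A86FFF6EAE3FB5CD7
I:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --a--- 50176 bytes [00:11 21/01/2009] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8
I:\WINDOWS\system32\wbem\proquota.exe --a--- 36352 bytes [05:56 04/08/2004] [05:56 04/08/2004] 17BFE7CE4363BA78220EF2353760BB33

-=End Of File=-
"""

# One Filefind hit: <path> <attrs> <size> bytes [<modified>] [<created>] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass
class FileHit:
    path: str
    size: int
    md5: str

    @property
    def is_binary(self) -> bool:
        # A prefetch (.pf) entry is a trace of execution, not a copy of the program.
        # ComboFix's quarantine keeps the original content under a .vir suffix.
        return self.path.lower().endswith((".exe", ".exe.vir"))


def parse_filefind(text: str) -> list[FileHit]:
    """Extract the per-file hits from a :Filefind section; other lines are ignored."""
    hits: list[FileHit] = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append(FileHit(m.group("path"), int(m.group("size")), m.group("md5").upper()))
    return hits


def binaries(hits: list[FileHit]) -> list[FileHit]:
    return [h for h in hits if h.is_binary]


def by_md5(hits: list[FileHit]) -> dict[str, list[str]]:
    """Group paths by content hash; copies that share a key are byte-identical."""
    groups: dict[str, list[str]] = defaultdict(list)
    for h in hits:
        groups[h.md5].append(h.path)
    return dict(groups)


def same_size_different_hash(hits: list[FileHit]) -> list[tuple[str, str]]:
    """Pairs of binary copies with identical size but different content: a size match alone
    says nothing, so these are the copies that need a known-good hash to tell apart."""
    bins = binaries(hits)
    return [
        (a.path, b.path)
        for i, a in enumerate(bins)
        for b in bins[i + 1:]
        if a.size == b.size and a.md5 != b.md5
    ]


def present(hits: list[FileHit], path: str) -> bool:
    """Case-insensitive check whether a specific path was among the hits."""
    want = path.lower()
    return any(h.path.lower() == want for h in hits)


if __name__ == "__main__":
    hits = parse_filefind(SAMPLE_SYSTEMLOOK)
    for md5, paths in by_md5(hits).items():
        print(md5, paths)
    print("conflicts:", same_size_different_hash(hits))
    # The location the ComboFix log above reported as missing.
    print("system32 copy present:", present(hits, r"I:\WINDOWS\system32\proquota.exe"))
```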
muppy03
Senior Member with 1,881 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
15-Jul-2009, 04:46 AM #26
Quote:
Computer seems to be running fine. Not really having any more problems. Can't think of any symptoms that the computer is having.
Excellent!


Open Hijack This and select Do a System Scan Only, then place a check next to the below lines if still present:
  • O23 - Service: Onlineeye Firewall Service (gmxfwsvc) - Unknown owner - C:\Program Files\Onlineeye\gmxffcsrv.exe (file missing)

Once selected, close all windows except HJT and click on Fix Checked.
***************

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Please delete the copy you have and download the latest version from one of these locations:

Link 1
Link 2
Link 3

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    I:\windows\2232132.bat
    i:\windows\system32\drivers\bvfadxvt.sys
    i:\program files\Onlineeye\gmxffcsrv.exe
    
    Driver::
    acvvb
    gmxfwsvc 
    
    Fcopy::
    I:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe | i:\windows\system32\proquota.exe
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 14.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 14
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u14-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version, Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Please reply with:-
  • Combofix log
  • New HJT log
__________________
Teacher - Malware Removal University - You too could train to help others

Topics not replied to within 3 days will be removed from my Subscribed Threads List
buda18's Avatar
Member with 127 posts.
 
Join Date: Jan 2004
16-Jul-2009, 07:04 PM #27
ComboFix 09-07-14.08 - Vahab 07/15/2009 22:36.8.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.601 [GMT -5:00]
Running from: i:\documents and settings\Vahab\Desktop\ComboFix.exe
Command switches used :: i:\documents and settings\Vahab\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"i:\program files\Onlineeye\gmxffcsrv.exe"
"i:\windows\2232132.bat"
"i:\windows\system32\drivers\bvfadxvt.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\windows\2232132.bat
i:\windows\system32\wbem\proquota.exe

.
--------------- FCopy ---------------

i:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\proquota.exe --> i:\windows\system32\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GMXFWSVC
-------\Service_acvvb
-------\Service_gmxfwsvc


((((((((((((((((((((((((( Files Created from 2009-06-16 to 2009-07-16 )))))))))))))))))))))))))))))))
.

2009-07-16 03:36 . 2008-04-14 00:12 50176 ----a-w- i:\windows\system32\proquota.exe
2009-07-08 18:59 . 2009-07-08 19:08 -------- d-----w- I:\New Folder
2009-07-08 09:46 . 2009-07-08 09:46 -------- d-----w- I:\rsit
2009-07-05 09:48 . 2009-07-05 09:48 -------- d-----w- I:\Big Bang Theory S02 Full
2009-06-23 20:01 . 2009-06-23 20:50 -------- d-----w- I:\Ben Kweller - Changing Horses - 2009 (rhsiv)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-16 00:49 . 2008-05-08 04:14 1878984 ----a-w- i:\documents and settings\Vahab\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-07-15 21:12 . 2008-07-01 12:44 -------- d-----w- i:\documents and settings\All Users\Application Data\Google Updater
2009-07-08 08:45 . 2008-12-19 21:24 -------- d-----w- i:\program files\Malwarebytes' Anti-Malware
2009-07-08 08:45 . 2009-03-01 18:24 3561743 ----a-w- i:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 16:27 . 2008-12-19 21:24 38160 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2008-12-19 21:24 19096 ----a-w- i:\windows\system32\drivers\mbam.sys
2009-06-10 19:00 . 2009-05-07 19:23 1290584 ----a-w- i:\documents and settings\All Users\Application Data\Symantec\SyKnAppS\SyKnAppS.dll
2009-06-10 19:00 . 2009-05-07 19:23 149768 ----a-w- i:\windows\system32\drivers\WpsHelper.sys
2009-06-10 14:42 . 2008-09-15 01:27 -------- d-----w- i:\program files\SUPERAntiSpyware
2009-06-10 13:36 . 2009-06-10 13:33 -------- d-----w- i:\program files\Common Files\Symantec Shared
2009-06-10 13:36 . 2009-06-10 13:33 -------- d-----w- i:\documents and settings\All Users\Application Data\Symantec
2009-06-10 13:35 . 2009-06-10 13:33 -------- d-----w- i:\program files\Symantec
2009-06-10 13:35 . 2009-06-10 13:34 805 ----a-w- i:\windows\system32\drivers\SYMEVENT.INF
2009-06-10 13:35 . 2009-06-10 13:34 60800 ----a-w- i:\windows\system32\S32EVNT1.DLL
2009-06-10 13:35 . 2009-06-10 13:34 123952 ----a-w- i:\windows\system32\drivers\SYMEVENT.SYS
2009-06-10 13:35 . 2009-06-10 13:34 10563 ----a-w- i:\windows\system32\drivers\SYMEVENT.CAT
2009-05-24 21:38 . 2008-03-25 05:26 -------- d-----w- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-22 17:53 . 2009-04-22 17:53 107088 ----a-w- i:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-22 17:48 . 2009-04-22 17:45 52770576 ----a-w- i:\documents and settings\Vahab\Application Data\Sony Setup\64993CD0-67D1-4244-A2BC-FD73F4DA5B62\dotnetfx3.exe
2009-04-18 07:52 . 2009-04-09 02:30 0 ----a-w- i:\windows\Lmeci.bin
2008-05-30 19:37 . 2008-05-30 19:37 148847 ----a-w- i:\program files\DEC2006_XACT_x86.cab
2008-05-30 19:36 . 2008-05-30 19:36 13267416 ----a-w- i:\program files\dxnt.cab
2008-05-30 19:36 . 2008-05-30 19:36 4165878 ----a-w- i:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 19:36 . 2008-05-30 19:36 1805306 ----a-w- i:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 19:36 . 2008-05-30 19:36 1803408 ----a-w- i:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 19:34 . 2008-05-30 19:34 528392 ----a-w- i:\program files\DXSETUP.exe
2009-04-02 01:04 . 2009-04-02 01:04 61038 ----a-w- i:\program files\mozilla firefox\components\jar50.dll
2009-04-02 01:04 . 2009-04-02 01:04 49256 ----a-w- i:\program files\mozilla firefox\components\jsd3250.dll
2009-04-02 01:04 . 2009-04-02 01:04 166000 ----a-w- i:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 i:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 i:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 i:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D i:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E i:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-04 04:14 359040 9F4B36614A0FC234525BA224957DE55C i:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 i:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-07-08 03:23 360064 90CAFF4B094573449A0872A0F919B178 i:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 i:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2008-10-22 03:11 360320 3ADCE4790F591BF160A94F6F08039577 i:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-10-22 03:11 360320 3ADCE4790F591BF160A94F6F08039577 i:\windows\system32\drivers\TCPIP.SYS

.
((((((((((((((((((((((((((((( SnapShot@2009-07-08_19.21.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-16 03:45 . 2009-07-16 03:45 16384 i:\windows\Temp\Perflib_Perfdata_7f0.dat
+ 2009-07-16 03:45 . 2009-07-16 03:45 16384 i:\windows\Temp\Perflib_Perfdata_5a8.dat
+ 2009-07-14 06:58 . 2009-07-15 21:16 32768 i:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-06 00:45 . 2009-07-15 21:16 32768 i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-06 00:45 . 2009-07-08 17:24 32768 i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-06 00:45 . 2009-07-15 21:16 32768 i:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-10-06 00:45 . 2009-07-08 17:24 32768 i:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2004-03-11 4841472]
"LVCOMS"="i:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="i:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="i:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"TkBellExe"="i:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-21 180269]
"VAIO Update 3"="i:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-05-16 551032]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2008-08-25 144792]
"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"ccApp"="i:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-07 115560]
"AGRSMMSG"="AGRSMMSG.exe" - i:\windows\AGRSMMSG.exe [2003-05-23 88363]
"BluetoothAuthenticationAgent"="bthprops.cpl" - i:\windows\system32\bthprops.cpl [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="i:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - i:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\AIM\\aim.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"i:\\Program Files\\BitLord\\BitLord.exe"=
"i:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"i:\\Program Files\\MSN Messenger\\livecall.exe"=
"i:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"i:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"i:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"i:\\WINDOWS\\system32\\spoolsv.exe"=
"i:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"i:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"i:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"i:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:sys

R2 Viewpoint Manager Service;Viewpoint Manager Service;i:\program files\Viewpoint\Common\ViewpointService.exe [10/6/2007 1:26 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;i:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2009 8:36 PM 101936]
S3 COH_Mon;COH_Mon;i:\windows\system32\drivers\COH_Mon.sys [5/7/2009 2:23 PM 23888]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
szwnxoys
.
Contents of the 'Scheduled Tasks' folder

2009-06-30 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-07-16 i:\windows\Tasks\Google Software Updater.job
- i:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-16 07:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
FF - ProfilePath - i:\documents and settings\Vahab\Application Data\Mozilla\Firefox\Profiles\djbdybif.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: i:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 22:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(840)
i:\windows\system32\WPDShServiceObj.dll
i:\windows\system32\PortableDeviceTypes.dll
i:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
i:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
i:\program files\Common Files\Symantec Shared\ccSvcHst.exe
i:\program files\Bonjour\mDNSResponder.exe
i:\program files\Java\jre6\bin\jqs.exe
i:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
i:\windows\system32\nvsvc32.exe
i:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
i:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
i:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-16 22:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-16 03:50
ComboFix2.txt 2009-07-13 04:26
ComboFix3.txt 2009-07-08 19:26

Pre-Run: 4,737,982,464 bytes free
Post-Run: 4,718,559,232 bytes free

207 --- E O F --- 2009-02-12 07:37
buda18's Avatar
Member with 127 posts.
 
Join Date: Jan 2004
16-Jul-2009, 07:04 PM #28
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:04:20 PM, on 7/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\AGRSMMSG.exe
I:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\Java\jre6\bin\jusched.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
I:\Program Files\Viewpoint\Common\ViewpointService.exe
I:\WINDOWS\system32\wscntfy.exe
I:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Mozilla Firefox\firefox.exe
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\msiexec.exe
I:\Program Files\AIM\aim.exe
I:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - I:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - I:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] I:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] I:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] I:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VAIO Update 3] "I:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] I:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] I:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = I:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - I:\Program Files\AIM\aim.exe
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - I:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - I:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - I:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - I:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - I:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - I:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - I:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SonicStage Back-End Service - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - I:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - I:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - I:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8139 bytes
muppy03's Avatar
Senior Member with 1,881 posts.
 
Join Date: Jun 2006
Location: Australia
Experience: gettin there
16-Jul-2009, 07:40 PM #29
Hi Buda18, I was hoping we were going to be finished, but your last HJT log shows infection yet again.

O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe


That is not good.

Please delete the Combofix from your desktop and download the latest version. Use the original instructions I posted and remember to disable your Antivirus protection.

Post the Combofix log and New HJT when done.
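The helper's call above rests on two observations from the posted logs: Windows runs from I:\ throughout, yet the two O4 entries launch C:\windows\ld12.exe and C:\windows\pp10.exe, and an earlier O23 service entry pointed at a binary reported "(file missing)". The following Python script is an added example, not code from the thread or from HijackThis: it applies those two checks to a constructed subset of the posted HJT lines, and the drive-letter heuristic and the severity labels are my own assumptions.

```python
r"""HijackThis O4/O23 triage, an added example (not the thread's or HijackThis's own code).

Heuristics, taken from what the helper acted on in this thread:
  * an O4 entry whose image sits on a drive other than the one Windows runs
    from (here C:\windows\ld12.exe and C:\windows\pp10.exe versus I:\WINDOWS);
  * an O23 service whose binary HijackThis reports as "(file missing)".
Entries are only reported for review; nothing is removed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [sysldtray] C:\windows\ld12.exe
O4 - HKLM\..\Run: [pp] C:\windows\pp10.exe
O23 - Service: Onlineeye Firewall Service (gmxfwsvc) - Unknown owner - C:\Program Files\Onlineeye\gmxffcsrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
"""

# First absolute Windows path in an entry; stops at a closing quote or at the
# comma that separates a rundll32 DLL from its entry point.
ABS_PATH = re.compile(r'[A-Za-z]:\\[^",]+')
# A process path under <drive>:\WINDOWS\ in the "Running processes" block.
WINDOWS_DIR = re.compile(r'^([A-Za-z]):\\WINDOWS\\', re.MULTILINE | re.IGNORECASE)
MISSING = "(file missing)"


@dataclass
class Finding:
    entry: str      # the HJT line as posted
    severity: str   # "high" = the kind of entry the helper removed; "info" = verify by hand
    reason: str


def system_drive(log_text: str) -> Optional[str]:
    """Drive letter of the Windows installation, inferred from running-process paths."""
    m = WINDOWS_DIR.search(log_text)
    return m.group(1).upper() if m else None


def image_path(entry: str) -> Optional[str]:
    """Path of the launched image (or the DLL handed to rundll32) in an O4/O23 entry."""
    m = ABS_PATH.search(entry.replace(MISSING, ""))
    return m.group(0).rstrip() if m else None


def triage(log_text: str) -> List[Finding]:
    """Apply the drive-letter and file-missing checks to every O4/O23 entry."""
    drive = system_drive(log_text)
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not (line.startswith("O4 - ") or line.startswith("O23 - ")):
            continue
        path = image_path(line)
        if line.startswith("O23 - ") and line.endswith(MISSING):
            findings.append(Finding(line, "high", "service binary is not on disk"))
        elif path is not None and drive is not None and path[0].upper() != drive:
            findings.append(Finding(line, "high",
                            f"image on {path[0].upper()}: but Windows runs from {drive}:"))
        elif path is None and line.startswith("O4 - "):
            findings.append(Finding(line, "info",
                            "bare image name resolved through PATH; confirm which file runs"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```

On the sample above the script reports the two C:\windows entries and the missing Onlineeye service binary as high, and AGRSMMSG.exe as an informational bare-name entry, which matches what the helper did and did not flag.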
buda18's Avatar
Member with 127 posts.
 
Join Date: Jan 2004
21-Jul-2009, 02:11 AM #30
ComboFix 09-07-20.04 - Vahab 07/21/2009 0:02.9.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.617 [GMT -5:00]
Running from: J:\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-06-21 to 2009-07-21 )))))))))))))))))))))))))))))))
.

2009-07-16 06:42 . 2009-07-16 06:42 1914000 ----a-w- i:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe
2009-07-16 06:42 . 2009-07-16 21:39 -------- d-----w- i:\documents and settings\All Users\Application Data\NOS
2009-07-16 06:42 . 2009-07-16 07:13 -------- d-----w- i:\program files\NOS
2009-07-16 03:36 . 2008-04-14 00:12 50176 ----a-w- i:\windows\system32\proquota.exe
2009-07-08 18:59 . 2009-07-08 19:08 -------- d-----w- I:\New Folder
2009-07-08 09:46 . 2009-07-08 09:46 -------- d-----w- I:\rsit
2009-07-05 09:48 . 2009-07-05 09:48 -------- d-----w- I:\Big Bang Theory S02 Full
2009-06-23 20:01 . 2009-06-23 20:50 -------- d-----w- I:\Ben Kweller - Changing Horses - 2009 (rhsiv)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 04:56 . 2008-07-01 12:44 -------- d-----w- i:\documents and settings\All Users\Application Data\Google Updater
2009-07-17 05:36 . 2007-10-06 01:40 17144 ----a-w- i:\documents and settings\Vahab\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-16 22:05 . 2007-10-22 04:31 -------- d-----w- i:\program files\MySpace
2009-07-16 22:03 . 2007-10-12 03:50 -------- d-----w- i:\program files\Common Files\Adobe
2009-07-16 21:49 . 2008-08-25 23:39 410984 ----a-w- i:\windows\system32\deploytk.dll
2009-07-16 21:49 . 2008-02-01 04:09 -------- d-----w- i:\program files\Java
2009-07-16 00:49 . 2008-05-08 04:14 1878984 ----a-w- i:\documents and settings\Vahab\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-07-08 08:45 . 2008-12-19 21:24 -------- d-----w- i:\program files\Malwarebytes' Anti-Malware
2009-07-08 08:45 . 2009-03-01 18:24 3561743 ----a-w- i:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 16:27 . 2008-12-19 21:24 38160 ----a-w- i:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2008-12-19 21:24 19096 ----a-w- i:\windows\system32\drivers\mbam.sys
2009-06-10 19:00 . 2009-05-07 19:23 1290584 ----a-w- i:\documents and settings\All Users\Application Data\Symantec\SyKnAppS\SyKnAppS.dll
2009-06-10 19:00 . 2009-05-07 19:23 149768 ----a-w- i:\windows\system32\drivers\WpsHelper.sys
2009-06-10 14:42 . 2008-09-15 01:27 -------- d-----w- i:\program files\SUPERAntiSpyware
2009-06-10 13:36 . 2009-06-10 13:33 -------- d-----w- i:\program files\Common Files\Symantec Shared
2009-06-10 13:36 . 2009-06-10 13:33 -------- d-----w- i:\documents and settings\All Users\Application Data\Symantec
2009-06-10 13:35 . 2009-06-10 13:33 -------- d-----w- i:\program files\Symantec
2009-06-10 13:35 . 2009-06-10 13:34 805 ----a-w- i:\windows\system32\drivers\SYMEVENT.INF
2009-06-10 13:35 . 2009-06-10 13:34 60800 ----a-w- i:\windows\system32\S32EVNT1.DLL
2009-06-10 13:35 . 2009-06-10 13:34 123952 ----a-w- i:\windows\system32\drivers\SYMEVENT.SYS
2009-06-10 13:35 . 2009-06-10 13:34 10563 ----a-w- i:\windows\system32\drivers\SYMEVENT.CAT
2009-05-24 21:38 . 2008-03-25 05:26 -------- d-----w- i:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-22 17:53 . 2009-04-22 17:53 107088 ----a-w- i:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-22 17:48 . 2009-04-22 17:45 52770576 ----a-w- i:\documents and settings\Vahab\Application Data\Sony Setup\64993CD0-67D1-4244-A2BC-FD73F4DA5B62\dotnetfx3.exe
2008-05-30 19:37 . 2008-05-30 19:37 148847 ----a-w- i:\program files\DEC2006_XACT_x86.cab
2008-05-30 19:36 . 2008-05-30 19:36 13267416 ----a-w- i:\program files\dxnt.cab
2008-05-30 19:36 . 2008-05-30 19:36 4165878 ----a-w- i:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 19:36 . 2008-05-30 19:36 1805306 ----a-w- i:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 19:36 . 2008-05-30 19:36 1803408 ----a-w- i:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 19:34 . 2008-05-30 19:34 528392 ----a-w- i:\program files\DXSETUP.exe
2009-04-02 01:04 . 2009-04-02 01:04 61038 ----a-w- i:\program files\mozilla firefox\components\jar50.dll
2009-04-02 01:04 . 2009-04-02 01:04 49256 ----a-w- i:\program files\mozilla firefox\components\jsd3250.dll
2009-04-02 01:04 . 2009-04-02 01:04 166000 ----a-w- i:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 i:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 i:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 i:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D i:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E i:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-04 04:14 359040 9F4B36614A0FC234525BA224957DE55C i:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 i:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-07-08 03:23 360064 90CAFF4B094573449A0872A0F919B178 i:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 i:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\tcpip.sys
[-] 2008-10-22 03:11 360320 3ADCE4790F591BF160A94F6F08039577 i:\windows\system32\dllcache\TCPIP.SYS
[-] 2008-10-22 03:11 360320 3ADCE4790F591BF160A94F6F08039577 i:\windows\system32\drivers\TCPIP.SYS

.
((((((((((((((((((((((((((((( SnapShot@2009-07-08_19.21.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-21 04:56 . 2009-07-21 04:56 16384 i:\windows\Temp\Perflib_Perfdata_51c.dat
+ 2009-07-21 04:56 . 2009-07-21 04:56 16384 i:\windows\Temp\Perflib_Perfdata_2b8.dat
+ 2007-10-24 03:00 . 2009-07-16 06:42 88590 i:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-07-14 06:58 . 2009-07-15 21:16 32768 i:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-06 00:45 . 2009-07-08 17:24 32768 i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-06 00:45 . 2009-07-15 21:16 32768 i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-06 00:45 . 2009-07-15 21:16 32768 i:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-10-06 00:45 . 2009-07-08 17:24 32768 i:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-02-03 02:07 . 2009-02-03 02:07 240544 i:\windows\system32\Macromed\Flash\FlashUtil10b.exe
+ 2009-07-16 21:50 . 2009-07-16 21:49 148888 i:\windows\system32\javaws.exe
+ 2009-07-16 21:50 . 2009-07-16 21:49 144792 i:\windows\system32\javaw.exe
+ 2009-07-16 21:50 . 2009-07-16 21:49 144792 i:\windows\system32\java.exe
+ 2009-07-16 21:49 . 2009-07-16 21:49 1563648 i:\windows\Installer\6de38.msi
+ 2009-07-16 22:03 . 2009-07-16 22:03 3938816 i:\windows\Installer\512cd.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2004-03-11 4841472]
"LVCOMS"="i:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"LogitechGalleryRepair"="i:\program files\Logitech\ImageStudio\ISStart.exe" [2002-12-10 155648]
"LogitechImageStudioTray"="i:\program files\Logitech\ImageStudio\LogiTray.exe" [2002-12-10 61440]
"TkBellExe"="i:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-21 180269]
"VAIO Update 3"="i:\program files\Sony\VAIO Update 3\VAIOUpdt.exe" [2007-05-16 551032]
"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2008-02-01 385024]
"ccApp"="i:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-05-07 115560]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2009-07-16 148888]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"AGRSMMSG"="AGRSMMSG.exe" - i:\windows\AGRSMMSG.exe [2003-05-23 88363]
"BluetoothAuthenticationAgent"="bthprops.cpl" - i:\windows\system32\bthprops.cpl [2004-08-04 110592]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - i:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"i:\\Program Files\\AIM\\aim.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"i:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"i:\\Program Files\\BitLord\\BitLord.exe"=
"i:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"i:\\Program Files\\MSN Messenger\\livecall.exe"=
"i:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"i:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"i:\\WINDOWS\\system32\\spoolsv.exe"=
"i:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"i:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"i:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"i:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:sys

R2 Viewpoint Manager Service;Viewpoint Manager Service;i:\program files\Viewpoint\Common\ViewpointService.exe [10/6/2007 1:26 PM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;i:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/24/2009 8:36 PM 101936]
S3 COH_Mon;COH_Mon;i:\windows\system32\drivers\COH_Mon.sys [5/7/2009 2:23 PM 23888]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
szwnxoys
.
Contents of the 'Scheduled Tasks' folder

2009-06-30 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 20:57]

2009-07-21 i:\windows\Tasks\Google Software Updater.job
- i:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-16 07:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - i:\documents and settings\Vahab\Application Data\Mozilla\Firefox\Profiles\djbdybif.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: i:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
i:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
i:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 00:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3304)
i:\windows\system32\WPDShServiceObj.dll
i:\windows\system32\PortableDeviceTypes.dll
i:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-21 0:10
ComboFix-quarantined-files.txt 2009-07-21 05:09
ComboFix2.txt 2009-07-16 03:50
ComboFix3.txt 2009-07-13 04:26
ComboFix4.txt 2009-07-08 19:26

Pre-Run: 4,265,107,456 bytes free
Post-Run: 4,280,528,896 bytes free

189 --- E O F --- 2009-02-12 07:37
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.
