Virus: Redirects + blue screen + hibernate, Tried SmitFraudFix & M


This topic is locked
13 replies to this topic

#1 wtmas22 (Authentic Member, 36 posts)

Posted 31 August 2010 - 10:15 AM

LDTate helped me with this problem and asked me to run GooredFix and then ComboFix. I had run GooredFix but not ComboFix.
I have just now run ComboFix, following LDTate's instructions. I have posted the ComboFix log below.
What is the next step? Please help.
------------
ComboFix 10-08-30.02 - Masoud 08/31/2010 11:52:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2722 [GMT -4:00]
Running from: c:\documents and settings\Masoud\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100831-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG11.tmp
C:\LOG12.tmp
C:\LOG13.tmp
C:\LOG15.tmp
C:\LOG28.tmp
C:\LOG29.tmp
C:\LOG30.tmp
C:\LOG31.tmp
C:\LOG8C.tmp
C:\LOGB.tmp
C:\VDM107.tmp
C:\VDM108.tmp
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-31 )))))))))))))))))))))))))))))))
.

2010-08-31 15:26 . 2010-08-31 15:26 -------- d-----w- c:\windows\LastGood.Tmp
2010-08-29 21:36 . 2010-08-29 21:36 61440 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-335432e1-n\decora-sse.dll
2010-08-29 21:36 . 2010-08-29 21:36 503808 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e58ef12-n\msvcp71.dll
2010-08-29 21:36 . 2010-08-29 21:36 499712 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e58ef12-n\jmc.dll
2010-08-29 21:36 . 2010-08-29 21:36 348160 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e58ef12-n\msvcr71.dll
2010-08-29 21:36 . 2010-08-29 21:36 12800 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-335432e1-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-31 15:30 . 2008-10-23 09:12 -------- d-----w- c:\documents and settings\Masoud\Application Data\Delicious IE Extension
2010-08-29 21:41 . 2008-10-01 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-07-04 05:28 . 2008-04-14 12:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-07-02 20:18 . 2010-05-21 06:50 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-30 14:47 . 2008-10-22 20:19 82512 ----a-w- c:\documents and settings\Masoud\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-29 22:15 . 2008-04-14 12:00 24576 ----a-w- c:\windows\system32\drivers\kbdclass.sys
2010-06-28 02:29 . 2010-06-28 02:29 503808 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4c56f939-n\msvcp71.dll
2010-06-28 02:29 . 2010-06-28 02:29 499712 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4c56f939-n\jmc.dll
2010-06-28 02:29 . 2010-06-28 02:29 348160 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4c56f939-n\msvcr71.dll
2010-06-28 02:29 . 2010-06-28 02:29 61440 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c147fd7-n\decora-sse.dll
2010-06-28 02:29 . 2010-06-28 02:29 12800 ----a-w- c:\documents and settings\Masoud\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-2c147fd7-n\decora-d3d.dll
2010-06-28 02:29 . 2010-06-28 02:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-27 03:37 . 2010-06-27 03:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-27 03:37 . 2009-03-21 21:07 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-27 03:37 . 2009-03-21 18:31 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-21 23:13 . 2008-11-04 23:26 90112 ----a-w- c:\windows\DUMP345e.tmp
2010-06-21 23:12 . 2008-11-04 23:26 90112 ----a-w- c:\windows\DUMP344e.tmp
2010-06-21 23:11 . 2008-11-04 23:26 90112 ----a-w- c:\windows\DUMP4110.tmp
2010-06-19 04:20 . 2008-11-04 23:26 90112 ----a-w- c:\windows\DUMP34fa.tmp
2010-06-19 04:15 . 2008-11-04 23:26 90112 ----a-w- c:\windows\DUMP3818.tmp
2010-06-19 04:14 . 2008-11-04 23:26 90112 ----a-w- c:\windows\DUMP3817.tmp
2010-06-19 04:12 . 2008-11-04 23:26 90112 ----a-w- c:\windows\DUMP3807.tmp
2010-06-19 04:11 . 2008-11-04 23:26 90112 ----a-w- c:\windows\DUMP34ea.tmp
2010-06-19 04:10 . 2008-11-04 23:26 90112 ----a-w- c:\windows\DUMP3ff7.tmp
2010-06-15 01:05 . 2010-06-10 07:33 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-06-10 07:34 . 2010-06-10 07:34 53248 ----a-r- c:\documents and settings\Masoud\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-13 39408]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"RTHDCPL"="RTHDCPL.EXE" [2008-02-13 16857600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WD Button Manager"="WDBtnMgr.exe" [2009-10-20 364544]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 188416]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-01 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-06-27 864112]
"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2008-03-13 81920]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-16 202256]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-05-18 1311312]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\Masoud\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-1-14 25214]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Masoud\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"427:UDP"= 427:UDP:SLP_Port(427)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/21/2009 2:31 PM 64288]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [11/5/2008 3:24 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/5/2008 3:24 PM 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [1/3/2009 1:51 AM 10448]
S2 gupdate1c9c07a63a465d2;Google Update Service (gupdate1c9c07a63a465d2);c:\program files\Google\Update\GoogleUpdate.exe [4/18/2009 7:07 PM 133104]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 3:12 PM 341504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-12-05 19:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 03:36]

2009-04-22 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4231568697.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]

2010-08-31 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-13 07:26]

2010-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 23:07]

2010-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-18 23:07]

2010-08-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-3425560987-363441517-1764276209-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-08-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-3425560987-363441517-1764276209-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-08-31 c:\windows\Tasks\User_Feed_Synchronization-{A0F51526-BAF6-41A7-AC02-629CB6466642}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
FF - ProfilePath - c:\documents and settings\Masoud\Application Data\Mozilla\Firefox\Profiles\efkwstrb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Masoud\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Notify-avldr - avldr.dll
SafeBoot-klmdb.sys
SafeBoot-PskSvcRetail



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-31 12:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

- - - - - - - > 'explorer.exe'(4524)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\WDBtnMgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Logitech\SetPointP\LU\LULnchr.exe
c:\program files\Logitech\SetPointP\LU\LogitechUpdate.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqbam08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgpc01.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-08-31 12:04:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-31 16:04

Pre-Run: 396,533,600,256 bytes free
Post-Run: 397,688,135,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5B0AB2BFEBEDB85C3F8674AC7AB12C82
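Added example (not part of the original post, and not ComboFix's own code): a small Python triage script that reads a ComboFix log and pulls out the few fields that decide whether the log is really clean. The sample input is a constructed excerpt that repeats lines from the log above; the flagging rules are this example's own heuristics, not anything ComboFix does. The one "review" finding it raises on this log is the line `uInternet Settings,ProxyServer = http=127.0.0.1:5577`: the browser was configured to send all HTTP through a listener on the machine itself, which the thread never identifies. Whether that listener was a web filter or something hostile is not established by the page; a practitioner would find the owning process (netstat -ano, then tasklist against the PID) before calling the log clean.

```python
"""Triage helper for a ComboFix log (added example, not ComboFix code)."""
import re

# Constructed excerpt of the posted log: real lines from the thread, abridged.
SAMPLE_LOG = """\
ComboFix 10-08-30.02 - Masoud 08/31/2010 11:52:23.1.2 - x86
AV: avast! antivirus 4.8.1368 [VPS 100831-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\\LOG11.tmp
C:\\VDM107.tmp
c:\\windows\\system32\\tmp.reg
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\\Legacy_NPF
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -

Notify-avldr - avldr.dll
SafeBoot-klmdb.sys
SafeBoot-PskSvcRetail

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scan completed successfully
hidden files: 0
"""

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")           # (((( Section ))))
DASH_BANNER_RE = re.compile(r"^-{3,}\s+(.+?)\s+-{3,}$")   # ------- Section -------
ORPHANS_RE = re.compile(r"^- - - - ORPHANS REMOVED - - - -$")
AV_RE = re.compile(r"^AV:\s*(.+?)\s*\[")
HIDDEN_RE = re.compile(r"^hidden files:\s*(\d+)$")
SETTING_RE = re.compile(r"^uInternet Settings,(ProxyServer|ProxyOverride)\s*=\s*(.+)$")
# scheme=host:port entries pointing at the loopback interface
LOOPBACK_RE = re.compile(r"(?:^|[=;])(?:\w+=)?(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):(\d+)")


def parse_combofix(text):
    """Return the security-relevant fields of a ComboFix log as a dict."""
    report = {"av": None, "av_on_access_disabled": False,
              "deleted_files": [], "deleted_services": [], "orphans": [],
              "proxy_server": None, "proxy_override": None, "hidden_files": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = BANNER_RE.match(line) or DASH_BANNER_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if ORPHANS_RE.match(line):
            section = "ORPHANS REMOVED"
            continue
        if line.startswith("***"):
            section = None          # star rules fence off the catchme / process blocks
            continue
        m = AV_RE.match(line)
        if m:
            report["av"] = m.group(1)
            report["av_on_access_disabled"] = "*On-access scanning disabled*" in line
            continue
        m = SETTING_RE.match(line)
        if m:
            key = "proxy_server" if m.group(1) == "ProxyServer" else "proxy_override"
            report[key] = m.group(2).strip()
            continue
        m = HIDDEN_RE.match(line)
        if m:
            report["hidden_files"] = int(m.group(1))
            continue
        if section == "Other Deletions":
            report["deleted_files"].append(line)
        elif section == "Drivers/Services":
            report["deleted_services"].append(line.lstrip("-").lstrip("\\"))
        elif section == "ORPHANS REMOVED":
            report["orphans"].append(line)
    return report


def triage(report):
    """Return (level, message) findings; 'review' means a human must look."""
    findings = []
    for m in LOOPBACK_RE.finditer(report["proxy_server"] or ""):
        host, port = m.group(1), m.group(2)
        findings.append(("review",
            f"browser proxy set to {host}:{port}: identify the listening process "
            f"(netstat -ano, then tasklist) before calling the log clean; a loopback "
            f"proxy is how some malware rewrites page loads, but web filters use it too"))
    if report["hidden_files"]:
        findings.append(("review", f"catchme reports {report['hidden_files']} hidden file(s)"))
    tmp = [p for p in report["deleted_files"] if p.lower().endswith(".tmp")]
    findings.append(("info", f"{len(report['deleted_files'])} file(s) deleted, {len(tmp)} of them .tmp"))
    for svc in report["deleted_services"]:
        findings.append(("info", f"service/driver entry removed: {svc}"))
    if report["orphans"]:
        findings.append(("info", f"{len(report['orphans'])} orphan entries removed (registry "
                         "references whose target file was already gone): " + ", ".join(report["orphans"])))
    if report["av_on_access_disabled"]:
        findings.append(("info", f"{report['av']} on-access scanning was off during the run "
                         "(expected, ComboFix asks for that); confirm it is back on"))
    return findings


def needs_review(report):
    return any(level == "review" for level, _ in triage(report))


if __name__ == "__main__":
    for level, msg in triage(parse_combofix(SAMPLE_LOG)):
        print(f"[{level:6}] {msg}")
```

The script deliberately reports the deleted .tmp files and the removed orphans as informational only, which is the same reading the helper gives later in the thread; it is the unexplained loopback proxy that keeps the log from being "all clean" on its own.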



#2 wtmas22 (Authentic Member, 36 posts)

Posted 31 August 2010 - 03:38 PM

To add to the completed ComboFix run: My system is not stable even after running ComboFix. It now restarts and reboots the PC automatically without warning. It has done this 4 times now. Is there anything in the ComboFix log that I need to be aware of? What next steps should I take? Thanks.

#3 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 31 August 2010 - 04:37 PM

If it's running well now, don't break it.

Good job :thumbup:

The following will implement some cleanup procedures as well as reset System Restore points:

  • Click Start > Run
  • Now type ComboFix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.


Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.


Log looks good :D


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer has always the latest security updates available installed on your computer.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.


I would suggest you read:
PC Safety and Security--What Do I Need?
How to Prevent Malware

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom
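Added example, not part of the original post: the Internet Explorer settings walked through above live in the registry, so the same hardening can be audited and replayed instead of clicked through. Internet Explorer stores each zone's settings as dword values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (3 is the Internet zone; 0 = Enable, 1 = Prompt, 3 = Disable). The value IDs below are the documented IDs for the six settings named in the post. The export text is a constructed sample, not a capture from the poster's machine; a real export comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` and is UTF-16, so the assumption here is that the caller reads it with `open(path, encoding="utf-16")` before passing the text in.

```python
"""Audit the IE Internet zone against the recommended settings and emit a .reg fix.

Added example, not from the original post. Value IDs: the ones Internet Explorer
keeps under HKCU\\...\\Internet Settings\\Zones\\3 (0 Enable, 1 Prompt, 3 Disable).
"""
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# value ID -> (setting name as shown in the IE Custom Level dialog, recommended level)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "not set"}

# Constructed sample of a `reg export` of the Internet zone, already decoded to text.
# 1001/1201/1804 are too permissive, 1607 is missing, 1004 and 1800 are fine.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000000
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Minimal .reg reader: {key path: {value name: int}} for dword values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})   # later sections for the same key merge in
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_zone3(export_text):
    """Return [(id, name, current, wanted)] for each recommended setting that deviates."""
    values = parse_reg(export_text).get(ZONE3_KEY, {})
    deviations = []
    for vid, (name, wanted) in RECOMMENDED.items():
        current = values.get(vid)   # None: value absent, IE falls back to the zone template
        if current != wanted:
            deviations.append((vid, name, current, wanted))
    return deviations


def render_fix(deviations):
    """Build a .reg file that sets only the deviating values (apply with `reg import`)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for vid, name, current, wanted in deviations:
        lines.append(f"; {name}: {LEVEL_NAME[current]} -> {LEVEL_NAME[wanted]}")
        lines.append(f'"{vid}"=dword:{wanted:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    devs = audit_zone3(SAMPLE_EXPORT)
    for vid, name, cur, want in devs:
        print(f"{vid} {name}: {LEVEL_NAME[cur]} -> {LEVEL_NAME[want]}")
    print(render_fix(devs))
```

Apply the emitted file with `reg import fix.reg`, export the key again and rerun the audit; the second run should report no deviations. The audit treats an absent value as a deviation on purpose: an unset value means the zone template decides, and the fix pins it explicitly so the setting no longer depends on which template the machine happens to be on.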

 


#4 wtmas22 (Authentic Member, 36 posts)

Posted 02 September 2010 - 12:00 PM

LDTate - URGENT: I have followed all of your instructions. But as reported last time, my system is not stable. The system now does not load Windows and reboots in a loop, showing the "blue screen" for half a second and then trying to reboot again. Even getting into Safe Mode was not easy, but I was able to force it into Safe Mode. I am now without a working system. You had confirmed that the ComboFix log looked good. So what's wrong? Is the virus gone? Did we do everything right? What are the next steps? Thanks.

#5 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 03 September 2010 - 09:19 AM

The only items ComboFix removed were temporary files.

Do you have your Windows CD?

You can use Windows SFC (System File Checker). You'd need your XP CD to make this work.
Click Start > Run > type sfc /scannow (note that there is a space between sfc and /scannow).


#6 wtmas22 (Authentic Member, 36 posts)

Posted 03 September 2010 - 09:31 AM

If ComboFix only removed temp files (and not the original virus), do we need to run it again? Is the virus still active on my system? And why is it that after running ComboFix (as per your recommendation) my system now cannot load Windows and is REBOOTING in a loop? In addition, before the rebooting problem started, Outlook would shut down in the middle of uploading emails. I do not have the Windows CD now. Are there any alternatives? Thanks.

#7 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 03 September 2010 - 10:22 AM

From your original topic:

I have a virus that causes
(1) the blue screen to appear for a few seconds and then my XP system reboots. It loops back to the same and never gets back into Windows
(2) When XP was running, the virus redirects links in IE or Firefox to ads, etc., and
(3) My system cannot go to Hibernate either -- it shows the hibernate screen for an instant and then comes back without hibernating.
All of the above are new.

So you had these issues before we did anything. You might have damaged Windows files.

If you can at least boot in Safe Mode with Networking, try this online scan.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.


  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply
Please include the following in your next post:
  • Kaspersky log
  • Let me know how your computer is running


#8 wtmas22 (Authentic Member, 36 posts)

Posted 03 September 2010 - 10:39 AM

LDTate - I can run Kaspersky (although I believe I had run it previously), but I have Avast and have run the full scan many times now. It did not find anything recently. Also, I have been running Malwarebytes consistently. Do I still need to run Kaspersky in the way you had recommended? Also, I found a backup of my Windows CD, so I can attempt to run sfc. Does running sfc affect data files, documents, etc.? WHAT DO YOU RECOMMEND? Thanks.

#9 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 03 September 2010 - 11:24 AM

So I can attempt to run the sfc. Does running sfc affect data files, documents, etc?
WHAT DO YOU RECOMMEND?

It won't do anything with data files.
It only checks Windows OS files. Run SFC


#10 wtmas22 (Authentic Member, 36 posts)

Posted 03 September 2010 - 12:36 PM

LDTate - HELP! The disc I found was not the proper Windows XP disc. However, I have an XP laptop and I found an i386 directory on its hard drive. Can I copy the directory to a disc to use in my affected PC, or copy it to its hard drive? If so, do I need to do anything about the Registry? Or are there any other alternatives, as I do not have the XP CDs? Thank you.

#11 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 03 September 2010 - 01:02 PM

Try this: Click Start> click Run. In the open window type in CMD and tap enter. At the command prompt type in Chkdsk /r and tap enter <--Note the space between the k /, it needs to be there. Reboot and let chkdsk run


#12 wtmas22 (Authentic Member, 36 posts)

Posted 03 September 2010 - 02:25 PM

OK. I ran Chkdsk. It ran OK for 4 of 5 stages, but on stage 4 (checking free space) the system rebooted by itself. When it came back, Chkdsk was re-running. It looks like this cannot resolve it. Is there any way to go the way of sfc and copy the i386 from the other laptop? Thanks.

#13 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 04 September 2010 - 06:28 AM

Is there any way to go the way of sfc and copy the i386 from the other laptop?

I don't think I'd try that.
I suggest you start a new topic in our Windows Forum and get help from the Tech Team.


#14 LDTate (Grand Poobah, Root Admin, 57,211 posts)

Posted 09 September 2010 - 04:38 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.
