
[Resolved] Please help, wedding in less than one week


7 replies to this topic

#1 brentorama

brentorama

    Authentic Member

  • 33 posts
  • Interests:Film, game design, programming, american history

Posted 12 May 2008 - 07:30 PM

Hello - I am in great need of some professional help. My computer has been affected in a way I cannot solve - the most prominent symptom is that my internet and network functions have slowed to a grind. If someone could lend a hand I would really appreciate it - my wedding is on the 17th and I desperately need to rely on my internet and printer. Below are the HijackThis and ComboFix logs (I'd run ComboFix on the advice of my office tech guy) - Sincere thanks to anyone willing to help me with this

Logfile of HijackThis v1.99.1
Scan saved at 9:29:01 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\bforrest\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\bforrest\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1010434988859
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\systp.dll
O20 - Winlogon Notify: rbsldad - C:\WINDOWS\SYSTEM32\rbsldad.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wlxlyt - C:\WINDOWS\SYSTEM32\WLXlyt.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner (avast! web scanner) - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe


ComboFix 08-05-09.1 - bforrest 2008-05-12 21:16:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1487 [GMT -4:00]
Running from: C:\Documents and Settings\bforrest\Desktop\system Helpers\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-13 to 2008-05-13 )))))))))))))))))))))))))))))))
.

2008-05-12 16:38 . 2008-05-12 16:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-12 16:38 . 2008-05-12 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 15:28 . 2008-05-12 15:28 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-10 10:11 . 2008-05-10 10:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-10 10:11 . 2008-05-10 10:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-10 03:00 . 2008-05-10 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-09 22:20 . 2008-05-09 22:20 <DIR> d-------- C:\Program Files\eRightSoft
2008-05-09 22:20 . 2008-05-09 22:20 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-09 22:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-09 22:08 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-09 22:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-09 21:49 . 2008-05-09 21:49 21,504 --a------ C:\WINDOWS\system32\rbsldad.dll
2008-05-09 00:57 . 2008-05-09 00:57 <DIR> d-------- C:\Program Files\Registrar Registry Manager
2008-05-09 00:57 . 2008-02-09 11:20 31,280 --a------ C:\WINDOWS\system32\rrMon.sys
2008-05-08 22:01 . 2008-05-08 22:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-08 20:57 . 2008-05-09 01:05 <DIR> d-------- C:\Program Files\Adware Away
2008-05-07 23:58 . 2008-05-12 16:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-07 20:14 . 2008-05-12 15:35 196,608 --a------ C:\WINDOWS\system32\Rsox.exe
2008-05-07 20:14 . 2008-05-12 15:35 135,168 --a------ C:\WINDOWS\system32\MiRD.dll
2008-05-07 20:14 . 2008-05-12 15:35 106,496 --a------ C:\WINDOWS\system32\BuYw.dll
2008-05-07 20:14 . 2008-05-07 20:14 81,920 --a------ C:\WINDOWS\system32\WiIW.dll
2008-05-07 20:14 . 2008-05-07 20:14 73,728 --a------ C:\WINDOWS\system32\WLXlyt.dll
2008-05-07 20:09 . 2008-05-07 20:09 29 --a------ C:\WINDOWS\system32\yfeyhioh.tmp
2008-05-06 17:56 . 2008-05-06 17:56 192,512 --a------ C:\WINDOWS\system32\cbOCR.dll
2008-05-06 17:08 . 2008-05-06 17:08 10,752 -rah----- C:\WINDOWS\system32\svchsh.exe
2008-05-06 17:03 . 2008-05-07 20:34 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-06 17:03 . 2008-05-06 17:03 <DIR> d-------- C:\Documents and Settings\bforrest\Application Data\CyberLink
2008-05-06 17:03 . 2008-05-06 17:03 <DIR> d-------- C:\Documents and Settings\bforrest\Application Data\AVS4YOU
2008-05-06 17:03 . 2008-05-06 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-06 17:02 . 2008-05-07 20:34 <DIR> d-------- C:\Program Files\AVS4YOU
2008-05-06 16:34 . 2008-05-06 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cyberlink
2008-05-06 16:34 . 2006-06-04 15:48 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2008-05-06 16:34 . 2006-06-04 15:48 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-05-06 16:33 . 2008-05-06 16:39 <DIR> d-------- C:\Program Files\CyberLink
2008-05-06 16:33 . 2008-05-06 16:33 <DIR> d-------- C:\MyWorks
2008-05-06 16:33 . 2006-06-04 15:48 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-05-06 16:33 . 2006-06-04 15:48 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2008-05-06 16:33 . 2006-06-04 15:48 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-05-06 16:33 . 2006-06-04 15:48 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-05-06 16:33 . 2006-06-04 15:48 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-04-18 19:57 . 2008-04-18 19:57 <DIR> d-------- C:\Program Files\Snapshot Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 23:54 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-12 19:24 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-12 19:24 --------- d-----w C:\Documents and Settings\bforrest\Application Data\WTablet
2008-05-12 19:24 --------- d-----w C:\Documents and Settings\bforrest\Application Data\OpenOffice.org2
2008-05-06 20:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 20:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-02 01:49 --------- d-----w C:\Program Files\Java
2008-04-11 02:50 --------- d-----w C:\Documents and Settings\bforrest\Application Data\Lexmark Productivity Studio
2008-04-09 03:16 --------- d-----w C:\Program Files\Lexmark 6500 Series
2008-04-01 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-12_15.34.57.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-12 20:38:38 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-05-12 20:38:38 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-05-12 20:38:38 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-05-12 20:38:38 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2008-05-12 23:59:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_b7d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06 79224]

C:\Documents and Settings\bforrest\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 17:45:48 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rbsldad]
rbsldad.dll 2008-05-09 21:49 21504 C:\WINDOWS\system32\rbsldad.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlxlyt]
WLXlyt.dll 2008-05-07 20:14 73728 C:\WINDOWS\system32\WLXlyt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\systp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"SENTINEL"= snti386.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\FRun.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\lxdfcfg.exe"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\Wireless\\lxdfwpss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 06:06]
R2 TabletServiceWacom;TabletServiceWacom;C:\WINDOWS\system32\Wacom_Tablet.exe [2007-09-07 12:40]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-28 00:28]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 12:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 11:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 17:11]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 06:06]

*Newly Created Service* - AAWSERVICE
*Newly Created Service* - catchme
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 21:17:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\drivers\qandr.sys 123392 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\qandr]
"ImagePath"="\??\C:\WINDOWS\system32\drivers\qandr.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLXlyt.dll
-> C:\WINDOWS\system32\rbsldad.dll
-> C:\WINDOWS\system32\WiIW.dll
.
Completion time: 2008-05-12 21:18:00
ComboFix-quarantined-files.txt 2008-05-13 01:17:58
ComboFix2.txt 2008-05-12 19:35:19
ComboFix3.txt 2008-05-10 02:06:18

Pre-Run: 236,525,527,040 bytes free
Post-Run: 236,516,990,976 bytes free

159 --- E O F --- 2008-05-10 07:04:13

Edited by brentorama, 12 May 2008 - 07:36 PM.



#2 bob4

bob4

    MalwareTeam Emeritus

  • 2,205 posts

Posted 14 May 2008 - 12:20 PM

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!

  • Save and quit any work you're doing before beginning the fix.
  • All HijackThis logs I ask for should be done in normal mode (not safe mode).
  • These logs should be done last, after you have followed my instructions in the previous post.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!


Please always use ComboFix with caution. It is mostly for use by people who have been trained to use it.

But you're OK for now.
Let's get you/ (your computer) cleaned up and you Married.



________________________________

Go to
Start/control panel/add remove programs ;
And Uninstall

Adware Away

Don't worry if you can't find it. Just continue on with the instructions.



We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you
in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System



Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
When complete, a log named CF_RC.txt will open. Please post the contents of that log.





______________________________
RUN HJT

HJT
Run HijackThis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O20 - AppInit_DLLs: C:\WINDOWS\system32\systp.dll
O20 - Winlogon Notify: rbsldad - C:\WINDOWS\SYSTEM32\rbsldad.dll

Close that.




________________________________________
Open notepad and copy/paste the text in the quotebox below into it:

File:: 
C:\WINDOWS\system32\Rsox.exe
C:\WINDOWS\system32\MiRD.dll
C:\WINDOWS\system32\BuYw.dll
C:\WINDOWS\system32\WiIW.dll
C:\WINDOWS\system32\WLXlyt.dll
C:\WINDOWS\system32\yfeyhioh.tmp
C:\WINDOWS\system32\cbOCR.dll
C:\WINDOWS\system32\svchsh.exe
Registry:: 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rbsldad]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlxlyt]


NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!
.

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will need in your next reply.

__________________________________________



Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the contents of that log.

    If you accidentally close it you may find it here.
    Start -> All Programs -> Malwarebytes' Anti-Malware -> Logs



    _________________________
    In your next reply I would like to see:
  • A new HJT log
  • The 2 reports from ComboFix (ComboFix.txt and CF_RC.txt)
  • The report from Malware bytes
  • Let me know if there is any improvement

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
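The two O20 lines the helper singled out above are Winlogon Notify and AppInit_DLLs entries whose DLLs appear in ComboFix's "Files Created" list only days before the scan. The script below, an added example that is not part of the thread and not a tool of HijackThis or ComboFix, automates that cross-check: it parses O20 lines from a HijackThis log, looks each DLL path up in a ComboFix "Files Created" block, and flags entries created inside a configurable window or sitting in AppInit_DLLs (which is empty on a default Windows XP install). The sample log lines are constructed from the ones posted in this thread; the seven-day window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, copied from the logs posted in this thread.
HJT_LOG = r"""
O20 - AppInit_DLLs: C:\WINDOWS\system32\systp.dll
O20 - Winlogon Notify: rbsldad - C:\WINDOWS\SYSTEM32\rbsldad.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wlxlyt - C:\WINDOWS\SYSTEM32\WLXlyt.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

COMBOFIX_CREATED = r"""
2008-05-09 21:49 . 2008-05-09 21:49 21,504 --a------ C:\WINDOWS\system32\rbsldad.dll
2008-05-07 20:14 . 2008-05-07 20:14 73,728 --a------ C:\WINDOWS\system32\WLXlyt.dll
2008-05-07 20:14 . 2008-05-07 20:14 81,920 --a------ C:\WINDOWS\system32\WiIW.dll
2008-05-06 16:33 . 2006-06-04 15:48 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
"""

# "O20 - Winlogon Notify: <name> - <path>" or "O20 - AppInit_DLLs: <path>"
O20_RE = re.compile(r"^O20 - (AppInit_DLLs|Winlogon Notify): (?:(\S+) - )?(.+)$")
# "<created> . <modified> <size|<DIR>> <attrs> <path>"
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$"
)
STAMP = "%Y-%m-%d %H:%M"


def parse_hjt_o20(text):
    """Return (kind, name, path) for every O20 line; name is None for AppInit_DLLs."""
    entries = []
    for line in text.strip().splitlines():
        m = O20_RE.match(line.strip())
        if m:
            kind, name, path = m.groups()
            entries.append((kind, name, path.strip()))
    return entries


def parse_combofix_created(text):
    """Map lower-cased path -> creation time from a ComboFix 'Files Created' block."""
    created = {}
    for line in text.strip().splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            stamp, _size, _attrs, path = m.groups()
            # NTFS paths are case-insensitive; HJT and ComboFix differ in case.
            created[path.strip().lower()] = datetime.strptime(stamp, STAMP)
    return created


def triage(hjt_text, combofix_text, scan_time, window_days=7):
    """Flag O20 load points whose DLL is newly created or lives in AppInit_DLLs."""
    scan = datetime.strptime(scan_time, STAMP)
    cutoff = scan - timedelta(days=window_days)
    created = parse_combofix_created(combofix_text)
    findings = []
    for kind, name, path in parse_hjt_o20(hjt_text):
        when = created.get(path.lower())
        reasons = []
        if when is not None and when >= cutoff:
            reasons.append(f"created {(scan - when).days} day(s) before the scan")
        if kind == "AppInit_DLLs":
            reasons.append("AppInit_DLLs is populated (empty on a default install)")
        findings.append({
            "kind": kind,
            "name": name or path.rsplit("\\", 1)[-1],
            "path": path,
            "created": when.strftime(STAMP) if when else None,
            "flag": "; ".join(reasons),
        })
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG, COMBOFIX_CREATED, "2008-05-12 21:17"):
        mark = "!!" if f["flag"] else "  "
        print(f"{mark} {f['kind']:15} {f['name']:12} {f['path']}  {f['flag']}")
```

Anything flagged is a candidate for a closer look, not a verdict; WgaLogon stays unflagged here because it is not in the recent-files list.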

#3 brentorama

brentorama

    Authentic Member

  • 33 posts
  • Interests:Film, game design, programming, american history

Posted 14 May 2008 - 04:38 PM

Thank you for your response - before applying these fixes I'd noticed the problems only persist after restarting my computer - so I've left my computer running the last few days to get the work done needed for my wedding - I will restart and check the status in a few days but before then here are the logs you requested - HijackThis was unable to fix

O20 - AppInit_DLLs: C:\WINDOWS\system32\systp.dll
O20 - Winlogon Notify: rbsldad - C:\WINDOWS\SYSTEM32\rbsldad.dll

The error given is posted below

thanks again

Brent

ComboFix 08-05-09.1 - bforrest 2008-05-14 18:10:51.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1536 [GMT -4:00]
Running from: C:\Documents and Settings\bforrest\Desktop\system Helpers\ComboFix.exe
Command switches used :: C:\Documents and Settings\bforrest\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-14 03:00 . 2008-05-14 03:00 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-12 16:38 . 2008-05-12 16:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-12 16:38 . 2008-05-12 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 15:28 . 2008-05-12 15:28 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-10 10:11 . 2008-05-10 10:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-10 10:11 . 2008-05-10 10:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-10 03:00 . 2008-05-10 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-09 22:20 . 2008-05-09 22:20 <DIR> d-------- C:\Program Files\eRightSoft
2008-05-09 22:20 . 2008-05-09 22:20 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-09 22:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-09 22:08 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-09 22:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-09 21:49 . 2008-05-09 21:49 21,504 --a------ C:\WINDOWS\system32\rbsldad.dll
2008-05-09 00:57 . 2008-05-09 00:57 <DIR> d-------- C:\Program Files\Registrar Registry Manager
2008-05-09 00:57 . 2008-02-09 11:20 31,280 --a------ C:\WINDOWS\system32\rrMon.sys
2008-05-08 22:01 . 2008-05-08 22:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-07 23:58 . 2008-05-12 16:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-07 20:14 . 2008-05-12 15:35 196,608 --a------ C:\WINDOWS\system32\Rsox.exe
2008-05-07 20:14 . 2008-05-12 15:35 135,168 --a------ C:\WINDOWS\system32\MiRD.dll
2008-05-07 20:14 . 2008-05-12 15:35 106,496 --a------ C:\WINDOWS\system32\BuYw.dll
2008-05-07 20:14 . 2008-05-07 20:14 81,920 --a------ C:\WINDOWS\system32\WiIW.dll
2008-05-07 20:14 . 2008-05-07 20:14 73,728 --a------ C:\WINDOWS\system32\WLXlyt.dll
2008-05-07 20:09 . 2008-05-07 20:09 123,392 --a------ C:\WINDOWS\system32\drivers\qandr.sys
2008-05-07 20:09 . 2008-05-07 20:09 29 --a------ C:\WINDOWS\system32\yfeyhioh.tmp
2008-05-06 17:56 . 2008-05-06 17:56 192,512 --a------ C:\WINDOWS\system32\cbOCR.dll
2008-05-06 17:08 . 2008-05-06 17:08 10,752 -rah----- C:\WINDOWS\system32\svchsh.exe
2008-05-06 17:03 . 2008-05-07 20:34 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-06 17:03 . 2008-05-06 17:03 <DIR> d-------- C:\Documents and Settings\bforrest\Application Data\CyberLink
2008-05-06 17:03 . 2008-05-06 17:03 <DIR> d-------- C:\Documents and Settings\bforrest\Application Data\AVS4YOU
2008-05-06 17:03 . 2008-05-06 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-06 17:02 . 2008-05-07 20:34 <DIR> d-------- C:\Program Files\AVS4YOU
2008-05-06 16:34 . 2008-05-06 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cyberlink
2008-05-06 16:34 . 2006-06-04 15:48 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2008-05-06 16:34 . 2006-06-04 15:48 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-05-06 16:33 . 2008-05-06 16:39 <DIR> d-------- C:\Program Files\CyberLink
2008-05-06 16:33 . 2008-05-06 16:33 <DIR> d-------- C:\MyWorks
2008-05-06 16:33 . 2006-06-04 15:48 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-05-06 16:33 . 2006-06-04 15:48 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2008-05-06 16:33 . 2006-06-04 15:48 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-05-06 16:33 . 2006-06-04 15:48 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-05-06 16:33 . 2006-06-04 15:48 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-04-18 19:57 . 2008-04-18 19:57 <DIR> d-------- C:\Program Files\Snapshot Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 02:42 --------- d-----w C:\Documents and Settings\bforrest\Application Data\OpenOffice.org2
2008-05-14 00:26 --------- d-----w C:\Documents and Settings\bforrest\Application Data\WTablet
2008-05-13 22:19 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-12 23:54 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-06 20:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 20:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-02 01:49 --------- d-----w C:\Program Files\Java
2008-04-11 02:50 --------- d-----w C:\Documents and Settings\bforrest\Application Data\Lexmark Productivity Studio
2008-04-09 03:16 --------- d-----w C:\Program Files\Lexmark 6500 Series
2008-04-01 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-12_15.34.57.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-23 04:56:21 554,008 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\dao360.dll
+ 2007-12-10 12:41:11 518,944 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexch40.dll
+ 2007-12-10 12:41:11 326,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msexcl40.dll
+ 2007-12-10 12:41:11 1,516,568 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjet40.dll
+ 2007-12-10 12:41:11 355,112 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjetol1.dll
+ 2008-03-27 07:39:13 151,583 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjint40.dll
+ 2007-12-10 12:41:12 60,192 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjter40.dll
+ 2007-12-10 12:41:12 248,608 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msjtes40.dll
+ 2007-12-10 12:41:12 219,936 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msltus40.dll
+ 2007-12-10 12:41:12 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mspbde40.dll
+ 2007-12-10 12:41:13 432,928 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd2x40.dll
+ 2007-12-10 12:41:13 322,336 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrd3x40.dll
+ 2007-12-10 12:41:13 559,904 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msrepl40.dll
+ 2007-12-10 12:41:13 264,992 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mstext40.dll
+ 2007-12-10 12:41:13 838,432 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswdat10.dll
+ 2007-12-10 12:41:14 621,344 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\mswstr10.dll
+ 2007-12-10 12:41:14 355,104 ----a-w C:\WINDOWS\$hf_mig$\KB950749\SP2QFE\msxbde40.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB950749\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB950749\update\updspapi.dll
- 2008-05-12 19:24:00 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 00:25:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-12 20:38:38 1,038,336 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-05-12 20:38:38 178,688 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-05-12 20:38:38 171,008 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-05-12 20:38:38 8,704 ----a-r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
- 2006-02-28 12:00:00 561,179 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
+ 2008-03-25 04:50:25 554,008 -c--a-w C:\WINDOWS\system32\dllcache\dao360.dll
- 2006-02-28 12:00:00 512,029 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
+ 2008-03-25 04:50:28 518,944 -c--a-w C:\WINDOWS\system32\dllcache\msexch40.dll
- 2006-02-28 12:00:00 319,517 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 -c--a-w C:\WINDOWS\system32\dllcache\msexcl40.dll
- 2006-02-28 12:00:00 1,507,356 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 -c--a-w C:\WINDOWS\system32\dllcache\msjet40.dll
- 2006-02-28 12:00:00 358,976 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
+ 2008-03-25 04:50:40 355,112 -c--a-w C:\WINDOWS\system32\dllcache\msjetol1.dll
- 2006-02-28 12:00:00 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
+ 2008-03-27 08:12:54 151,583 -c--a-w C:\WINDOWS\system32\dllcache\msjint40.dll
- 2006-02-28 12:00:00 53,279 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
+ 2008-03-25 04:50:42 60,192 -c--a-w C:\WINDOWS\system32\dllcache\msjter40.dll
- 2006-02-28 12:00:00 241,693 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 -c--a-w C:\WINDOWS\system32\dllcache\msjtes40.dll
- 2006-02-28 12:00:00 213,023 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
+ 2008-03-25 04:50:44 219,936 -c--a-w C:\WINDOWS\system32\dllcache\msltus40.dll
- 2006-02-28 12:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 -c--a-w C:\WINDOWS\system32\dllcache\mspbde40.dll
- 2006-02-28 12:00:00 421,919 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 -c--a-w C:\WINDOWS\system32\dllcache\msrd2x40.dll
- 2006-02-28 12:00:00 315,423 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 -c--a-w C:\WINDOWS\system32\dllcache\msrd3x40.dll
- 2006-02-28 12:00:00 552,989 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 -c--a-w C:\WINDOWS\system32\dllcache\msrepl40.dll
- 2006-02-28 12:00:00 258,077 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
+ 2008-03-25 04:50:55 264,992 -c--a-w C:\WINDOWS\system32\dllcache\mstext40.dll
- 2006-02-28 12:00:00 831,519 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 -c--a-w C:\WINDOWS\system32\dllcache\mswdat10.dll
- 2006-02-28 12:00:00 614,429 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 -c--a-w C:\WINDOWS\system32\dllcache\mswstr10.dll
- 2006-02-28 12:00:00 348,189 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 -c--a-w C:\WINDOWS\system32\dllcache\msxbde40.dll
+ 2007-07-11 18:37:26 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 17:58:08 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 17:56:58 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
- 2006-02-28 12:00:00 512,029 ----a-w C:\WINDOWS\system32\msexch40.dll
+ 2008-03-25 04:50:28 518,944 ----a-w C:\WINDOWS\system32\msexch40.dll
- 2006-02-28 12:00:00 319,517 ----a-w C:\WINDOWS\system32\msexcl40.dll
+ 2008-03-25 04:50:30 326,432 ----a-w C:\WINDOWS\system32\msexcl40.dll
- 2006-02-28 12:00:00 1,507,356 ----a-w C:\WINDOWS\system32\msjet40.dll
+ 2008-03-25 04:50:34 1,516,568 ----a-w C:\WINDOWS\system32\msjet40.dll
- 2006-02-28 12:00:00 358,976 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
+ 2008-03-25 04:50:40 355,112 ----a-w C:\WINDOWS\system32\msjetoledb40.dll
- 2006-02-28 12:00:00 53,279 ----a-w C:\WINDOWS\system32\msjter40.dll
+ 2008-03-25 04:50:42 60,192 ----a-w C:\WINDOWS\system32\msjter40.dll
- 2006-02-28 12:00:00 241,693 ----a-w C:\WINDOWS\system32\msjtes40.dll
+ 2008-03-25 04:50:42 248,608 ----a-w C:\WINDOWS\system32\msjtes40.dll
- 2006-02-28 12:00:00 213,023 ----a-w C:\WINDOWS\system32\msltus40.dll
+ 2008-03-25 04:50:44 219,936 ----a-w C:\WINDOWS\system32\msltus40.dll
- 2006-02-28 12:00:00 348,189 ----a-w C:\WINDOWS\system32\mspbde40.dll
+ 2008-03-25 04:50:45 355,104 ----a-w C:\WINDOWS\system32\mspbde40.dll
- 2006-02-28 12:00:00 421,919 ----a-w C:\WINDOWS\system32\msrd2x40.dll
+ 2008-03-25 04:50:47 432,928 ----a-w C:\WINDOWS\system32\msrd2x40.dll
- 2006-02-28 12:00:00 315,423 ----a-w C:\WINDOWS\system32\msrd3x40.dll
+ 2008-03-25 04:50:49 322,336 ----a-w C:\WINDOWS\system32\msrd3x40.dll
- 2006-02-28 12:00:00 552,989 ----a-w C:\WINDOWS\system32\msrepl40.dll
+ 2008-03-25 04:50:52 559,904 ----a-w C:\WINDOWS\system32\msrepl40.dll
- 2006-02-28 12:00:00 258,077 ----a-w C:\WINDOWS\system32\mstext40.dll
+ 2008-03-25 04:50:55 264,992 ----a-w C:\WINDOWS\system32\mstext40.dll
- 2006-02-28 12:00:00 831,519 ----a-w C:\WINDOWS\system32\mswdat10.dll
+ 2008-03-25 04:50:57 838,432 ----a-w C:\WINDOWS\system32\mswdat10.dll
- 2006-02-28 12:00:00 614,429 ----a-w C:\WINDOWS\system32\mswstr10.dll
+ 2008-03-25 04:50:58 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
- 2006-02-28 12:00:00 348,189 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-03-25 04:50:58 355,104 ----a-w C:\WINDOWS\system32\msxbde40.dll
+ 2008-05-14 00:56:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_53c.dat
+ 2008-05-14 00:26:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5b8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06 79224]

C:\Documents and Settings\bforrest\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 17:45:48 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rbsldad]
rbsldad.dll 2008-05-09 21:49 21504 C:\WINDOWS\system32\rbsldad.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlxlyt]
WLXlyt.dll 2008-05-07 20:14 73728 C:\WINDOWS\system32\WLXlyt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\systp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"SENTINEL"= snti386.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\FRun.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\lxdfcfg.exe"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\Wireless\\lxdfwpss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 06:06]
R2 TabletServiceWacom;TabletServiceWacom;C:\WINDOWS\system32\Wacom_Tablet.exe [2007-09-07 12:40]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-28 00:28]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 12:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 11:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 17:11]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 06:06]
S2 qandr;qandr;C:\WINDOWS\system32\drivers\qandr.sys [2008-05-07 20:09]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 18:11:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DiagnosticScan]
"ImagePath"="\??\C:\Program Files\Adware Away\DiagnosticScan.SYS"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\WLXlyt.dll
-> C:\WINDOWS\system32\rbsldad.dll
-> C:\WINDOWS\system32\WiIW.dll
.
Completion time: 2008-05-14 18:11:43
ComboFix-quarantined-files.txt 2008-05-14 22:11:32
ComboFix2.txt 2008-05-14 02:42:00
ComboFix3.txt 2008-05-14 00:29:45
ComboFix4.txt 2008-05-13 01:18:01
ComboFix5.txt 2008-05-12 19:35:19

Pre-Run: 236,353,191,936 bytes free
Post-Run: 236,325,601,280 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons



****************************


O20 - AppInit_DLLs: C:\WINDOWS\system32\systp.dll
O20 - Winlogon Notify: rbsldad - C:\WINDOWS\SYSTEM32\rbsldad.dll


were present but got this error:

261 --- E O F --- 2008-05-14 07:00:38

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: C:\WINDOWS\system32\systp.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 7.0.5730.11
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.


****************************************

ComboFix 08-05-09.1 - bforrest 2008-05-14 18:16:59.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1533 [GMT -4:00]
Running from: C:\Documents and Settings\bforrest\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\bforrest\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\BuYw.dll
C:\WINDOWS\system32\cbOCR.dll
C:\WINDOWS\system32\MiRD.dll
C:\WINDOWS\system32\Rsox.exe
C:\WINDOWS\system32\svchsh.exe
C:\WINDOWS\system32\WiIW.dll
C:\WINDOWS\system32\WLXlyt.dll
C:\WINDOWS\system32\yfeyhioh.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\BuYw.dll
C:\WINDOWS\system32\cbOCR.dll
C:\WINDOWS\system32\MiRD.dll
C:\WINDOWS\system32\Rsox.exe
C:\WINDOWS\system32\svchsh.exe
C:\WINDOWS\system32\WiIW.dll
C:\WINDOWS\system32\WLXlyt.dll
C:\WINDOWS\system32\yfeyhioh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-04-14 to 2008-05-14 )))))))))))))))))))))))))))))))
.

2008-05-12 16:38 . 2008-05-12 16:38 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-12 16:38 . 2008-05-12 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 15:28 . 2008-05-12 15:28 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-10 10:11 . 2008-05-10 10:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-10 10:11 . 2008-05-10 10:11 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-10 03:00 . 2008-05-10 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-09 22:20 . 2008-05-09 22:20 <DIR> d-------- C:\Program Files\eRightSoft
2008-05-09 22:20 . 2008-05-09 22:20 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-09 22:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-09 22:08 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-09 22:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-09 21:49 . 2008-05-09 21:49 21,504 --a------ C:\WINDOWS\system32\rbsldad.dll
2008-05-09 00:57 . 2008-05-09 00:57 <DIR> d-------- C:\Program Files\Registrar Registry Manager
2008-05-09 00:57 . 2008-02-09 11:20 31,280 --a------ C:\WINDOWS\system32\rrMon.sys
2008-05-08 22:01 . 2008-05-08 22:01 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-07 23:58 . 2008-05-12 16:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-07 20:09 . 2008-05-07 20:09 123,392 --a------ C:\WINDOWS\system32\drivers\qandr.sys
2008-05-06 17:03 . 2008-05-07 20:34 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-06 17:03 . 2008-05-06 17:03 <DIR> d-------- C:\Documents and Settings\bforrest\Application Data\CyberLink
2008-05-06 17:03 . 2008-05-06 17:03 <DIR> d-------- C:\Documents and Settings\bforrest\Application Data\AVS4YOU
2008-05-06 17:03 . 2008-05-06 17:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-06 17:02 . 2008-05-07 20:34 <DIR> d-------- C:\Program Files\AVS4YOU
2008-05-06 16:34 . 2008-05-06 16:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cyberlink
2008-05-06 16:34 . 2006-06-04 15:48 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2008-05-06 16:34 . 2006-06-04 15:48 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-05-06 16:33 . 2008-05-06 16:39 <DIR> d-------- C:\Program Files\CyberLink
2008-05-06 16:33 . 2008-05-06 16:33 <DIR> d-------- C:\MyWorks
2008-05-06 16:33 . 2006-06-04 15:48 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-05-06 16:33 . 2006-06-04 15:48 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2008-05-06 16:33 . 2006-06-04 15:48 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-05-06 16:33 . 2006-06-04 15:48 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-05-06 16:33 . 2006-06-04 15:48 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-04-18 19:57 . 2008-04-18 19:57 <DIR> d-------- C:\Program Files\Snapshot Viewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 22:19 --------- d-----w C:\Documents and Settings\bforrest\Application Data\WTablet
2008-05-14 22:19 --------- d-----w C:\Documents and Settings\bforrest\Application Data\OpenOffice.org2
2008-05-13 22:19 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-06 20:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-06 20:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-02 01:49 --------- d-----w C:\Program Files\Java
2008-04-11 02:50 --------- d-----w C:\Documents and Settings\bforrest\Application Data\Lexmark Productivity Studio
2008-04-09 03:16 --------- d-----w C:\Program Files\Lexmark 6500 Series
2008-04-01 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-12-17 12:43 27,648 --sh--w C:\WINDOWS\system32\Smab0.dll
.

((((((((((((((((((((((((((((( snapshot_2008-05-14_18.11.28.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-14 00:25:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 22:18:39 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 22:18:44 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06 79224]

C:\Documents and Settings\bforrest\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
OpenOffice.org 2.1.lnk - C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 17:45:48 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"SENTINEL"= snti386.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Autodesk\\Maya8.5\\bin\\maya.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfamon.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\FRun.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\lxdfmon.exe"=
"C:\\WINDOWS\\system32\\lxdfcfg.exe"=
"C:\\WINDOWS\\system32\\lxdfcoms.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"C:\\Program Files\\Lexmark 6500 Series\\Wireless\\lxdfwpss.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 lxdf_device;lxdf_device;C:\WINDOWS\system32\lxdfcoms.exe [2007-05-29 06:06]
R2 TabletServiceWacom;TabletServiceWacom;C:\WINDOWS\system32\Wacom_Tablet.exe [2007-09-07 12:40]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\atl01_xp.sys [2006-07-28 00:28]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 12:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 11:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 17:11]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe [2007-05-29 06:06]
S2 qandr;qandr;C:\WINDOWS\system32\drivers\qandr.sys [2008-05-07 20:09]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 18:19:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.bin
.
**************************************************************************
.
Completion time: 2008-05-14 18:21:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-14 22:21:51
ComboFix2.txt 2008-05-14 22:11:44
ComboFix3.txt 2008-05-14 02:42:00
ComboFix4.txt 2008-05-14 00:29:45
ComboFix5.txt 2008-05-13 01:18:01

Pre-Run: 236,324,028,416 bytes free
Post-Run: 236,313,350,144 bytes free

164 --- E O F --- 2008-05-14 07:00:38



Malwarebytes' Anti-Malware 1.12
Database version: 750

Scan type: Full Scan (C:\|)
Objects scanned: 106262
Time elapsed: 13 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qandr (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\qandr (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qandr (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\bforrest\Desktop\cbOCR.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\bqzpas.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\cbOCR.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\fccaBTKC.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\geBtUkhi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\svchsh.exe.vir (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\tcpsr.sys.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP76\A0005516.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP76\A0005525.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005829.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005840.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005847.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005864.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005884.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP78\A0005904.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP78\A0005909.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP78\A0005910.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP78\A0005922.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP83\A0006902.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP83\A0006905.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\qandr.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

#4 bob4

    MalwareTeam Emeritus

  • Authentic Member
  • 2,205 posts

Posted 14 May 2008 - 06:51 PM

Looks much better so far.

But I do need a new HJT log please.

There was so much on this machine that I would like to get another scan done, to be certain we don't miss anything. No reason to post back to me until this scan is done.


_________________________________
Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    (Do not use the Registry function to clean anything with this program. Having anything auto-clean your registry is risky.)


_________________________________

Using Internet Explorer, please do a Kaspersky Online Scan

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure as follows:
      • Scan using the following Anti-Virus database:
          • Extended
      • Scan Options:
          • Scan Archives
          • Scan Mail Bases

  • Click OK & have it scan My Computer
  • Once the scan is complete, it will provide a report if your system is infected. It does not provide an option to clean/disinfect. We only require a report from it.

  • Click Save report as.
  • Click the Save as Text button to save the file to your desktop and post it in your next reply.



Turn off the real time scanner of any existing antivirus program while performing the online scan

____________________________________
Please post a new HJT log

and

The report from Kaspersky.
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

#5 brentorama

    Authentic Member

  • Authentic Member
  • 33 posts
  • Interests: Film, game design, programming, american history

Posted 14 May 2008 - 10:09 PM

Here are both logs - please note I ran HJT before running CCleaner

thanks again

BF

Logfile of HijackThis v1.99.1
Scan saved at 11:03:37 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\bforrest\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\bforrest\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1010434988859
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner (avast! web scanner) - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdfCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdfserv.exe
O23 - Service: lxdf_device - - C:\WINDOWS\system32\lxdfcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 15, 2008 12:05:53 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/05/2008
Kaspersky Anti-Virus database records: 774238
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 71617
Number of viruses found: 10
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 00:27:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\bforrest\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\cert8.db Object is locked skipped
C:\Documents and Settings\bforrest\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\history.dat Object is locked skipped
C:\Documents and Settings\bforrest\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\key3.db Object is locked skipped
C:\Documents and Settings\bforrest\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\parent.lock Object is locked skipped
C:\Documents and Settings\bforrest\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\search.sqlite Object is locked skipped
C:\Documents and Settings\bforrest\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\bforrest\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Application Data\Mozilla\Firefox\Profiles\3vko5tb2.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000\~efe2.tmp Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0001\~efe2.tmp Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Temp\Photoshop Temp83879 Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Temp\svl14.tmp\svl15.tmp Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Temp\~DF9DDC.tmp Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\bforrest\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\bforrest\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\bforrest\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Gpa03.sys.vir Infected: Trojan-Downloader.Win32.Mutant.wl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Yhj48.sys.zip/Yhj48.sys Infected: Trojan-Downloader.Win32.Agent.nsl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Yhj48.sys.zip ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ihekuiqr.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\Rsox.exe.vir Infected: Trojan-PSW.Win32.Agent.aif skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WiIW.dll.vir Infected: Trojan-Downloader.Win32.Injecter.ot skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WLCtrl32.dll.vir Infected: Trojan-Downloader.Win32.Mutant.ow skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\WLXlyt.dll.vir Infected: Trojan-Downloader.Win32.Injecter.pv skipped
C:\QooBox\Quarantine\catchme2008-05-09_220117.51.zip/bqzpas.sys Infected: Rootkit.Win32.Agent.akq skipped
C:\QooBox\Quarantine\catchme2008-05-09_220117.51.zip/jkkKawuT.dll Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\catchme2008-05-09_220117.51.zip/WinData.cab Infected: Trojan-Downloader.Win32.Agent.ohi skipped
C:\QooBox\Quarantine\catchme2008-05-09_220117.51.zip ZIP: infected - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP76\A0005509.dll Infected: Trojan-Downloader.Win32.Mutant.ow skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP76\A0005518.dll Infected: Trojan-Downloader.Win32.Mutant.ow skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005834.dll Infected: Trojan-Downloader.Win32.Mutant.ow skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005843.dll Infected: Trojan-Downloader.Win32.Agent.ohi skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005851.exe Infected: Trojan-PSW.Win32.Agent.aif skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005858.dll Infected: Trojan-Downloader.Win32.Agent.ohi skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005866.exe Infected: Trojan-PSW.Win32.Agent.aif skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005873.dll Infected: Trojan-Downloader.Win32.Agent.ohi skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005887.dll Infected: not-a-virus:Monitor.Win32.EliteKeylogger.b skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005889.exe Infected: Trojan-PSW.Win32.Agent.aif skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Mutant.ow skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP78\A0005900.dll Infected: Trojan-Downloader.Win32.Mutant.ow skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP78\A0005911.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP79\A0006418.exe Infected: Trojan-PSW.Win32.Agent.aif skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP83\A0006904.exe Infected: Trojan-PSW.Win32.Agent.aif skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP83\A0006906.dll Infected: Trojan-Downloader.Win32.Injecter.ot skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP83\A0006907.dll Infected: Trojan-Downloader.Win32.Injecter.pv skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP83\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{24B783ED-E5C3-4ABE-BB1F-B1D3D74CA95F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5c0.dat Object is locked skipped
C:\WINDOWS\TempFile Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
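The security-relevant reading of the report above is that every "Infected" hit sits either under C:\QooBox\Quarantine (files ComboFix had already pulled out of the system) or inside System Volume Information\_restore (System Restore snapshots), while the many "Object is locked" lines are files the scanner could not open rather than detections. The following is an added example, not part of the original post or of the Kaspersky tool, that automates that triage over report lines in this layout. The sample lines are constructed to mirror the shapes seen in the report; the final "invented.dll" line is an invented live detection so that bucket is exercised.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Kaspersky Online Scanner report layout:
#   "<path> Infected: <name> skipped", "<path> Object is locked skipped",
#   "<archive> ZIP: infected - <n> skipped".
# The last line is an invented live detection (not from the real report).
SAMPLE_REPORT = r"""
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\Gpa03.sys.vir Infected: Trojan-Downloader.Win32.Mutant.wl skipped
C:\QooBox\Quarantine\catchme2008-05-09_220117.51.zip/bqzpas.sys Infected: Rootkit.Win32.Agent.akq skipped
C:\QooBox\Quarantine\catchme2008-05-09_220117.51.zip ZIP: infected - 3 skipped
C:\System Volume Information\_restore{4CBCCC4B-4DFC-4503-AC9B-1320A341E9AE}\RP77\A0005887.dll Infected: not-a-virus:Monitor.Win32.EliteKeylogger.b skipped
C:\WINDOWS\system32\invented.dll Infected: Trojan.Win32.Monder.gen skipped
"""

# One report line: a path (may contain spaces), then one of three outcomes.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|ZIP: infected - (?P<count>\d+)) skipped$"
)

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"              # ComboFix's quarantine folder
RESTORE_MARKER = "\\system volume information\\_restore"    # System Restore snapshots


def classify_path(path):
    """Bucket a detection by where the file lives: already quarantined,
    frozen in a restore point, or live on the running system."""
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIX):
        return "quarantine"
    if RESTORE_MARKER in low:
        return "restore_point"
    return "live"


def parse_detections(report_text):
    """Return (path, detection_name) for every line that names a detection.
    Locked objects were never scanned, and archive totals ("ZIP: infected - n")
    only repeat members already listed on their own lines, so both are dropped."""
    found = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("name"):
            found.append((m.group("path"), m.group("name")))
    return found


def triage(report_text):
    """Group detections into quarantine / restore_point / live buckets."""
    buckets = defaultdict(list)
    for path, name in parse_detections(report_text):
        buckets[classify_path(path)].append((path, name))
    return dict(buckets)


def live_paths(report_text):
    """The only detections that still need hands-on removal."""
    return [path for path, _ in triage(report_text).get("live", [])]


def summary(report_text):
    return {bucket: len(items) for bucket, items in triage(report_text).items()}


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(items)}")
        for path, name in items:
            print(f"    {name:45s} {path}")
```

Run against the full report on this page, the "live" bucket comes back empty, which is exactly the conclusion drawn in the next post: the quarantine folder goes away with ComboFix /u, and the restore-point copies go away when System Restore is reset, so neither needs to be cleaned by hand.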

#6 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • 2,205 posts

Posted 15 May 2008 - 05:26 AM

Great news!

The only things Kaspersky found were some items we already removed with ComboFix and a few left in System Restore points, both of which we will take care of right now.



Your log now appears to be clean, as long as everything seems to be running OK.

________________________________
Go to start > run and copy and paste this in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

______________________________


You may keep Malwarebytes as it is a very good tool.
You can read more about it here.
http://www.malwarebytes.org/mbam.php


________________________________________
I see no evidence of a firewall. I suggest you get one in place now.

A few words on Microsoft's firewall in XP: it only works in one direction, incoming.
That means if something gets by it you would never know it was trying to contact the internet.
Example: a bad program installs itself. You would never know it was contacting the internet, downloading other nasties and so forth.

If you decide to run one of these you should be certain Microsoft's firewall is disabled.
To disable it.

I will list a few free firewalls for you. These are good (free) firewalls:

Never run two firewalls together. They will interfere with each other.
So just download and install one!

Comodo ... fairly simple to use

Online Armor Firewall




________________________________________
A few things to help with possible threats

These are optional . But will help protect you further.

SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust...tsitehound.html

This toolbar will help protect you from:

Over 4,000 fake bank and credit sites.
Tens of thousands of pornographic and adult sites.
The never ending fake phishing sites.
Malicious sites, which can infect you with spyware and adware if you visit them.
Sites to download software which may infect your computer with spyware, a virus or adware.


___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here :
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.


Here's a site with great advice on how to AVOID malware. Much easier to do than removing it.




Safe and Happy Surfing. :)
The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.
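The HOSTS file advice in the post above works because the resolver consults the local file before DNS, so a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The following is an added example, not part of the original post or of the MVPS project, that parses a file in that layout and answers "would this name be sinkholed?" the way the resolver would: comments stripped, whitespace and tabs tolerated, several names per line, case-insensitive matching, and the first mapping for a name winning over later duplicates. The sample file content and every hostname in it are constructed for the example.

```python
import ipaddress

# Addresses a blocking HOSTS file points names at. 127.0.0.1 is the loopback
# address the post describes; 0.0.0.0 and ::1 are the other common choices.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in the HOSTS file layout; every name below is invented.
SAMPLE_HOSTS = """\
# Banner and comment lines are ignored
127.0.0.1       localhost
127.0.0.1       ads.malware-example.test      # trailing comment
0.0.0.0         tracker.malware-example.test  www.tracker.malware-example.test
127.0.0.1\tTAB.Separated.test
127.0.0.1       dup.test
10.0.0.5        dup.test      # later duplicate is ignored: first entry wins
not-an-address  nonsense.test
"""


def parse_hosts(text):
    """Build {hostname_lowercase: ip} from HOSTS file text.
    Lines with an unparseable address are skipped; the first mapping seen
    for a name is kept, matching how the resolver walks the file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        parts = line.split()                    # any run of spaces/tabs
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                            # malformed address field
        for name in parts[1:]:
            table.setdefault(name.lower(), ip)  # first entry wins
    return table


def resolve(table, hostname):
    """Address the HOSTS file would hand back, or None if DNS would be asked."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(table, hostname):
    """True when the name is pinned to a sinkhole address by the file."""
    ip = resolve(table, hostname)
    return ip is not None and ip in SINKHOLE_ADDRESSES


def blocked_names(table):
    """Every sinkholed name except localhost, which legitimately maps to loopback."""
    return sorted(name for name, ip in table.items()
                  if ip in SINKHOLE_ADDRESSES and name != "localhost")


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("Ads.Malware-Example.test", "cdn.ads.malware-example.test", "dup.test"):
        print(f"{name:35s} -> {resolve(table, name)}  blocked={is_blocked(table, name)}")
```

Two caveats the example makes visible: a HOSTS entry matches the exact name only, so cdn.ads.malware-example.test is not covered by an entry for ads.malware-example.test, and the file is only consulted when the machine itself resolves the name. With a proxy configured, the browser hands the hostname to the proxy unresolved, which is why the MVPS page has separate instructions for proxy and AOL users.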

#7 brentorama

brentorama

    Authentic Member

  • Authentic Member
  • 33 posts
  • Interests:Film, game design, programming, american history

Posted 15 May 2008 - 09:40 AM

Thank you Malware team!

#8 bob4

bob4

    MalwareTeam Emeritus

  • Authentic Member
  • 2,205 posts

Posted 16 May 2008 - 05:08 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
