Is my computer possessed? Do I need an exorcism? HJT log incl.

Discussion in 'Windows - Virus and spyware problems' started by narcismo, Sep 8, 2008.

  1. narcismo

    narcismo Regular member

    Joined:
    Jun 3, 2006
    Messages:
    309
    Likes Received:
    0
    Trophy Points:
    26
    My computer has been running stupid slow. On-line scans and AVG free show no problems. Don't see anything weird on HJT either (but I'm no expert). AD-AWARE won't even load, I get an error code that asks me if "I'm logged in as a diff user". And I keep getting "low virtual memory" warnings. Maybe I just need to switch some paging files to a portion of my (partitioned x3) hard drive w/more available memory, but I'm not sure how.
    I'd appreciate any advice.
    Thanks in advance. Here's an HJT log.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:48:35 PM, on 9/8/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\AVG\AVG8\avgtray.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\system32\drwtsn32.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140654306906
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140654255531
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hi narcismo,

    Your HJT Log is Clean… That doesn't always mean you don't have an infection but it's a pretty good sign that it's not a bad infection.

    From your description, it sounds like you have just run out of free space in your C partition.

    How many HD's do you have? How many partitions do you have on the operating drive?? 3?

    Go to Start > My Computer > right click the drives (partitions) > Properties

    And see how much free space you have on each of the Drives (partitions)
    You need bare minimum of 15 percent free space on your operating partition and that is pushing it.

    If one of the other partitions has enough free space then you can move the My Documents folder to it and free up the space on your operating partition.

    If you have only one HD, I wouldn’t recommend moving the paging file that would just slow you down.

    You are able to resize the partition with programs like Partition Magic or Acronis Disk Director (not free). I don’t know of a free partitioning software that really works..


    2OG
     
  3. narcismo

    Thanks 2OG,
    I'll give it a shot and post back.
     
  4. narcismo

    2OL,
    It seems I still have about 47% of avail memory on my C: drive and a lot more on D & E. Sounds like I should be OK. But when I look at my "System Monitor" I see HUGE spikes in my paging file usage. Not sure why. Doesn't seem that I should have to re-allocate any virt-memory? I'm confused. If you check my 1st post, I mentioned the ERROR msg I got from the AD-AWARE program. I just can't make sense of it.
    I need the advice of an elder! LOL! Seriously!
    Thanks in advance.
    Eric

    P.S.
    My machine froze for nearly 2 min while posting this msg.
    That can't be good. An easy fix would be great...but I'm "lacing them up" just in case. Thanks again
     
    Last edited: Sep 9, 2008
  5. 2oldGeek

    Hi narcismo,


    Sometimes these new malwares can hide pretty well.

    Let’s do a little pre-cleaning and then dig a little deeper to see if we can pull something out of the woodwork.



    (1.) Please download ATF Cleaner by Atribune & save it to your desktop.


    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.




    (2.) Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.

    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.

    • Be sure that everything is checked, and click Remove Selected. << Do Not Forget This!!

    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.



    (3.) Download Combo fix from one of these locations.
    * IMPORTANT !!! Place combofix.exe on your Desktop

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    http://subs.geekstogo.com/ComboFix.exe

    Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK.






    ComboFix will begin to run DO NOTHING while this is happening.
    • It will kill a few processes and disconnect you from the internet.
    • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
    • This needs to be done so the program can work most efficiently for you.
    Do not attempt to use the internet or anything else while it's doing its job for you.

    If when it's completed you can not get on the internet just reboot the computer

    Post the log from comboFix for me located in c:\comboFix.txt, MBAM Log and a fresh HijackThis Log.


    2OG

    Edit: I finally noticed that you are using an outdated HJT. This may be the reason we can't see the malware.. Update your HijackThis to the latest version.
     
    Last edited: Sep 10, 2008
  6. narcismo

    Wow you're fast 2OL!
    I just moved some paging files. I'm going to power down/re-start, check my machine, then post back. Choi!
    Thank you again.
     
  7. 2oldGeek

    I'm OLD not SLOW!
     
  8. narcismo

    Thanks again for your reply,
    Didn't work. I run ATF Cleaner regularly, I'm currently running "Malwarebytes". That's as far as I got! Slow Down! lol!

    P.S. I run AVG-Free 8.0, Spy-Bot, Windows Defender, and Ad-Aware.
    Do any of these progs "argue with each other"? My computer seemed to slow around the time I downloaded AVG 8.0.
    Haven't got to the "Combo Fix" part yet...please bear with me, my machine is freezing like an ESKIMO!
    When this scan is done I'll post back.
     
    Last edited: Sep 10, 2008
  9. narcismo

    Hello again 2OL,
    Here's the Malwarebytes log...not comforting.

    Malwarebytes' Anti-Malware 1.27
    Database version: 1134
    Windows 5.1.2600 Service Pack 3

    9/10/2008 5:28:26 AM
    mbam-log-2008-09-10 (05-28-26).txt

    Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
    Objects scanned: 75387
    Time elapsed: 1 hour(s), 12 minute(s), 18 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 5
    Files Infected: 6

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\VSAdd-in (Adware.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\DRIVER (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\DRIVER\DAP (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\DRIVER\DAP\LOG (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\DRIVER\DAP\NTLOG (Trojan.Agent) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system\DRIVER\Copy (5) of 3.txt (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\DRIVER\cygwin1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\DRIVER\Driver32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\DRIVER\New Text Document (5).txt (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\DRIVER\servicesmgr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system\DRIVER\winlogon.dll (Trojan.Agent) -> Quarantined and deleted successfully.


    P.S.
    Cannot run Combofix ?
    I get an error report from "SPYBOT" telling me that the prog cannot be re-named(in my registry)?
    Would that be because I moved "MY DOCUMENTS" folder to a diff partition? I've since moved it back and will try again.
    Thanks again.
     
    Last edited: Sep 10, 2008
  10. narcismo

    Nope...No Dice.
    I've tried multiple times. It downloads but won't run.
    ERROR: Windows cannot locate C:/Documents and settings...,blah,blah,blah.
    I have the patience of Job, but this is driving me nuts! lol Will a "ROOTKIT REVEALER" log give you the info you need? I think I'm going stir-crazy! I hate computers! lol Can I fix this thru "RegEdit"?

    Thanks again for all your help. Sorry i know I'm rambling. lol
     
    Last edited: Sep 10, 2008
  11. 2oldGeek

    You’re running scanners that will not allow ComboFix to run…

    Uninstall Combofix by going to Start > Run > type in combofix /u then OK

    Download a fresh ComboFix from Here

    Turn off (disable) Spybot Teatimer, windows defender, AVG8 and any other scanners that you have running.

    Run ComboFix from the Desktop by double clicking the icon.

    If that works post a Log…

    2OG
     
  12. narcismo

    2OG,
    Wow! What a difference! My machine is working much better.
    Here's my ComboFix log.


    ComboFix 08-09-10.02 - Administrator 2008-09-10 17:42:50.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.99 [GMT -4:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ADS - WINDOWS: deleted 24 bytes in 1 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\system32\2.txt
    C:\WINDOWS\system32\mlnmp.bak1
    C:\WINDOWS\system32\mlnmp.ini
    C:\WINDOWS\system32\url(3).dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NTLOAD


    ((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
    .

    2008-09-10 05:46 . 2008-09-10 05:46 <DIR> d-------- C:\Documents and Settings\My Documents\DVDFab
    2008-09-10 05:46 . 2008-09-10 05:46 <DIR> d-------- C:\Documents and Settings\My Documents\Downloads
    2008-09-10 05:46 . 2008-09-10 05:46 <DIR> d-------- C:\Documents and Settings\My Documents\candystand
    2008-09-10 05:45 . 2008-09-10 05:45 <DIR> d-------- C:\Documents and Settings\My Documents\Updater5
    2008-09-10 05:45 . 2008-09-10 05:45 <DIR> d-------- C:\Documents and Settings\My Documents\PcSetup
    2008-09-10 05:45 . 2008-09-10 05:45 <DIR> d-------- C:\Documents and Settings\My Documents\NeroVision
    2008-09-10 05:45 . 2008-09-10 05:45 <DIR> dr------- C:\Documents and Settings\My Documents\My Videos
    2008-09-10 05:45 . 2008-09-10 05:45 <DIR> dr------- C:\Documents and Settings\My Documents\my pictures
    2008-09-10 05:45 . 2008-09-10 05:46 <DIR> dr------- C:\Documents and Settings\My Documents\My Music
    2008-09-10 05:45 . 2008-09-10 05:46 <DIR> dr------- C:\Documents and Settings\My Documents
    2008-09-10 00:29 . 2008-09-10 00:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2008-09-10 00:28 . 2008-09-10 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-09-10 00:28 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-09-10 00:28 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-09-08 20:43 . 2008-09-08 20:43 3,918 --a------ C:\Documents and Settings\My Documents\cc_20080908_204346.reg
    2008-08-29 20:41 . 2008-08-29 20:41 9,400 --a------ C:\Documents and Settings\My Documents\cc_20080829_204113.reg
    2008-08-16 21:34 . 2008-08-16 21:34 31,464 --a------ C:\Documents and Settings\My Documents\cc_20080816_213414.reg
    2008-08-16 20:55 . 2008-09-10 17:10 <DIR> d-------- C:\Program Files\Panda Security
    2008-08-16 20:55 . 2008-08-17 22:22 <DIR> d-------- C:\Program Files\Mozilla ActiveX Control v1.7.12
    2008-08-16 20:55 . 2008-08-16 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall6.6
    2008-08-16 20:55 . 2008-08-16 20:55 <DIR> d-------- C:\Documents and Settings\Administrator\.housecall
    2008-08-15 20:42 . 2008-05-01 10:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-15 20:41 . 2008-04-11 15:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-10 21:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-09-10 21:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-30 00:26 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
    2008-08-17 23:19 --------- d-----w C:\Program Files\Elaborate Bytes
    2008-08-17 02:24 --------- d-----w C:\Program Files\Windows Live Safety Center
    2008-08-10 00:28 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Graboid Inc
    2008-08-06 00:33 78,568 ----a-w C:\Documents and Settings\My Documents\cc_20080805_203321.reg
    2008-08-03 01:48 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ImgBurn
    2008-08-01 13:27 99,648 ----a-w C:\WINDOWS\system32\drivers\AnyDVD.sys
    2008-07-31 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
    2008-07-29 04:03 --------- d-----w C:\Documents and Settings\Administrator\Application Data\dvdcss
    2008-07-27 01:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Graboid Inc
    2008-07-27 01:51 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MozillaControl
    2008-07-27 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Launcher
    2008-07-21 12:11 24,392 ----a-w C:\WINDOWS\system32\drivers\ElbyCDIO.sys
    2008-07-13 00:09 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
    2008-07-13 00:09 --------- d-----w C:\Program Files\AVG
    2008-07-13 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-07-12 03:01 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Vso
    2007-06-02 02:54 87,608 ----a-w C:\Documents and Settings\Administrator\Application Data\ezpinst.exe
    2007-06-02 02:54 47,360 ----a-w C:\Documents and Settings\Administrator\Application Data\pcouffin.sys
    2004-03-11 17:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
    2008-05-28 22:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052820080529\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
    "Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2008-04-13 143360]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-29 1235736]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
    -ra------ 2007-03-01 11:37 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    --a------ 2008-08-01 09:32 2161600 C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
    --a------ 2008-01-07 12:26 390568 C:\WINDOWS\system32\Macromed\SHOCKW~1\SWHELP~2.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "E:\\program files\\iTunes\\iTunes.exe"=
    "D:\\Program Files\\LimeWire\\LimeWire.exe"=
    "C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-29 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 875288]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-12 76040]
    S3 AntiAries;Anti Aries Helper Driver;C:\WINDOWS\System32\drivers\RKL15.tmp.sys [2007-03-21 7680]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f25ef62-5f41-11d9-a9dc-806d6172696f}]
    \shell\play\command - "C:\Program Files\iTunes\iTunes.exe" /playCD "%L"
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-POINTER - point32.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\f3licwif.default\
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-10 17:47:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-10 17:52:00 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-10 21:51:54

    Pre-Run: 12,063,322,112 bytes free
    Post-Run: 12,033,540,096 bytes free

    146 --- E O F --- 2008-09-03 20:54:57
     
  13. 2oldGeek

    That's looking much better.... :)

    Now post a fresh HJT Log and we'll pick up the trash.
     
  14. narcismo

    Here you go.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:09:39 PM, on 9/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140654306906
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140654255531
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

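A small triage helper for the log format shown above, added here as an example (it is not part of the thread and not HijackThis code): it parses O2/O4/O20/O23 entries, records where each one persists and in whose context it runs, and flags items a reviewer would resolve first, such as 8.3 short paths and bare AppInit_DLLs names. The sample entries are copied from the log above; the scope descriptions are standard Windows autostart behaviour.

```python
import re
# Constructed sample: entries copied from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx)", re.IGNORECASE)

# Where each section type persists and in whose context it runs.
SCOPE = {
    "O20 AppInit_DLLs": "every process that loads user32.dll",
    "O20 Winlogon Notify": "winlogon.exe (SYSTEM), before logon",
    "O23": "Windows service (usually SYSTEM)",
    "O4 HKLM": "every user at logon",
    "O4 HKCU": "current user at logon",
    "O2": "Internet Explorer (BHO)",
}

def classify(code, body):
    # O4 and O20 each cover two locations; the body tells them apart.
    if code == "O4":
        return "O4 HKLM" if body.startswith("HKLM") else "O4 HKCU"
    if code == "O20":
        return "O20 AppInit_DLLs" if body.startswith("AppInit_DLLs") else "O20 Winlogon Notify"
    return code

def parse_hjt(text):
    """One dict per entry: code, scope, file path (or None) and reviewer notes."""
    entries = []
    for m in filter(None, map(ENTRY_RE.match, (l.strip() for l in text.splitlines()))):
        code, body = m.group("code"), m.group("body")
        scope = classify(code, body)
        path_m = PATH_RE.search(body)
        path = path_m.group(0) if path_m else None
        notes = []
        if path and "~" in path:
            notes.append("8.3 short path; resolve it before judging the vendor")
        if scope == "O20 AppInit_DLLs" and path is None:
            notes.append("bare DLL name, found via the DLL search order; confirm it sits in system32")
        entries.append({"code": code, "scope": SCOPE.get(scope, "other"), "path": path, "notes": notes})
    return entries

def system_wide(entries):
    # Entries that load outside the current user's own logon session.
    return [e for e in entries if "SYSTEM" in e["scope"] or e["scope"].startswith("every")]
```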
     
  15. 2oldGeek

    2oldGeek Active member

    Congratulations narcismo, your log now looks CLEAN


    Things to do:
    Install a firewall – see below.

    Update your Java – see below.


    Here are a few other things you must do once you are completely clean:

    1. Time for some housekeeping

    Please download the OTMoveIt2 by OldTimer

    Save it to your desktop.
    Run the tool by clicking on the icon.
    • Click the Cleanup button.

    • The tools that we used as well as this one will be removed from your system.


    2. Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only


    Double-click ATF-Cleaner.exe to run the program.

    • Under Main "Select Files to Delete" choose: Select All.
    • Click the Empty Selected button.

    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.

    • Click Exit on the Main menu to close the program.


    3. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

    Update Java using JavaRa

    Please download JavaRa and unzip it to your desktop.
    • Double-click on JavaRa.exe to start the program.
    • Click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.


    Then download and install Java Runtime Environment (JRE) 6 Update 7.




    4. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    The easiest and safest way to do this is:

    • Go to Start > Programs > Accessories > System Tools and click "System Restore".

    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    • Then go to Start > Run and type: Cleanmgr
    • Click "OK"
    Select the drive you want to clean usually C:
    Click OK
    When it completes the scan:
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


    5. Defragment your Hard Drive

    1. Open My Computer.
    2. Right-click the local disk volume that you want to defragment, and then click Properties.
    3. On the Tools tab, click Defragment Now.
    4. Click Defragment.




    And here are some tips to reduce the potential for spyware infection in the future:


    It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Two good ones are Comodo Free and Online Armor Personal Firewall.
    I have recently changed my firewall to Comodo, love it and highly recommend it.

    Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

    I strongly recommend installing the following applications:


    To protect your machine, I highly recommend BOClean. It’s FREE and it works. I use it and never get one of these infections.

    In order to prevent the installation of Trojans and Malware on your machine:
    Download and install: Comodo BOClean

    Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shut down and remove any suspected trojan application. Comodo BOClean currently supports more than 60,000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.

    Spywareblaster <= SpywareBlaster will prevent spyware from being installed.



    See Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.


    And also see TonyKlein's good advice
    So how did I get infected in the first place?




    Enjoy your clean computer. Any questions?


    2OG
     
  16. narcismo

    narcismo Regular member

    Good to go. Justice is served and Evil is Punished!
    Thanks again 2OL :)
    You're officially on my Christmas list !
     
    Last edited: Sep 10, 2008
  17. 2oldGeek

    2oldGeek Active member

    Just remember me in your will..


    2OG
     
  18. narcismo

    narcismo Regular member

    You are THE MAN !
    Thanks again.
     
  19. narcismo

    narcismo Regular member

    Dear Kind Sir (2OG),
    Thanks 4 all your help. My machine worked fine for a day or two. Now it's back to its former "retarded-state" .......slow and slower. I did everything you asked (updated JAVA, added COMODO & Blaster). And it seemed to work fine ...temporarily. But Not 4 Long. ANY RECOMMENDATIONS ?

    NARCISMO
     
  20. 2oldGeek

    2oldGeek Active member

    Did you defrag your drive? A badly fragmented drive can slow you down.

    How much free space is left on your drive? A drive that has run out of free space can slow you down.

    Also, check out Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
     