"Attention 1972vet"

*

Offline GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #30 on: March 08, 2009, 06:54:58 PM »
Most of my posts are being made from my desktop PC, so when I am running ComboFix or MBAM on the laptop
I can give you an up-to-date description of what's going on with it via my desktop PC,
without disturbing the programs trying to run on the laptop.

*

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: "Attention 1972vet"
« Reply #31 on: March 08, 2009, 07:21:53 PM »
Please perform an online scan with a-squared Web Malware Scanner
1. Click "Scan Your PC now".
2. You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
3. A new window will appear asking "Do you want to install this software?"
4. Select "Install" to download the ActiveX controls. When the download completes, you will be presented with a new screen. Here, make sure you click on Deep Scan to put the bullet there.
5. Click the blue "Scan" button on the right to begin.
6. When the scan completes, click the Quarantine selected objects button at the bottom.
7. When finished, click the Save Report button and save it to your desktop.

Post back your results. Thanks!
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

*

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: "Attention 1972vet"
« Reply #32 on: March 08, 2009, 07:26:16 PM »
You could also try running the combofix script from safe mode.

*

Offline GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #33 on: March 08, 2009, 07:27:36 PM »
Should I disable Avira, and which option do you recommend I do first?

*

Offline GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #34 on: March 08, 2009, 07:28:28 PM »
Oops, never mind, the on-line scanner is running I guess.

*

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: "Attention 1972vet"
« Reply #35 on: March 08, 2009, 07:39:17 PM »
Since Avira has just recently been run, I don't expect any problem while it's running the online scan because Avira already found everything that it's going to find...however, by disabling it you might speed things up a bit.

*

Offline GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #36 on: March 08, 2009, 08:25:31 PM »
a-squared Web Malware Scanner v. 4.0

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start:   2009-03-09 18:33:24


Scanned

Files:    80993
Traces:    372123
Cookies:    24
Processes:    32

Found

Files:    0
Traces:    5
Cookies:    1
Processes:    0

Scan end:   2009-03-09 19:16:37
Scan time:   00:43:13

*

Offline GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #37 on: March 08, 2009, 08:28:51 PM »
I am going to try ComboFix in safe mode next.

*

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: "Attention 1972vet"
« Reply #38 on: March 08, 2009, 08:35:45 PM »
That log looks fine.

*

Offline GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #39 on: March 08, 2009, 08:41:22 PM »
Oh, I have noticed that the laptop will not shut down.
It's stuck on the "Windows is shutting down..."
screen.

*

Offline GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #40 on: March 08, 2009, 08:51:13 PM »
I don't have a ComboFix shortcut on my desktop when in safe mode.

*

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: "Attention 1972vet"
« Reply #41 on: March 09, 2009, 06:36:29 AM »
That's because you were logged on as "Administrator". If you want to try the cfscript.txt, boot back to safe mode and log on with your user account. By the way, can I assume that it eventually shut down for you?

*

Offline GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #42 on: March 09, 2009, 01:32:30 PM »
OK, I'll try that.

About the laptop not shutting down: it only happens when the ComboFix/script fails.
For whatever reason it freezes on that program and won't let me power down,

but if I were to shut down now I would have no trouble.

*

Offline GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #43 on: March 09, 2009, 06:31:30 PM »
ComboFix/CFScript

ComboFix 09-03-06.02 - Eva 2009-03-10 12:48:25.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.825 [GMT -7:00]
Running from: c:\documents and settings\Eva\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eva\Desktop\CFScript.txt

FILE ::
c:\program files\BitComet
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Symantec

.
(((((((((((((((((((((((((   Files Created from 2009-02-10 to 2009-03-10  )))))))))))))))))))))))))))))))
.

2009-03-09 20:25 . 2009-03-09 20:25   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-09 13:50 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 13:50 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-03-09 08:49 . 2009-03-09 08:49   <DIR>   d--------   c:\documents and settings\Eva\Application Data\Malwarebytes
2009-03-08 19:53 . 2009-03-08 19:53   <DIR>   d--------   c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-08 15:26 . 2009-03-09 22:16   <DIR>   d--------   c:\documents and settings\Eva\Application Data\HPAppData
2009-03-08 15:15 . 2005-04-10 03:06   <DIR>   d--------   c:\documents and settings\Eva\Application Data\Apple Computer
2009-03-08 15:15 . 2009-03-08 15:15   <DIR>   d--------   c:\documents and settings\Eva
2009-03-08 10:21 . 2009-01-09 12:19   1,089,593   ---------   c:\windows\system32\dllcache\ntprint.cat
2009-03-08 06:25 . 2005-04-10 03:06   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Apple Computer
2009-03-08 06:25 . 2009-03-08 06:25   <DIR>   d--------   c:\documents and settings\Administrator
2009-03-08 05:49 . 2009-03-08 05:49   <DIR>   d--------   c:\windows\system32\XPSViewer
2009-03-08 05:49 . 2009-03-08 05:49   <DIR>   d--------   c:\program files\Reference Assemblies
2009-03-08 05:48 . 2009-03-08 05:49   <DIR>   d--------   C:\b384df9af8b5ebf79356c52d
2009-03-08 05:48 . 2008-07-06 05:06   1,676,288   ---------   c:\windows\system32\xpssvcs.dll
2009-03-08 05:48 . 2008-07-06 05:06   1,676,288   ---------   c:\windows\system32\dllcache\xpssvcs.dll
2009-03-08 05:48 . 2008-07-06 03:50   597,504   ---------   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-08 05:48 . 2008-07-06 05:06   575,488   ---------   c:\windows\system32\xpsshhdr.dll
2009-03-08 05:48 . 2008-07-06 05:06   575,488   ---------   c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-08 05:48 . 2008-07-06 05:06   117,760   ---------   c:\windows\system32\prntvpt.dll
2009-03-08 05:48 . 2008-07-06 05:06   89,088   ---------   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-07 22:44 . 2009-03-07 22:44   <DIR>   d--------   c:\windows\system32\scripting
2009-03-07 22:44 . 2009-03-07 22:44   <DIR>   d--------   c:\windows\system32\en
2009-03-07 22:44 . 2009-03-07 22:44   <DIR>   d--------   c:\windows\system32\bits
2009-03-07 22:44 . 2009-03-07 22:44   <DIR>   d--------   c:\windows\l2schemas
2009-03-07 22:41 . 2009-03-07 22:41   <DIR>   d--------   c:\windows\ServicePackFiles
2009-03-07 22:34 . 2009-03-07 22:34   <DIR>   d--------   c:\windows\EHome
2009-03-07 20:44 . 2009-03-07 20:44   324   --a------   C:\ituninst.bat
2009-03-07 16:54 . 2009-03-09 13:50   <DIR>   d--------   C:\Malwarebytes' Anti-Malware
2009-03-07 16:54 . 2009-03-07 16:54   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-07 16:23 . 2009-03-07 16:23   <DIR>   d--------   c:\program files\Trend Micro
2009-03-03 18:59 . 2009-03-07 21:45   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-03 18:06 . 2009-03-03 18:06   <DIR>   d--------   c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 17:53 . 2009-03-10 12:35   54,156   --ah-----   c:\windows\QTFont.qfn
2009-03-03 17:53 . 2009-03-03 17:53   1,409   --a------   c:\windows\QTFont.for
2009-03-03 17:13 . 2009-03-02 16:54   2,876,720   --a------   C:\mbam-setup.exe
2009-03-02 19:17 . 2008-04-13 17:12   1,737,856   ---------   c:\windows\system32\mtxparhd.dll
2009-03-02 19:16 . 2008-04-13 17:11   1,888,992   ---------   c:\windows\system32\ati3duag.dll
2009-02-26 14:06 . 2009-02-26 14:06   <DIR>   d--------   c:\documents and settings\Guest\Application Data\Sprint
2009-02-26 13:04 . 2009-02-26 13:04   <DIR>   d--------   c:\documents and settings\Guest\Application Data\Walgreens
2009-02-23 14:11 . 2009-02-26 14:47   <DIR>   d--------   c:\documents and settings\Guest\Application Data\HPAppData

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-08 22:20   ---------   d-----w   c:\program files\GetRight
2009-03-08 12:49   ---------   d-----w   c:\program files\MSBuild
2009-03-08 05:09   ---------   d-----w   c:\program files\Hp
2009-03-08 05:08   ---------   d-----w   c:\program files\Google
2009-03-08 05:08   ---------   d-----w   c:\program files\DivX
2009-03-08 05:03   ---------   d-----w   c:\program files\HPQ
2009-03-08 05:02   ---------   d-----w   c:\program files\Common Files\Sonic Shared
2009-03-08 05:00   ---------   d-----w   c:\program files\Common Files\InstallShield
2009-03-08 04:53   ---------   d-----w   c:\program files\MUSICMATCH
2009-03-08 04:51   ---------   d-----w   c:\program files\MySpace
2009-03-08 04:42   ---------   d-----w   c:\program files\Verizon Games on Demand Player
2009-03-08 04:40   ---------   d-----w   c:\program files\Common Files\Motive
2009-03-08 04:37   ---------   d-----w   c:\documents and settings\All Users\Application Data\yahoo!
2009-03-08 04:30   ---------   d-----w   c:\program files\Yahoo!
2009-03-08 04:27   ---------   d-----w   c:\program files\YPOPs
2009-03-08 04:00   ---------   d-----w   c:\documents and settings\All Users\Application Data\HP
2009-03-08 03:43   ---------   d-----w   c:\program files\iDump
2009-03-08 03:42   ---------   d-----w   c:\program files\Easy Internet signup
2009-03-08 03:39   ---------   d-----w   c:\program files\ClubUBT
2009-03-08 03:36   ---------   d-----w   c:\program files\Apple Software Update
2009-03-04 00:59   ---------   d-----w   c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-28 17:22   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-02-25 14:53   ---------   d-----w   c:\program files\Microsoft Money 2005
2009-02-23 21:13   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-22 08:41   ---------   d-----w   c:\program files\Lx_cats
2009-01-27 20:32   ---------   d-----w   c:\program files\Sierra Wireless
2009-01-27 20:32   ---------   d-----w   c:\program files\Common Files\Research in Motion
2009-01-27 20:31   ---------   d-----w   c:\program files\Sprint
2009-01-27 20:31   ---------   d-----w   c:\program files\Novatel Wireless
2009-01-27 20:31   ---------   d-----w   c:\program files\Common Files\Motorola Shared
2009-01-27 20:31   ---------   d-----w   c:\documents and settings\All Users\Application Data\Sprint
2009-01-27 12:34   ---------   d-----w   c:\documents and settings\All Users\Application Data\WEBREG
2009-01-26 13:42   ---------   d-----w   c:\program files\Common Files\Hewlett-Packard
2009-01-26 13:34   ---------   d-----w   c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-26 03:46   ---------   d-----w   c:\program files\Java
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ituninst.bat -- Not a PE file.
MD5: 6a502b835ccba619be535c3dc42e5595


(((((((((((((((((((((((((((((   SnapShot@2009-03-08_20.32.29.42   )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 23:02:28   163,328   ----a-w   c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 03:02:28   163,328   ----a-w   c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 11:00:00   29,696   ----a-w   c:\windows\NIRCMD.exe
+ 2000-08-31 15:00:00   29,696   ----a-w   c:\windows\NIRCMD.exe
- 2000-08-31 11:00:00   161,792   ----a-w   c:\windows\SWREG.exe
+ 2000-08-31 15:00:00   161,792   ----a-w   c:\windows\SWREG.exe
- 2009-03-08 23:30:45   72,306   ----a-w   c:\windows\system32\perfc009.dat
+ 2009-03-10 19:49:54   71,904   ----a-w   c:\windows\system32\perfc009.dat
- 2009-03-08 23:30:46   444,596   ----a-w   c:\windows\system32\perfh009.dat
+ 2009-03-10 19:49:55   444,028   ----a-w   c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-08-30 286720]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-01-27 1381376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.XVID"= xvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\123CopyDVD Gold\\123CopyDVD.exe"=
"c:\\Program Files\\123CopyDVD Gold 2009\\123CopyDVD.exe"=
"c:\\Program Files\\123CopyDVD Gold 2009\\123Movies2Portable.exe"=
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.myspace.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-10 12:55:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?1?2?7??????? ?,?B?????????????hLC? ??????
  LXDCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-10 13:01:13 - machine was rebooted [Eva]
ComboFix-quarantined-files.txt  2009-03-10 20:01:11
ComboFix2.txt  2009-03-10 03:08:39
ComboFix3.txt  2009-03-08 23:33:17

Pre-Run: 36,498,960,384 bytes free
Post-Run: 36,482,756,608 bytes free

195   --- E O F ---   2009-03-08 22:12:56
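The Security Center and firewall values in the Reg Loading Points section above are the kind of settings a malware-removal helper checks, since they suppress the alerts a user would otherwise get when protection is off. As an added example that is not part of this thread or of ComboFix, here is a small Python checker that parses that REGEDIT4-style section and flags those values; the sample log text is constructed from the lines posted above, and the keys are matched as ComboFix prints them (including its `HKLM\~` shorthand).

```python
import re

# Constructed sample: the Security Center and firewall part of the ComboFix
# "Reg Loading Points" section posted above.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

SC = "hklm\\software\\microsoft\\security center"
FW = "hklm\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
# (registry key, value name, value that indicates tampering, finding text)
CHECKS = [
    (SC, "antivirusdisablenotify", 1, "Security Center antivirus alerts suppressed"),
    (SC, "updatesdisablenotify", 1, "Security Center Automatic Updates alerts suppressed"),
    (SC, "firewalloverride", 1, "Security Center firewall status overridden"),
    (SC + "\\monitoring", "disablemonitoring", 1, "Security Center monitoring disabled"),
    (FW, "enablefirewall", 0, "Windows Firewall off for the standard profile"),
]

def parse_reg_points(text):
    """Map (key, value name), both lower-cased, to the raw value text."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            # Fold the long hive name to the HKLM shorthand ComboFix also uses
            current = m.group(1).lower().replace("hkey_local_machine\\", "hklm\\")
        elif (m := VALUE_RE.match(line)) and current:
            entries[(current, m.group(1).lower())] = m.group(2).strip()
    return entries

def parse_dword(raw):
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' form to an int, else None."""
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None

def audit(text):
    """Return one finding per tampering indicator present in the log text."""
    entries = parse_reg_points(text)
    return [f"{msg} ({name}={entries[(key, name)]})" for key, name, bad, msg in CHECKS
            if (key, name) in entries and parse_dword(entries[(key, name)]) == bad]
```

Running `audit(SAMPLE_LOG)` on the posted values returns five findings; a log with these values absent or set to their defaults returns an empty list.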

*

Offline 1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: "Attention 1972vet"
« Reply #44 on: March 10, 2009, 06:32:49 AM »
OK, thanks. That log, by the way, shows that it's from the third run of ComboFix. How did the previous one go for you?

Did you create this batch file?:
C:\ituninst.bat

How's the system running for you now?