"Attention 1972vet"

GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #45 on: March 10, 2009, 09:58:00 AM »
Yes, it is the third run. I had run ComboFix without the CFScript on accident when I was in safe mode. I should be able to post it if you like; I think I know where it is.

No, I did not create the batch file C:\ituninst.bat. I'm not even sure my friend did.

The system appears to be running really well. I had figured that from the last logs I posted you would be telling me I'm all good.

1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: "Attention 1972vet"
« Reply #46 on: March 10, 2009, 10:29:42 AM »
Yes I'd like to see the log from the second combofix run...also, locate and delete this file:
C:\ituninst.bat
Disabled Veteran
U.S.C.G. 1972 - 1978
Membership: U.N.I.T.E., A.S.A.P.

2009-13

Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #47 on: March 10, 2009, 01:06:57 PM »
ComboFix 09-03-06.02 - Administrator 2009-03-09 20:01:02.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.807 [GMT -7:00]
Running from: c:\documents and settings\Eva\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
.

(((((((((((((((((((((((((   Files Created from 2009-02-10 to 2009-03-10  )))))))))))))))))))))))))))))))
.

2009-03-09 13:50 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 13:50 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-03-09 10:39 . 2009-03-09 10:39   <DIR>   d--------   c:\program files\Avira
2009-03-09 10:39 . 2009-03-09 10:39   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Avira
2009-03-09 08:49 . 2009-03-09 08:49   <DIR>   d--------   c:\documents and settings\Eva\Application Data\Malwarebytes
2009-03-08 19:53 . 2009-03-08 19:53   <DIR>   d--------   c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-08 15:26 . 2009-03-09 18:30   <DIR>   d--------   c:\documents and settings\Eva\Application Data\HPAppData
2009-03-08 15:15 . 2005-04-10 03:06   <DIR>   d--------   c:\documents and settings\Eva\Application Data\Apple Computer
2009-03-08 15:15 . 2009-03-08 15:15   <DIR>   d--------   c:\documents and settings\Eva
2009-03-08 10:21 . 2009-01-09 12:19   1,089,593   ---------   c:\windows\system32\dllcache\ntprint.cat
2009-03-08 06:25 . 2005-04-10 03:15   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Symantec
2009-03-08 06:25 . 2005-04-10 03:06   <DIR>   d--------   c:\documents and settings\Administrator\Application Data\Apple Computer
2009-03-08 06:25 . 2009-03-08 06:25   <DIR>   d--------   c:\documents and settings\Administrator
2009-03-08 05:49 . 2009-03-08 05:49   <DIR>   d--------   c:\windows\system32\XPSViewer
2009-03-08 05:49 . 2009-03-08 05:49   <DIR>   d--------   c:\program files\Reference Assemblies
2009-03-08 05:48 . 2009-03-08 05:49   <DIR>   d--------   C:\b384df9af8b5ebf79356c52d
2009-03-08 05:48 . 2008-07-06 05:06   1,676,288   ---------   c:\windows\system32\xpssvcs.dll
2009-03-08 05:48 . 2008-07-06 05:06   1,676,288   ---------   c:\windows\system32\dllcache\xpssvcs.dll
2009-03-08 05:48 . 2008-07-06 03:50   597,504   ---------   c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-08 05:48 . 2008-07-06 05:06   575,488   ---------   c:\windows\system32\xpsshhdr.dll
2009-03-08 05:48 . 2008-07-06 05:06   575,488   ---------   c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-08 05:48 . 2008-07-06 05:06   117,760   ---------   c:\windows\system32\prntvpt.dll
2009-03-08 05:48 . 2008-07-06 05:06   89,088   ---------   c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-07 22:44 . 2009-03-07 22:44   <DIR>   d--------   c:\windows\system32\scripting
2009-03-07 22:44 . 2009-03-07 22:44   <DIR>   d--------   c:\windows\system32\en
2009-03-07 22:44 . 2009-03-07 22:44   <DIR>   d--------   c:\windows\system32\bits
2009-03-07 22:44 . 2009-03-07 22:44   <DIR>   d--------   c:\windows\l2schemas
2009-03-07 22:41 . 2009-03-07 22:41   <DIR>   d--------   c:\windows\ServicePackFiles
2009-03-07 22:34 . 2009-03-07 22:34   <DIR>   d--------   c:\windows\EHome
2009-03-07 20:44 . 2009-03-07 20:44   324   --a------   C:\ituninst.bat
2009-03-07 16:54 . 2009-03-09 13:50   <DIR>   d--------   C:\Malwarebytes' Anti-Malware
2009-03-07 16:54 . 2009-03-07 16:54   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-07 16:23 . 2009-03-07 16:23   <DIR>   d--------   c:\program files\Trend Micro
2009-03-03 18:59 . 2009-03-07 21:45   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-03 18:06 . 2009-03-03 18:06   <DIR>   d--------   c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 17:53 . 2009-03-09 17:20   54,156   --ah-----   c:\windows\QTFont.qfn
2009-03-03 17:53 . 2009-03-03 17:53   1,409   --a------   c:\windows\QTFont.for
2009-03-03 17:13 . 2009-03-02 16:54   2,876,720   --a------   C:\mbam-setup.exe
2009-03-02 19:17 . 2008-04-13 17:12   1,737,856   ---------   c:\windows\system32\mtxparhd.dll
2009-03-02 19:16 . 2008-04-13 17:11   1,888,992   ---------   c:\windows\system32\ati3duag.dll
2009-02-26 14:06 . 2009-02-26 14:06   <DIR>   d--------   c:\documents and settings\Guest\Application Data\Sprint
2009-02-26 13:04 . 2009-02-26 13:04   <DIR>   d--------   c:\documents and settings\Guest\Application Data\Walgreens
2009-02-23 14:11 . 2009-02-26 14:47   <DIR>   d--------   c:\documents and settings\Guest\Application Data\HPAppData

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-08 22:20   ---------   d-----w   c:\program files\GetRight
2009-03-08 12:49   ---------   d-----w   c:\program files\MSBuild
2009-03-08 05:09   ---------   d-----w   c:\program files\Hp
2009-03-08 05:08   ---------   d-----w   c:\program files\Google
2009-03-08 05:08   ---------   d-----w   c:\program files\DivX
2009-03-08 05:03   ---------   d-----w   c:\program files\HPQ
2009-03-08 05:02   ---------   d-----w   c:\program files\Common Files\Sonic Shared
2009-03-08 05:00   ---------   d-----w   c:\program files\Common Files\InstallShield
2009-03-08 04:53   ---------   d-----w   c:\program files\MUSICMATCH
2009-03-08 04:51   ---------   d-----w   c:\program files\MySpace
2009-03-08 04:42   ---------   d-----w   c:\program files\Verizon Games on Demand Player
2009-03-08 04:40   ---------   d-----w   c:\program files\Common Files\Motive
2009-03-08 04:37   ---------   d-----w   c:\documents and settings\All Users\Application Data\yahoo!
2009-03-08 04:30   ---------   d-----w   c:\program files\Yahoo!
2009-03-08 04:27   ---------   d-----w   c:\program files\YPOPs
2009-03-08 04:00   ---------   d-----w   c:\documents and settings\All Users\Application Data\HP
2009-03-08 03:43   ---------   d-----w   c:\program files\iDump
2009-03-08 03:42   ---------   d-----w   c:\program files\Easy Internet signup
2009-03-08 03:39   ---------   d-----w   c:\program files\ClubUBT
2009-03-08 03:36   ---------   d-----w   c:\program files\Apple Software Update
2009-03-04 00:59   ---------   d-----w   c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-28 17:22   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-02-25 14:53   ---------   d-----w   c:\program files\Microsoft Money 2005
2009-02-23 21:13   ---------   d-----w   c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-22 08:41   ---------   d-----w   c:\program files\Lx_cats
2009-01-27 20:32   ---------   d-----w   c:\program files\Sierra Wireless
2009-01-27 20:32   ---------   d-----w   c:\program files\Common Files\Research in Motion
2009-01-27 20:31   ---------   d-----w   c:\program files\Sprint
2009-01-27 20:31   ---------   d-----w   c:\program files\Novatel Wireless
2009-01-27 20:31   ---------   d-----w   c:\program files\Common Files\Motorola Shared
2009-01-27 20:31   ---------   d-----w   c:\documents and settings\All Users\Application Data\Sprint
2009-01-27 12:34   ---------   d-----w   c:\documents and settings\All Users\Application Data\WEBREG
2009-01-26 13:42   ---------   d-----w   c:\program files\Common Files\Hewlett-Packard
2009-01-26 13:34   ---------   d-----w   c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-26 03:46   410,984   ----a-w   c:\windows\system32\deploytk.dll
2009-01-26 03:46   ---------   d-----w   c:\program files\Java
2009-01-17 01:35   3,594,752   ------w   c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10   70,656   ------w   c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10   13,824   ------w   c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25   634,024   ------w   c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23   161,792   ------w   c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57   333,952   ------w   c:\windows\system32\dllcache\srv.sys
.

(((((((((((((((((((((((((((((   SnapShot@2009-03-08_20.32.29.42   )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 23:02:28   163,328   ----a-w   c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 03:02:28   163,328   ----a-w   c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2000-08-31 11:00:00   29,696   ----a-w   c:\windows\NIRCMD.exe
+ 2000-08-31 15:00:00   29,696   ----a-w   c:\windows\NIRCMD.exe
- 2000-08-31 11:00:00   161,792   ----a-w   c:\windows\SWREG.exe
+ 2000-08-31 15:00:00   161,792   ----a-w   c:\windows\SWREG.exe
- 2009-03-08 23:30:45   72,306   ----a-w   c:\windows\system32\perfc009.dat
+ 2009-03-10 02:54:03   71,904   ----a-w   c:\windows\system32\perfc009.dat
- 2009-03-08 23:30:46   444,596   ----a-w   c:\windows\system32\perfh009.dat
+ 2009-03-10 02:54:04   444,028   ----a-w   c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"SNPSTD2"="c:\windows\vsnpstd2.exe" [2004-08-30 286720]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-01-27 1381376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"lxdcamon"="c:\program files\Lexmark 1300 Series\lxdcamon.exe" [2007-02-05 20480]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-01-31 385024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-10-15 17664]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.XVID"= xvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\123CopyDVD Gold\\123CopyDVD.exe"=
"c:\\Program Files\\123CopyDVD Gold 2009\\123CopyDVD.exe"=
"c:\\Program Files\\123CopyDVD Gold 2009\\123Movies2Portable.exe"=
"c:\\Program Files\\Sprint\\Sprint SmartView\\SwiApiMux.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

S2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [2006-10-19 10664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-03-09 38496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.myspace.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-09 20:05:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????????P??|?`???? ?,?B?????????????hLC? ??????
  LXDCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-09 20:08:38
ComboFix-quarantined-files.txt  2009-03-10 03:08:21
ComboFix2.txt  2009-03-08 23:33:17

Pre-Run: 36,077,723,648 bytes free
Post-Run: 36,108,435,456 bytes free

195   --- E O F ---   2009-03-08 22:12:56
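
A helper reads a log like the one above by eye. As an added example (not part of this thread and not code from ComboFix), here is a small Python triage script that pulls out the two points worth flagging in it: the Security Center and Windows Firewall values that are set so warnings stay hidden, and executables created directly in a drive root, which is where C:\ituninst.bat appeared. The sample input is an excerpt of the log posted above; the check table and the "root executable" heuristic are my own assumptions, not ComboFix rules.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the ComboFix log posted above ("Files Created" and
# "Reg Loading Points" sections), embedded as constructed sample input.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2009-02-10 to 2009-03-10  )))))))))))))))))))))))))))))))
.
2009-03-09 13:50 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 10:39 . 2009-03-09 10:39   <DIR>   d--------   c:\program files\Avira
2009-03-07 20:44 . 2009-03-07 20:44   324   --a------   C:\ituninst.bat
2009-03-03 17:13 . 2009-03-02 16:54   2,876,720   --a------   C:\mbam-setup.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VAL = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# created . modified   size|<DIR>   attrs   path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
    r"\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$"
)
# Heuristic (assumption): an executable directly in a drive root, e.g.
# C:\foo.bat, is unusual for installed software and worth a look.
ROOT_EXEC = re.compile(r"^[a-z]:\\[^\\]+\.(bat|cmd|exe|com|scr|pif|vbs|js)$", re.I)

SC_KEY = r"hkey_local_machine\software\microsoft\security center"
FW_KEY = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"

# (registry key, value name, value meaning "warnings hidden", finding text)
CHECKS: List[Tuple[str, str, int, str]] = [
    (SC_KEY, "AntiVirusDisableNotify", 1, "Security Center: antivirus alerts suppressed"),
    (SC_KEY, "UpdatesDisableNotify", 1, "Security Center: update alerts suppressed"),
    (SC_KEY, "FirewallOverride", 1, "Security Center: firewall status overridden"),
    (SC_KEY + r"\monitoring", "DisableMonitoring", 1, "Security Center: monitoring disabled"),
    (FW_KEY, "EnableFirewall", 0, "Windows Firewall disabled (standard profile)"),
]


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4-style [key] / "name"=value lines into {key: {name: value}}.
    Keys are lower-cased because ComboFix prints them in mixed case."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = REG_VAL.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def reg_number(value: str):
    """'dword:00000001' -> 1, '0 (0x0)' -> 0, anything else -> None."""
    m = re.match(r"dword:([0-9a-f]+)$", value, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def security_findings(text: str) -> List[str]:
    """Security Center / firewall values set so the user sees no warnings."""
    reg = parse_reg(text)
    findings = []
    for key, name, bad, message in CHECKS:
        value = reg.get(key, {}).get(name)
        if value is not None and reg_number(value) == bad:
            findings.append(message)
    return findings


def root_executables(text: str) -> List[Tuple[str, str, str]]:
    """(created, path, size) for executables created directly in a drive root."""
    hits = []
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if m and ROOT_EXEC.match(m.group(4)):
            created, size, _attrs, path = m.groups()
            hits.append((created, path, size))
    return hits


def triage(text: str) -> Dict[str, list]:
    return {"registry": security_findings(text), "files": root_executables(text)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

The hits are leads for a person, not verdicts: C:\mbam-setup.exe is the Malwarebytes installer the helper asked for, so only C:\ituninst.bat is left unexplained, which is exactly the question the thread ends on. The registry findings report what the log shows; the log does not say whether malware or the user set those values.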

GRINGOYLE

  • Bronze Member
  • 49
Re: "Attention 1972vet"
« Reply #48 on: March 10, 2009, 01:10:39 PM »
Also deleted C:\ituninst.bat from the C: drive, but hoped you could tell me if there is anywhere else it needs to be deleted from, because I only saw that one file for it.

1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: "Attention 1972vet"
« Reply #49 on: March 10, 2009, 03:27:49 PM »
The file "ituninst.bat" showed up in the combofix log in only one location...that would be the file you already deleted.
Those logs look clean. Congratulations!

Click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /u

Performing this function will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again for you automatically.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?
  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.
Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:
Kerio Personal Firewall
Zone Alarm
Outpost Free
Comodo (beware of the "Ask" toolbar that's now included; if you don't want it, remove the check from the box during installation)

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. I recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Become familiar with the MalwareBytes anti-malware application. Use it often especially if you begin to notice the system performance behavior is not what it should be. Learn more about the program Here where you can also request assistance if you have some concerns about the programs findings.
***Note***
The licensed version provides real time protection and other automatic features otherwise not available.


Comodo's BOClean utility is another very good "Free" malware cleaner that runs in the background to help prevent malware intrusions.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation. If you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup, or else just download the Slim version (no toolbar; third download link at the bottom of that page).

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:
Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?
Regards, and Happy Surfing!

1972vet

  • Microsoft® MVP
  • Malware Removal Staff
  • Diamond Member
  • 8290
  • Patience is bitter indeed, but its fruit is sweet.
Re: "Attention 1972vet"
« Reply #50 on: March 10, 2009, 03:36:23 PM »
This issue appears resolved and the thread is closed to prevent others from posting here.

Other members who need assistance please start your own topic
in a new thread. Thanks!


The fixes and advice in this thread are for
this machine only. Do not apply the instructions from this thread to
your own machine. Please start a new thread describing your issue
and someone will be along to assist you.