Help

Post by meals1313 » February 6th, 2009, 6:03 pm

ComboFix 09-02-06.01 - Owner 2009-02-06 16:49:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.576 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFixnew.exe
AV: PC Tools AntiVirus 5.0.1.1 *On-access scanning disabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\SpamBlocker
c:\documents and settings\Owner\Application Data\SpamBlockerUtility_Icons
c:\documents and settings\Owner\Application Data\SpamBlockerUtility_Icons\RegistryDefender_2.ico
c:\documents and settings\Owner\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
c:\documents and settings\Owner\Application Data\SpamBlockerUtility_Icons\wallpapere1.ico
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\index.dat
c:\windows\lsass32.exe
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\FTPx.dll
c:\windows\system32\MabryObj.dll
c:\windows\system32\SOCKETX.DLL
c:\windows\system32\SOCKETX.OCX
c:\windows\winlogin.exe
C:\x.exe
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-02-06 15:05 . 2009-02-06 16:29 <DIR> d-------- c:\program files\PC Tools AntiVirus
2009-02-06 15:05 . 2009-02-06 15:05 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-02-06 15:05 . 2009-02-06 15:05 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Tools
2009-02-06 15:05 . 2009-02-06 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-02-06 15:05 . 2007-12-06 16:51 28,568 --a------ c:\windows\system32\drivers\AVHook.sys
2009-02-06 15:05 . 2007-12-06 16:51 21,912 --a------ c:\windows\system32\drivers\AVRec.sys
2009-02-06 15:05 . 2008-02-12 11:44 21,904 --a------ c:\windows\system32\drivers\AVFilter.sys
2009-02-06 14:50 . 2009-02-06 14:50 <DIR> d-------- c:\program files\RegCure
2009-02-06 09:23 . 2009-02-06 09:23 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-04 18:53 . 2009-02-06 16:43 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-04 18:49 . 2009-02-04 18:49 214,082 --a------ C:\isimer.exe
2009-02-04 18:43 . 2009-02-04 18:43 106,496 -r-hs---- c:\windows\windbg32.exe
2009-02-04 18:43 . 2009-02-04 18:43 106,496 --a------ C:\mrsmsn.exe
2009-02-04 18:25 . 2009-02-04 18:25 2,367,545 --a------ C:\ez.exe
2009-02-04 18:20 . 2009-02-04 18:20 94,208 --a------ C:\atjkhwe32.exe
2009-01-31 19:04 . 2009-01-31 19:56 94,208 --a------ C:\winsys.exe
2009-01-31 19:04 . 2009-01-31 19:04 94,208 -r-hs---- c:\windows\winbsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-06 12:19 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-06 12:19 --------- d-----w c:\documents and settings\Owner\Application Data\Symantec
2009-02-06 12:19 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-05 01:20 --------- d-----w c:\program files\Symantec
2009-01-29 23:46 --------- d-----w c:\program files\Lx_cats
2009-01-22 17:47 1,690 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2008-12-24 21:39 --------- d-----w c:\program files\Google
2008-12-24 21:20 135,168 --sh--r c:\windows\winmsvc.exe
2008-12-20 12:51 131,072 --sh--r c:\windows\winhsvc.exe
2008-12-15 01:41 131,072 --sh--r c:\windows\winsvc32.exe
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-09 06:49 --------- d-----w c:\program files\LimeWire
2008-12-08 15:37 --------- d-----w c:\program files\Azureus
2008-12-08 15:36 --------- d-----w c:\documents and settings\Owner\Application Data\Azureus
2008-11-18 20:34 64,562 --sh--r c:\windows\sqlhostt32.exe
2006-04-04 18:48 5,285,707 ----a-w c:\program files\win2k_xp1420.exe
2008-04-14 00:12 214,082 --sh--r c:\windows\system32\svcghosts.exe
2008-09-12 09:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091220080913\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{EEE6C35D-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll" [2008-07-06 173368]

[HKEY_CLASSES_ROOT\clsid\{eee6c35d-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35F-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SweetIM_URLSearchHook.ToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-07-06 11:44 1164600 --a------ c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EEE6C35B-6118-11DC-9C72-001320C79847}"= "c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll" [2008-07-06 1164600]

[HKEY_CLASSES_ROOT\clsid\{eee6c35b-6118-11dc-9c72-001320c79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE.3]
[HKEY_CLASSES_ROOT\TypeLib\{EEE6C35E-6118-11DC-9C72-001320C79847}]
[HKEY_CLASSES_ROOT\SWEETIE.SWEETIE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-06 68856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"Mixersel"="d:\i386\Apps\App31030\config\mixersel.exe" [2003-11-10 369664]
"LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-01-10 69632]
"lxccmon.exe"="c:\program files\Lexmark 3300 Series\lxccmon.exe" [2005-02-21 192512]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-01-19 299008]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2008-07-06 111928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-12-04 1370000]
"CHotkey"="zHotkey.exe" [2004-05-17 c:\windows\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-25 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-07-25 c:\windows\ALCWZRD.EXE]
"sqlhostt32bit"="sqlhostt32.exe" [2008-11-18 c:\windows\sqlhostt32.exe]
"winsvc32"="winsvc32.exe" [2008-12-14 c:\windows\winsvc32.exe]
"winhsvc"="winhsvc.exe" [2008-12-20 c:\windows\winhsvc.exe]
"winmsvc"="winmsvc.exe" [2008-12-24 c:\windows\winmsvc.exe]
"winbsvc"="winbsvc.exe" [2009-01-31 c:\windows\winbsvc.exe]
"windbgservice"="windbg32.exe" [2009-02-04 c:\windows\windbg32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"<NO NAME>"="svcghosts.exe" [2008-04-13 c:\windows\system32\svcghosts.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\minimavis.exe [2006-10-28 2392064]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\msagent\\i386\\svchost.exe"=
"c:\\WINDOWS\\system32\\IME\\MSINTLGNT\\msall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6667:TCP"= 6667:TCP:msiexec

R2 General-Systems;General-Systems;c:\windows\msagent\i386\Systems.exe [2009-02-04 167962]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-10 24652]
S2 msall.exe;msall.exe;c:\windows\system32\IME\MSINTLGNT\Service.exe [2009-02-04 557056]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]

2009-02-06 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 12:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Yahoo! Pager - ~c:\program files\Yahoo!\Messenger\YahooMessenger.exe
HKLM-Run-sqlhosts32bit - sqlhosts32.exe
HKLM-Run-winlogin - winlogin.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?.home=msgr
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?.home=msgr
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
IE: &Viewpoint Search - c:\program files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} - hxxps://actsvr.comcastonline.com/techto ... ntrols.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-06 16:51:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(824)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2009-02-06 16:52:54
ComboFix-quarantined-files.txt 2009-02-06 21:52:34

Pre-Run: 154,006,134,784 bytes free
Post-Run: 154,934,431,744 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

218 --- E O F --- 2009-01-15 12:47:45
meals1313
Active Member
 
Posts: 10
Joined: February 6th, 2009, 6:00 pm

Re: Help

Post by NonSuch » February 8th, 2009, 1:30 am

In order for us to help you it is necessary that you provide us with a HijackThis log. Please follow the guideline at the link below to start a new topic and post your HijackThis log.

ComboFix is not a tool that should be used without the direct supervision of a qualified Helper. Do not run further scans on your own. To do so is to risk damaging your system.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here: Guideline for posting your HijackThis log
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

