
Good stuff!! Your logs are clean, if there are no more issues you should be good to go

Kindly follow these simple steps in order to keep your computer clean and secure:


  1. UNINSTALL COMBOFIX
    This process will also perform some final cleanup steps
    Click Start > Run and type ComboFix /u


  2. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  4. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  5. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  6. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, just as you would with antivirus software, in conjunction with Spybot. A tutorial on installing & using this product can be found here.

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  • Google Toolbar - Get the free Google toolbar to help stop pop-up windows.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

If there are no more issues please mark this thread as resolved.


The POS files are back. I'm posting a log of HijackThis and ComboFix.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:47, on 2008-03-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\V2FsdGVyIEJyYWluZXJk\command.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1124400053\ee\aolsoftware.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\PROGRA~1\COMMON~1\WNSXS~1\userinit.exe
C:\Program Files\Web Buying\v1.8.8\webbuying.exe
C:\Documents and Settings\Joe\My Documents\??mbols\dllhost.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\NoDNS\NoDNS.exe
C:\Documents and Settings\Joe\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Joe\Application Data\Microsoft\Windows\rayiou.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Joe\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ICQ Messenger] ICQLite.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [BM333da36a] Rundll32.exe "C:\WINDOWS\system32\nksmnvhi.dll",s
O4 - HKLM\..\RunServices: [ICQ Messenger] ICQLite.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\COMMON~1\WNSXS~1\userinit.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Joewvshg] "C:\Documents and Settings\Joe\My Documents\??mbols\dllhost.exe"
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Joe\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Joe\Application Data\Microsoft\Windows\rayiou.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {210D0CBC-8B17-48D1-B294-1A338DD2EB3A} (VatCtrl Class) - http://24.123.151.50:8081/VatDec.cab
O16 - DPF: {226ACC34-3194-40E2-9AE8-834FCFE9E80D} (CPlayFirstmsiControl Object) - http://aolsvc.aol.com/onlinegames/free-trial-mystery-of-shark-island/MysteryOfSharkIslandWeb.1.0.0.8.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures05.aim.com/ygp/aol/plugin/upf/AOLUPF.en-US-AIM.9.5.1.8.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\V2FsdGVyIEJyYWluZXJk\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://www.thefirst4.com/images/algonquin_cup.jpg

--
End of file - 8474 bytes
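As an added example (not part of the thread, and not code from the HijackThis or ComboFix authors), here is a small Python triage script for the O4 Run-key and O23 service lines of a log like the one above. It flags the kinds of entries a helper looks at first: bare filenames with no directory (the same entry catchme marks with a "?"), programs starting from a user profile, executables sitting directly under C:\WINDOWS, services with an unknown owner, and directory names that are long base64 strings (the V2FsdGVyIEJyYWluZXJk folder in the log decodes to readable text). The sample lines are trimmed copies of lines from the log above; the heuristics and their names are my own.

```python
import base64
import binascii
import re

# Trimmed copies of lines from the HijackThis log above (the long argument
# after mrofinu572.exe is dropped); used here as sample input.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [ICQ Messenger] ICQLite.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Joe\Application Data\Microsoft\Windows\rayiou.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\V2FsdGVyIEJyYWluZXJk\command.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Line shapes for the two HijackThis entry types handled here.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
# The executable is either quoted or runs up to the first ".exe".
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
B64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def looks_base64(component):
    """True if a path component is long base64 that decodes to printable text."""
    if not B64_RE.match(component):
        return False
    try:
        raw = base64.b64decode(component, validate=True)
    except binascii.Error:
        return False
    return len(raw) > 0 and all(32 <= b < 127 for b in raw)


def extract_path(command):
    """Pull the executable path out of a Run-key command line."""
    m = EXE_RE.match(command.strip())
    return m.group('path') if m else command.strip()


def reasons_for(path, owner=None):
    """Heuristic review reasons for one autostart path (not proof of malice)."""
    low = path.lower()
    reasons = []
    if owner is not None and owner.lower() == 'unknown owner':
        reasons.append('service with unknown owner')
    if '\\' not in low:
        reasons.append('bare filename, no directory')
    if '\\documents and settings\\' in low:
        reasons.append('runs from a user profile')
    if re.match(r'^c:\\windows\\[^\\]+\.exe$', low):
        reasons.append('executable directly under C:\\WINDOWS')
    # Only directory components are tested, never the file name itself.
    if any(looks_base64(part) for part in path.split('\\')[:-1]):
        reasons.append('base64-looking directory name')
    return reasons


def triage(log_text):
    """Return (entry name, path, reasons) for each O4/O23 entry that trips a heuristic."""
    flagged = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = extract_path(m.group('cmd'))
            reasons = reasons_for(path)
            if reasons:
                flagged.append((m.group('name'), path, reasons))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = reasons_for(m.group('path'), m.group('owner'))
            if reasons:
                flagged.append((m.group('name'), m.group('path'), reasons))
    return flagged


if __name__ == '__main__':
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f'{name}: {path}\n    ' + '; '.join(reasons))
```

On the sample, the Windows Defender, IPHSend and iPod Service entries pass cleanly and the other four are listed for review. A flag is only a reason to look closer: wanmpsvc.exe in the log also sits directly under C:\WINDOWS and is a legitimate AOL component, which is why the output is review candidates rather than a verdict.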


At the moment my computer won't even let me run ComboFix, just HijackThis, so what I have posted is at the moment all I can do.

Also, can you tell me what is bringing this back? I hardly use the computer, only to look up guitar tabs and check my e-mail. My son uses it a lot more; is there something he is doing?


ComboFix 08-03-05.1 - Joe 2008-03-03 20:25:24.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.469 [GMT -5:00]
Running from: C:\Documents and Settings\Joe\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Joe\Application Data\WinTouch
C:\Documents and Settings\Joe\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Joe\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Joe\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Joe\My Documents\MBOLS~1
C:\Program Files\ComPlus Applications\hejuryv89104.dll
C:\Program Files\inetget2
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.8\wbuninst.exe
C:\Program Files\web buying\v1.8.8\webbuying.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\temp\tn3
C:\WINDOWS\BM333da36a.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\bmhwmak.dll
C:\WINDOWS\system32\c2
C:\WINDOWS\system32\c2\bexdrll32.exe
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\c4\np89104.exe
C:\WINDOWS\system32\drivers\wanatw44.sys
C:\WINDOWS\system32\eghgyolj.dll
C:\WINDOWS\system32\egrnimtk.dll
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\iDlo01\iDlo011065.exe
C:\WINDOWS\system32\jkkjjjk.dll
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\k8\ravecom3.exe
C:\WINDOWS\SYSTEM32\mpqss.ini
C:\WINDOWS\SYSTEM32\mpqss.ini2
C:\WINDOWS\system32\nksmnvhi.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\s7\gbsu011.exe
C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\tuvuusr.dll
C:\WINDOWS\system32\wcnanuan.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\x3
C:\WINDOWS\system32\x3\philcom3.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_WANATW44
-------\wanatw44


((((((((((((((((((((((((( Files Created from 2008-02-06 to 2008-03-06 )))))))))))))))))))))))))))))))
.

2008-03-04 16:32 . 2008-03-04 14:32 105,984 --a------ C:\WINDOWS\b152.exe
2008-03-03 20:04 . 2004-08-04 02:56 388,608 --a------ C:\CF25565.exe
2008-03-03 19:04 . 2008-03-03 20:25 20,732 ---hs---- C:\WINDOWS\SYSTEM32\eghgyolj.dllbox
2008-03-03 18:57 . 2008-03-03 18:57 <DIR> d-------- C:\Program Files\nvcoi
2008-03-03 18:54 . 2008-03-03 18:54 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-03 18:53 . 2008-03-03 20:19 <DIR> d--hs---- C:\WINDOWS\V2FsdGVyIEJyYWluZXJk
2008-03-03 18:53 . 2008-03-03 19:56 687,592 --a------ C:\WINDOWS\SYSTEM32\atmtd.dll._
2008-03-03 18:53 . 2008-03-03 18:53 167,545 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\core.cache.dsk
2008-03-03 18:53 . 2008-03-03 18:53 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-03-03 18:53 . 2008-03-03 19:02 37,376 --a------ C:\WINDOWS\mrofinu572.exe
2008-03-03 18:53 . 2008-03-03 18:53 37,376 --a------ C:\WINDOWS\mrofinu1000106.exe
2008-03-02 11:26 . 2008-03-02 09:26 73,728 --a------ C:\WINDOWS\b153.exe
2008-03-01 20:22 . 2008-03-01 20:40 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\Aim
2008-03-01 20:21 . 2008-03-01 20:27 <DIR> d-------- C:\Program Files\Viewpoint
2008-03-01 20:21 . 2008-03-01 20:21 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-27 06:44 . 2008-03-01 20:42 <DIR> d-------- C:\Program Files\World of Warcraft
2008-02-25 10:00 . 2008-02-25 08:00 81,920 --a------ C:\WINDOWS\b154.exe
2008-02-23 20:12 . 2008-02-23 20:17 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-02-19 16:52 . 2008-02-19 16:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-02-19 16:52 . 2008-02-19 16:52 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-19 16:22 . 2007-12-06 21:21 6,066,176 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2008-02-19 16:22 . 2007-06-30 22:31 2,455,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dat
2008-02-19 16:22 . 2007-06-30 22:36 991,232 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll.mui
2008-02-19 16:22 . 2007-12-06 21:21 459,264 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2008-02-19 16:22 . 2007-12-06 21:21 383,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2008-02-19 16:22 . 2007-12-06 21:21 267,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2008-02-19 16:22 . 2007-12-06 21:21 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2008-02-19 16:22 . 2007-12-06 21:21 52,224 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2008-02-19 16:22 . 2007-12-06 06:00 13,824 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2008-02-16 22:47 . 2008-02-16 22:47 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\ErrorKiller
2008-02-16 22:46 . 2008-02-16 22:51 <DIR> d-------- C:\Program Files\ErrorKiller
2008-02-11 19:17 . 2008-02-11 19:17 <DIR> d-------- C:\Documents and Settings\Joe\Application Data\acccore
2008-02-11 19:11 . 2008-02-11 19:12 <DIR> d-------- C:\Program Files\AIM6
2008-02-11 19:11 . 2008-02-11 19:14 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-02-11 18:30 . 2004-08-04 03:56 116,224 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwiadr.dll
2008-02-11 18:30 . 2001-08-17 22:37 99,865 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xlog.exe
2008-02-11 18:30 . 2001-08-17 22:37 27,648 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxftplt.exe
2008-02-11 18:30 . 2001-08-17 22:36 23,040 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxwbtmp.dll
2008-02-11 18:30 . 2001-08-17 22:36 17,408 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxscnui.dll
2008-02-11 18:30 . 2001-08-17 12:11 16,970 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xem336n5.sys
2008-02-11 18:30 . 2004-08-04 03:56 8,192 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\wshirda.dll
2008-02-11 18:30 . 2001-08-17 22:37 4,608 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\xrxflnch.exe
2008-02-11 18:28 . 2001-08-17 22:36 525,568 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\tridxp.dll
2008-02-11 18:27 . 2001-08-17 22:36 495,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\sblfx.dll
2008-02-11 18:26 . 2001-08-17 13:28 899,146 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\r2mdkxga.sys
2008-02-11 18:25 . 2001-08-17 14:05 351,616 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ovcodek2.sys
2008-02-11 18:24 . 2002-08-29 05:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\msir3jp.lex
2008-02-11 18:23 . 2002-08-29 05:00 1,158,818 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\korwbrkr.lex
2008-02-11 18:22 . 2002-08-29 05:00 471,102 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\imskdic.dll
2008-02-11 18:21 . 2002-08-29 05:00 13,463,552 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\hwxjpn.dll
2008-02-11 18:20 . 2001-08-17 14:56 1,733,120 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\g400d.dll
2008-02-11 18:19 . 2001-08-17 13:28 634,134 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\el656ct5.sys
2008-02-11 18:18 . 2001-08-17 12:20 334,208 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\ds1wdm.sys
2008-02-11 18:18 . 2004-08-04 01:58 207,360 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\dot4.sys
2008-02-11 18:18 . 2001-08-17 12:11 29,696 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\dm9pci5.sys
2008-02-11 18:18 . 2001-08-17 12:12 28,062 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\dp83820.sys
2008-02-11 18:18 . 2001-08-17 13:47 23,808 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\dot4usb.sys
2008-02-11 18:18 . 2004-08-04 03:56 20,992 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\dshowext.ax
2008-02-11 18:18 . 2001-08-17 13:47 12,928 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\dot4prt.sys
2008-02-11 18:18 . 2001-08-17 13:47 8,704 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\dot4scan.sys
2008-02-11 18:16 . 2002-08-29 05:00 1,677,824 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\chsbrkr.dll
2008-02-11 18:15 . 2001-08-17 13:28 871,388 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\bcmdm.sys
2008-02-11 18:14 . 2001-08-17 14:56 66,048 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\s3legacy.dll
2008-02-11 09:40 . 2008-02-11 09:40 2,715,648 --a------ C:\WINDOWS\SYSTEM32\OnlineScanner.ocx
2008-02-11 09:39 . 2008-02-11 09:39 253,952 --a------ C:\WINDOWS\SYSTEM32\OnlineScannerDLLA.dll
2008-02-11 09:39 . 2008-02-11 09:39 237,568 --a------ C:\WINDOWS\SYSTEM32\OnlineScannerDLLW.dll
2008-02-10 21:41 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\SYSTEM32\d3dx9_26.dll
2008-02-10 21:12 . 2008-03-05 20:37 22,775 --a--c--- C:\logfile
2008-02-10 21:02 . 2008-02-10 21:02 <DIR> d-------- C:\Program Files\Disney
2008-02-09 22:38 . 2008-02-09 22:38 <DIR> d-------- C:\Program Files\Windows Defender
2008-02-08 13:53 . 2008-02-08 13:53 110,592 --a------ C:\WINDOWS\SYSTEM32\OnlineScannerLang.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-04 00:03 10 ----a-w C:\Program Files\.autoreg
2008-03-02 01:40 --------- d-----w C:\Program Files\AIM
2008-03-02 01:21 --------- d-----w C:\Program Files\AOD
2008-02-27 11:48 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2008-02-23 16:59 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-23 16:59 --------- d-----w C:\Program Files\QuickTime
2008-02-23 16:59 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-02-23 16:59 --------- d-----w C:\Program Files\iTunes
2008-02-23 16:59 --------- d-----w C:\Program Files\Dell AIO Printer A920
2008-02-23 16:59 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-23 16:45 --------- d-----w C:\Program Files\Symantec
2008-02-12 00:12 --------- dc----w C:\Documents and Settings\All Users\Application Data\AOL
2008-02-12 00:06 --------- d-----w C:\Program Files\VideoLAN
2008-02-09 23:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-04 04:37 --------- d-----w C:\Program Files\WinSCP
2008-02-01 01:56 --------- d-----w C:\Documents and Settings\Joe\Application Data\AdobeUM
2008-01-27 05:31 --------- d-----w C:\Program Files\DivX
2008-01-24 12:49 224,256 ----a-w C:\WINDOWS\b116.exe
2008-01-20 15:56 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-20 15:55 --------- d-----w C:\Program Files\Real
2008-01-20 15:55 --------- d-----w C:\Program Files\Common Files\Real
2008-01-15 23:19 --------- d-----w C:\Documents and Settings\Joe\Application Data\vlc
2008-01-08 03:37 --------- d-----w C:\Documents and Settings\Joe\Application Data\Apple Computer
2008-01-08 03:26 --------- d-----w C:\Program Files\Google
2008-01-08 03:21 --------- d-----w C:\Program Files\iPod
2008-01-08 01:58 --------- d-----w C:\Program Files\Full Tilt Poker
2008-01-08 01:55 --------- d-----w C:\Program Files\AIM+
2008-01-08 01:42 --------- d-----w C:\Program Files\Apple Software Update
2008-01-08 01:17 --------- d-----w C:\Program Files\Analog Devices
2004-08-04 07:56 73,728 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\V2FsdGVyIEJyYWluZXJk\pZIPx3pVKHLVsq5RtrL4.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-03 18:57 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2008-01-11 22:25 110592]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-20 10:55 185896]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2008-01-11 22:25 204800]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-11 22:25 267048]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2008-01-11 22:25 124520]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2008-01-11 22:25 221184]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2008-01-11 22:25 217088]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-11 22:25 155648]
"ICQ Messenger"="ICQLite.exe" []
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-11 22:25 114688]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2008-01-11 22:25 28672]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2008-01-11 22:25 270336]
"BuildBU"="c:\dell\bldbubg.exe" [2008-01-10 20:25 61440]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-10 20:25 57344]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 20:26 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"ICQ Messenger"="ICQLite.exe" []

C:\Documents and Settings\Joe\Start Menu\Programs\Startup\
RABCO - Auto Update.lnk - C:\QooBox\Quarantine\C\Program Files\RABCO\RABCOse.exe.vir [2008-03-03 18:53:19 183216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-06-30 03:33:04 36953]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-06-21 22:56:14 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 Belkin700F;Belkin Wireless G Desktop Card Service v7;C:\WINDOWS\system32\DRIVERS\BLKWGDv7.sys [2006-10-19 04:44]
S2 DVC150;DVC 150B;C:\WINDOWS\system32\Drivers\dvc150b.sys [2003-11-04 15:56]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
Contents of the 'Scheduled Tasks' folder
"2008-02-26 04:30:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-01 18:16:00 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
- C:\WINDOWS\system32\rundll32.exelC:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.4.20.2.sxt _RegistrationOffer@16
"2008-03-03 08:30:00 C:\WINDOWS\Tasks\ErrorKiller Scheduled Scan.job"
- C:\Program Files\ErrorKiller\ErrorKiller.ex
- C:\Program Files\ErrorKiller
"2008-03-06 01:40:34 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-05 20:38:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
ICQ Messenger = ICQLite.exe?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1124400053\ee\aolsoftware.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-05 20:43:15 - machine was rebooted [Joe]
ComboFix-quarantined-files.txt 2008-03-06 01:43:11
ComboFix2.txt 2008-02-27 00:28:29
ComboFix3.txt 2008-02-24 01:00:51
ComboFix4.txt 2008-02-23 17:11:42
ComboFix5.txt 2008-02-21 15:13:41
.
2008-02-28 00:43:15 --- E O F ---

The POS files are gone after running ComboFix, but will they come back?


Hi Serakus



Also, can you tell me what is bringing this back? I hardly use the computer, only to look up guitar tabs and check my e-mail. My son uses it a lot more; is there something he is doing?


As far as I can tell it looks like new infections. Ask your son if he has downloaded/installed anything. Also ask what type of sites he has been browsing to.

----------------------------

From Control Panel > Add/Remove Programs, uninstall the following if they still exist:
Viewpoint
Viewpoint Manager
Viewpoint Media Player

----------------------------

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

If you're not sure how to disable them, then double-check against the list found >>>HERE<<<. This list is not all-inclusive; if your programs are not listed and you are unsure, then please ask before continuing.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINDOWS\b154.exe
C:\WINDOWS\b152.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\SYSTEM32\atmtd.dll._
C:\WINDOWS\SYSTEM32\eghgyolj.dllbox
C:\Documents and Settings\Joe\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
Folder::
C:\WINDOWS\V2FsdGVyIEJyYWluZXJk
C:\Program Files\nvcoi
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Viewpoint
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvcoi"=-
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]
"ImagePath"=-
Driver::
MSControlService
FileLook::
C:\CF25565.exe


Save this as CFScript.txt, in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

--------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.

* Download Host.zip to your desktop.
* From your Desktop right-click (hosts.zip) and select:
Extract All from the menu.
* Click Next, click Next, select the option:
"Show Extracted files", click Finish
* This will open the newly created hosts folder on your Desktop.
* Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.

--------------------------------------

Download SpywareBlaster 4.0
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

--------------------------------------

Post the new ComboFix.txt along with a new HijackThis log.

Attachments CFScript.gif 27.09 KB
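As an added example (not part of the thread and not code from the MVPS project), the Python below shows the mechanism the hosts-file advice above relies on: a parser that reads a hosts file the way a resolver would (one address followed by one or more names per line, `#` comments, names matched case-insensitively, first mapping for a name kept) and a check that reports whether a name is being blackholed to the local machine. The sample hosts content is constructed in the MVPS layout, not the real MVPS file. The parser also accepts `0.0.0.0`, which many block lists use instead of `127.0.0.1` so that a blocked name does not even trigger a connection attempt to the local host.

```python
import ipaddress

# Constructed sample in the MVPS hosts-file layout (not the real MVPS file).
SAMPLE_HOSTS = """\
# constructed sample: one address, then one or more host names per line
127.0.0.1 localhost
127.0.0.1 ads.example.net          # ad server, blackholed to the local machine
0.0.0.0   tracker.example.org
127.0.0.1 Banners.Example.COM  popups.example.com
not-an-ip broken.example.com       # malformed line, must be skipped
"""

# Addresses that make a name resolve to "nowhere useful".
BLACKHOLE_ADDRESSES = {'127.0.0.1', '0.0.0.0'}


def parse_hosts(text):
    """Return {hostname (lower-case): address} from hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            address = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                            # malformed address, skip the line
        for host in parts[1:]:
            # Host names are case-insensitive; keep the first mapping seen.
            mapping.setdefault(host.lower(), str(address))
    return mapping


def is_blackholed(mapping, hostname):
    """True if the hosts file sends this name to the local machine."""
    key = hostname.lower().rstrip('.')         # tolerate a trailing dot
    return mapping.get(key) in BLACKHOLE_ADDRESSES


def blocked_names(mapping):
    """Names blackholed by the file, excluding the standard localhost entry."""
    return sorted(h for h, a in mapping.items()
                  if a in BLACKHOLE_ADDRESSES and h != 'localhost')


if __name__ == '__main__':
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ('ads.example.net', 'www.example.com', 'POPUPS.example.com'):
        print(f'{name}: {"blocked" if is_blackholed(hosts, name) else "not in file"}')
    print('blocked names:', blocked_names(hosts))
```

Two caveats the parser makes visible: a hosts file only affects names it lists exactly (no wildcards, so `www.ads.example.net` is not covered by an `ads.example.net` line), and a malformed line is silently ignored rather than protecting anything, which is why the renaming of the old file to HOSTS.MVP in the steps above matters: you can diff the two if something stops resolving.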