
Long story short:
I cannot connect to Microsoft or other antivirus/spyware sites. All other sites are OK, it seems.
I visited a site that was under attack and opened a podcast, and my computer locked up; after a restart it would not work, pretty much just a black screen.
I replaced the hard drive and loaded the original OS, drivers, etc. from the original discs, then installed the Windows XP upgrade.

I am able to connect to Microsoft after following these steps, as previously instructed:

1. Click Start > Run.
2. In the Run box, type the following: cmd
3. Click OK.
4. Type the following and then press Enter. cd..
5. Repeat the previous step until you get to the root level, or C:\>. Note that if your root drive is not C, the letter will be different.
6. At C:\> type the following: net stop dnscache
7. Press Enter. This disables the domain blocking feature of Conficker and you should now be able to reach security Web sites.

Another symptom: to update from Microsoft it is also necessary to run "services.msc" and restart "Automatic Updates" and "Background Intelligent Transfer Service".

I ran the Microsoft Security Essentials program and it removed worm Conficker, so it said...... (problem still occurs).
I ran Malwarebytes and it found nothing (log below).

Malwarebytes' Anti-Malware 1.41
Database version: 3129
Windows 5.1.2600 Service Pack 3

11/8/2009 11:57:55 AM
mbam-log-2009-11-08 (11-57-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 128135
Time elapsed: 27 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Then I ran Windows Live OneCare Safety Scanner and the Malicious Software Removal Tool.

I still have to bypass the DNS and restart Auto Update and BITS.

If I run "regedit", in every folder there is a file named "default" with no value data 0000. Is this normal?

Thanks again for any help,
NW
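The services NW had to restart by hand (Automatic Updates and BITS) are among those Conficker is known to switch off, together with Windows Defender, Error Reporting and Security Center. Restarting one of them from services.msc does nothing if the worm has set its startup type to Disabled; the start type has to be reset first. The script below is an added example, not something posted in this thread: it parses the text that `sc query` and `sc qc` print (a constructed sample is embedded so it runs offline), reports which watched services are stopped or disabled, and emits the `sc config` / `net start` commands that recover them. The expected startup types in WATCHED are assumed from a stock XP SP3 install. It does not replace the `net stop dnscache` step from the post; that addresses the DNS blocking, not the disabled services.

```python
"""Check the Windows services Conficker is known to switch off and produce the
commands that bring them back.  Operates on captured `sc query` / `sc qc` text so
it can be exercised offline; check_live() runs sc for real on a Windows host."""
import subprocess

# Service name -> startup type on a stock XP SP3 install (assumed values).
WATCHED = {
    "wuauserv": "auto",    # Automatic Updates
    "BITS": "demand",      # Background Intelligent Transfer Service
    "WinDefend": "auto",   # Windows Defender, if installed
    "ERSvc": "auto",       # Error Reporting Service
    "wscsvc": "auto",      # Security Center
}


def parse_sc(text):
    """Turn sc output into a dict.  STATE and START_TYPE keep only the symbolic
    word: 'STATE : 1  STOPPED' -> {'STATE': 'STOPPED'}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key in ("STATE", "START_TYPE"):
            value = value.split()[-1] if value else ""
        fields[key] = value
    return fields


def assess(name, query_out, qc_out):
    """Compare one service against its expected startup type and state; return the
    exact sc/net commands that repair it.  A service set to DISABLED cannot simply
    be restarted from services.msc: the start type has to be reset first."""
    if "FAILED" in query_out:                     # sc could not open the service
        return {"service": name, "state": "MISSING", "start_type": None, "fixes": []}
    state = parse_sc(query_out).get("STATE")
    start = parse_sc(qc_out).get("START_TYPE")
    fixes = []
    if start == "DISABLED":
        # sc's parser needs the space after '=': "start= auto", not "start=auto"
        fixes.append(f"sc config {name} start= {WATCHED.get(name, 'auto')}")
    if state != "RUNNING":
        fixes.append(f"net start {name}")
    return {"service": name, "state": state, "start_type": start, "fixes": fixes}


def check_live(names=tuple(WATCHED)):
    """Query the local Service Control Manager (Windows only)."""
    results = []
    for name in names:
        query = subprocess.run(["sc", "query", name], capture_output=True, text=True).stdout
        config = subprocess.run(["sc", "qc", name], capture_output=True, text=True).stdout
        results.append(assess(name, query, config))
    return results


# Constructed sample of what sc prints for a service Conficker has disabled.
SAMPLE_QUERY = """
SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""
SAMPLE_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k netsvcs
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Automatic Updates
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    r = assess("wuauserv", SAMPLE_QUERY, SAMPLE_QC)
    print(r["service"], r["state"], r["start_type"], *r["fixes"], sep="\n  ")
```

On a live XP box, `check_live()` runs the same logic against the real Service Control Manager; the printed `sc config` and `net start` lines can be pasted into an elevated cmd prompt, in that order.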

3 Contributors / 14 Replies / 15 Views / 7 Years Discussion Span / Last Post by PhilliePhan

I replaced the hard drive and loaded the original OS, drivers, etc. from the original discs, then installed the Windows XP upgrade. . . .
I ran the Microsoft Security Essentials program and it removed worm Conficker, so it said...... (problem still occurs).

Hi NW,

So this is a clean install? I would think you would've installed the necessary patches to avoid conficker.

Do you have any important data stored on this machine, or can we run tools without worrying about losing data if another re-format is necessary?
It may be a bad install.... What we can do here is try to rule out malware as the culprit.


Let's go ahead and do this:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Cheers :)
PP


I have no important data to worry about.

I downloaded ComboFix and ran it; also the Recovery Console installed OK.
Here is the log:
ComboFix 09-11-08.03 - Gateway User 11/09/2009 18:27.1.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.98 [GMT -8:00]
Running from: c:\documents and settings\Gateway User\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Gateway User\My Documents\backup.reg
c:\documents and settings\Gateway User\My Documents\backupfile.reg
c:\windows\start.exe
c:\windows\system32\clrviddc.dll
c:\windows\system32\Data
c:\windows\system32\windows.scr
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-08 21:08 . 2009-11-08 21:08 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-08 19:28 . 2009-11-08 19:28 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Malwarebytes
2009-11-08 19:27 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 19:27 . 2009-11-08 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 19:27 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 19:27 . 2009-11-08 19:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 08:52 . 2009-08-29 07:36 52224 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-08 08:52 . 2009-08-29 07:36 459264 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-08 08:52 . 2009-08-29 07:36 268288 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-11-08 08:52 . 2009-08-29 07:36 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2009-11-08 08:52 . 2009-08-29 07:36 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2009-11-08 08:52 . 2009-08-28 10:29 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-11-08 08:52 . 2009-06-29 08:33 2452872 ------w- c:\windows\system32\dllcache\ieapfltr.dat
2009-11-08 08:52 . 2009-08-29 07:36 6067200 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-11-08 08:19 . 2009-11-08 08:19 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-08 07:59 . 2009-11-08 07:59 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-08 07:59 . 2008-10-16 22:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-11-08 07:59 . 2008-10-16 22:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-11-08 07:04 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-08 06:14 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-11-08 06:06 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-11-08 06:06 . 2009-06-25 08:25 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-11-08 06:06 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-11-08 06:06 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-08 06:06 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-11-08 06:06 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-11-08 06:06 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-08 06:06 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-08 06:06 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-11-08 06:06 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-11-08 06:06 . 2009-08-05 04:44 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-11-08 06:06 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-08 06:03 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-11-08 06:02 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-11-08 05:50 . 2009-11-08 05:50 -------- d-----w- c:\windows\system32\scripting
2009-11-08 05:50 . 2009-11-08 05:50 -------- d-----w- c:\windows\l2schemas
2009-11-08 05:50 . 2009-11-08 05:50 -------- d-----w- c:\windows\system32\en
2009-11-08 05:50 . 2009-11-08 05:50 -------- d-----w- c:\windows\system32\bits
2009-11-08 05:49 . 2009-11-08 05:49 -------- d-----w- c:\windows\ServicePackFiles
2009-11-08 05:45 . 2009-11-08 05:45 -------- d-----w- c:\windows\EHome
2009-11-08 05:42 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-11-07 06:23 . 2009-11-07 06:23 -------- d-----w- c:\windows\system32\NtmsData
2009-11-07 04:23 . 2009-11-07 04:23 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Uniblue
2009-11-07 00:17 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-07 00:17 . 2004-08-04 08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-07 00:17 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-06 04:28 . 2009-11-06 04:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 04:24 . 2009-10-10 09:07 38208 ----a-w- c:\documents and settings\Gateway User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-06 04:24 . 2009-10-10 09:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-06 04:24 . 2009-11-06 04:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-06 04:21 . 2009-11-06 04:21 -------- d-----w- c:\program files\Google
2009-11-06 04:20 . 2009-11-06 04:20 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\Adobe
2009-11-06 04:20 . 2009-11-06 04:20 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-06 04:20 . 2009-11-06 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-06 04:05 . 2009-11-06 04:05 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-11-03 13:35 . 2009-11-03 13:35 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\Downloaded Installations
2009-11-02 03:06 . 2009-11-02 03:06 -------- d-----w- c:\program files\Common Files\Motive
2009-11-02 03:06 . 2009-11-02 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-11-02 02:37 . 2009-11-02 02:37 -------- d-----w- c:\program files\Verizon Online DSL
2009-10-31 18:01 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-31 18:01 . 2008-02-06 04:21 23832 ----a-r- c:\windows\system32\drivers\lvuvcflt.sys
2009-10-31 18:01 . 2009-10-31 18:01 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-10-31 18:01 . 2009-10-31 18:01 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Leadertech
2009-10-31 18:00 . 2009-10-31 18:00 -------- d-----w- c:\windows\system32\DRVSTORE
2009-10-31 18:00 . 2009-10-31 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-10-31 18:00 . 2009-10-31 18:00 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-10-31 18:00 . 2009-10-31 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\Yahoo
2009-10-31 08:03 . 2009-10-31 08:03 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Yahoo!
2009-10-31 08:01 . 2009-10-31 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-31 08:01 . 2009-05-27 03:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-10-31 08:01 . 2009-10-31 08:01 -------- d-----w- c:\program files\Yahoo!
2009-10-31 05:54 . 2009-10-31 05:54 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-31 05:54 . 2009-10-31 05:54 -------- d--h--r- c:\documents and settings\Gateway User\Application Data\SecuROM
2009-10-31 05:30 . 2009-10-31 05:30 -------- d-----w- c:\program files\EA SPORTS
2009-10-31 05:30 . 2005-05-26 23:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-10-31 05:07 . 2008-05-08 16:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-10-31 05:07 . 2008-10-24 13:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-31 05:07 . 2008-12-11 12:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-10-31 05:07 . 2009-07-10 15:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-10-31 05:04 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-31 05:04 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-10-31 05:04 . 2008-09-04 19:15 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-10-31 05:04 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-31 05:03 . 2008-05-03 13:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-31 05:03 . 2008-04-21 14:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-10-31 05:03 . 2009-10-31 05:03 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-31 05:03 . 2005-04-13 03:21 22240 ----a-w- c:\windows\system32\drivers\WmFilter.sys
2009-10-31 05:03 . 2005-04-13 03:21 5600 ----a-w- c:\windows\system32\drivers\WmVirHid.sys
2009-10-31 05:03 . 2005-04-13 03:21 10144 ----a-w- c:\windows\system32\drivers\WmBEnum.sys
2009-10-31 05:03 . 2005-04-13 03:21 45504 ----a-w- c:\windows\system32\drivers\WmXlCore.sys
2009-10-31 05:02 . 2009-10-31 05:02 -------- d-----w- c:\program files\Logitech
2009-10-31 05:01 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-10-31 05:00 . 2007-07-27 18:41 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-31 05:00 . 2009-10-31 05:00 -------- d--h--w- c:\windows\$hf_mig$
2009-10-31 04:56 . 2009-10-31 04:56 -------- d-sh--w- c:\documents and settings\Gateway User\UserData
2009-10-31 04:51 . 2008-10-15 18:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-10-31 04:48 . 2005-03-23 05:05 516096 ------w- c:\windows\system32\ati2sgag.exe
2009-10-31 04:47 . 2009-10-31 04:47 -------- d-----w- c:\program files\ATI Technologies
2009-10-31 04:44 . 2009-10-31 04:44 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Creative
2009-10-31 04:44 . 2009-10-31 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-10-31 04:42 . 2006-10-06 08:17 53248 ------w- c:\windows\Ctregrun.exe
2009-10-31 04:41 . 1999-12-12 19:01 44032 ------w- c:\windows\system32\CTSVCCDA.EXE
2009-10-31 04:41 . 1999-11-17 19:00 25088 ------w- c:\windows\system32\CTSVCCTL.EXE
2009-10-31 04:40 . 2009-10-31 04:40 -------- d-----w- c:\program files\Common Files\Creative
2009-10-31 04:40 . 2009-10-31 04:40 -------- d--h--w- c:\program files\Creative Installation Information
2009-10-31 04:40 . 2000-05-11 09:00 90112 ------w- c:\windows\Updreg.EXE
2009-10-31 04:37 . 2009-10-31 04:37 -------- d-----w- c:\program files\Creative
2009-10-31 04:36 . 2009-10-31 04:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-31 04:36 . 2009-10-31 04:36 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-31 04:31 . 2009-10-31 04:31 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\Microsoft
2009-10-31 04:27 . 2001-08-18 06:36 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-10-31 04:26 . 2004-08-04 14:00 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-10-31 04:25 . 2008-04-14 00:09 13463552 ----a-w- c:\windows\system32\dllcache\hwxjpn.dll
2009-10-31 04:24 . 2004-08-04 20:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2009-10-31 04:24 . 2004-08-04 20:00 6656 ----a-w- c:\windows\system32\dllcache\c_is2022.dll
2009-10-31 04:24 . 2001-08-18 06:36 45056 ----a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-10-31 04:24 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-10-31 04:22 . 2009-10-31 04:22 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2009-10-31 04:21 . 2009-10-31 04:21 -------- d-sh--w- c:\documents and settings\All Users\DRM
2009-10-31 04:19 . 2009-10-31 04:19 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2009-10-31 04:19 . 2009-10-31 04:19 -------- d-----w- c:\windows\system32\wbem\Performance
2009-10-31 04:16 . 2001-08-17 21:59 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2009-10-31 04:16 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-10-31 04:16 . 2001-08-17 21:28 907456 ----a-w- c:\windows\system32\drivers\HCF_MSFT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 02:37 . 2009-10-31 18:02 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-10 02:37 . 2009-10-31 18:01 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-08 05:52 . 2009-10-31 04:21 76487 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-10-31 04:23 . 2009-10-31 04:23 -------- d-----w- c:\program files\microsoft frontpage
2009-10-31 04:23 . 2009-10-31 04:23 478 ----a-w- c:\windows\LnkStub.dat
2009-10-31 04:23 . 2009-10-31 04:23 162304 ----a-w- c:\windows\system32\migicons.exe
2009-10-31 04:20 . 2009-10-31 04:20 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-10 09:07 . 2009-11-07 06:13 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-11 14:18 . 2009-10-31 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2009-10-31 04:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2009-10-31 04:01 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-10-31 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2009-10-31 03:59 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 10:00 . 2009-10-31 04:03 247326 ----a-w- c:\windows\system32\strmdll.dll
2004-04-13 04:18 . 2004-04-13 04:17 23357 ---h--w- c:\program files\folder.htt
2004-08-04 20:00 . 2009-10-31 04:00 159140 --sh--r- c:\windows\SYSTEM32\gnbpbgl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"CTRegRun"="c:\windows\CTRegRun.EXE" [2006-10-06 53248]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2005-05-03 64512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 08\\MAINAPP.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8129:TCP"= 8129:TCP:tkekshsp

S2 edlltmzh;Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [10/30/2009 8:01 PM 14336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
edlltmzh
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\Uninstall Expiration Reminder.job
- c:\windows\system32\OOBE\oobebaln.exe [2009-10-31 00:12]
.
.
------- Supplementary Scan -------
.
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\update
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
DPF: Win32 Classes
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 18:38
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\edlltmzh]
"ServiceDll"="c:\windows\system32\gnbpbgl.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(360)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(300)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\Rundll32.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-11-10 18:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 02:42

Pre-Run: 128,174,194,688 bytes free
Post-Run: 128,314,114,048 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout = 30
default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - DA9910EA76FF123EE3168ABC98F4068A

(A note: it says under "Other Running Processes" program files\Microsoft Security Essentials\MsMpEng.exe; however, I turned it off, if this makes a difference.)

Thanks, NW


Please go to Jotti's or to VirusTotal and have this file scanned. Post the results back here.

c:\windows\system32\gnbpbgl.dll

That's the baddie - I'm going to go ahead and pull it out of there....:)

NW:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log. Let us know if that helps.
I'll be gone until Tuesday Evening EST - Perhaps crunchie will check back sooner.

Cheers :)
PP
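PP picked the DLL out of the log by eye; the entries that give it away are the random-named service hosted by `svchost.exe -k netsvcs`, the `ServiceDll` under that service's key, the hidden+system+read-only DLL in system32, and the firewall exception with an equally random name (while the firewall itself is off). The script below is an added example, not part of this thread and not ComboFix's own code: it runs those checks over a short excerpt constructed from the log posted above (one legitimate `R2 MsMpSvc` line is added for contrast) and correlates service name to ServiceDll so the file to quarantine is named directly. The random-name heuristic and the KNOWN_OK allowlist are my assumptions; on real logs they will need tuning, and a hit is a lead for a hash lookup or sandbox run, not a verdict on its own.

```python
"""Triage heuristics for a ComboFix log.  Flags the Conficker-style persistence
pattern: a random-named service hosted by 'svchost.exe -k netsvcs' whose
ServiceDll is a random-named hidden+system DLL in system32, plus a firewall
exception with an equally random name (and the firewall switched off)."""
import os
import re

VOWELS = set("aeiou")
# Legitimate short vowel-poor names the heuristic would otherwise flag (assumed list; extend per host).
KNOWN_OK = {"netsvcs", "winmgmt", "trkwks", "msmpsvc", "schedule", "browser", "wuauserv", "srservice", "lmhosts"}

SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s*(?:\[.*\])?$")   # S2 name;display;image [stamp]
REGKEY = re.compile(r"^\[(HK[^\]]+)\]$")
SERVICEDLL = re.compile(r'^"ServiceDll"="([^"]+)"', re.I)
FWPORT = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(\S+)$')   # "8129:TCP"= 8129:TCP:name
FWOFF = re.compile(r'^"EnableFirewall"=\s*0\b')
# ComboFix file line: date . date size attributes path
FILE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+(\S{8})\s+(.+)$")


def looks_random(name):
    """Heuristic for Conficker's generated names: 5-9 lowercase letters that are
    vowel-poor or contain a long consonant run ('edlltmzh', 'gnbpbgl')."""
    n = name.lower()
    if n in KNOWN_OK or not n.isalpha() or not 5 <= len(n) <= 9:
        return False
    vowel_ratio = sum(c in VOWELS for c in n) / len(n)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", n)), default=0)
    return vowel_ratio <= 0.2 or longest_run >= 4


def triage(log_text):
    """Return (severity, message) findings for one ComboFix log, in log order,
    with the service -> ServiceDll correlation appended last."""
    findings, services, service_dlls, current_key = [], {}, {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SERVICE.match(line):
            services[m.group(1)] = m.group(2)
        elif m := REGKEY.match(line):
            current_key = m.group(1)
        elif (m := SERVICEDLL.match(line)) and current_key and "\\services\\" in current_key.lower():
            service_dlls[current_key.rsplit("\\", 1)[1]] = m.group(1)
        elif (m := FWPORT.match(line)) and looks_random(m.group(2)):
            findings.append(("high", f"firewall opens {m.group(1)} under random-looking rule name {m.group(2)!r}"))
        elif FWOFF.match(line):
            findings.append(("medium", "Windows Firewall disabled (EnableFirewall=0)"))
        elif m := FILE.match(line):
            attrs, path = m.groups()
            stem = os.path.basename(path.replace("\\", "/")).rsplit(".", 1)[0]
            if "s" in attrs and "h" in attrs and "system32" in path.lower() and looks_random(stem):
                findings.append(("high", f"hidden+system file with random-looking name: {path}"))
    for name, image in services.items():
        if looks_random(name) and "svchost.exe -k netsvcs" in image.lower():
            dll = service_dlls.get(name, "<ServiceDll not in log>")
            findings.append(("critical", f"random-named netsvcs service {name!r} -> ServiceDll {dll}"))
    return findings


# Constructed excerpt, trimmed from the ComboFix output posted in this thread,
# with one legitimate service line (MsMpSvc) added for contrast.
SAMPLE_LOG = r"""
2009-11-08 19:27 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2004-08-04 20:00 . 2009-10-31 04:00 159140 --sh--r- c:\windows\SYSTEM32\gnbpbgl.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8129:TCP"= 8129:TCP:tkekshsp
R2 MsMpSvc;Microsoft Antimalware Service;c:\program files\Microsoft Security Essentials\MsMpEng.exe [9/14/2009 10:56 PM 11904]
S2 edlltmzh;Manager Monitor;c:\windows\system32\svchost.exe -k netsvcs [10/30/2009 8:01 PM 14336]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\edlltmzh]
"ServiceDll"="c:\windows\system32\gnbpbgl.dll"
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The correlation step is the useful part: a service line alone says only that something odd is loaded into svchost, while the ServiceDll entry names the file on disk that the CFScript in this thread then targets.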


Jotti's said it was empty, 0 bytes.

VirusTotal = 0 bytes size received / An empty file has been received


Go ahead and follow my post and let's see what happens.

Gotta run - Will check back Tuesday.

PP:)


PP,
Sorry it took so long, but I forgot to save the log and had to do it over.
It appears to have fixed the problem.
Is it odd that it was there after replacing the hard drive and a clean install?
Well, here is the log; I'll keep checking it till I hear back and see how it goes.
Here's the last log:
ComboFix 09-11-09.01 - Gateway User 11/09/2009 21:35.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.103 [GMT -8:00]
Running from: c:\documents and settings\Gateway User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gateway User\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

FILE ::
"c:\windows\system32\gnbpbgl.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EDLLTMZH


((((((((((((((((((((((((( Files Created from 2009-10-10 to 2009-11-10 )))))))))))))))))))))))))))))))
.

2009-11-08 21:08 . 2009-11-08 21:08 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-08 19:28 . 2009-11-08 19:28 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Malwarebytes
2009-11-08 19:27 . 2009-09-10 22:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 19:27 . 2009-11-08 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-08 19:27 . 2009-09-10 22:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 19:27 . 2009-11-08 19:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 08:52 . 2009-08-29 07:36 52224 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-11-08 08:52 . 2009-08-29 07:36 459264 ------w- c:\windows\system32\dllcache\msfeeds.dll
2009-11-08 08:52 . 2009-08-29 07:36 268288 ------w- c:\windows\system32\dllcache\iertutil.dll
2009-11-08 08:52 . 2009-08-29 07:36 380928 ------w- c:\windows\system32\dllcache\ieapfltr.dll
2009-11-08 08:52 . 2009-08-29 07:36 63488 ------w- c:\windows\system32\dllcache\icardie.dll
2009-11-08 08:52 . 2009-08-28 10:29 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-11-08 08:52 . 2009-06-29 08:33 2452872 ------w- c:\windows\system32\dllcache\ieapfltr.dat
2009-11-08 08:52 . 2009-08-29 07:36 6067200 ------w- c:\windows\system32\dllcache\ieframe.dll
2009-11-08 08:19 . 2009-11-08 08:19 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-11-08 07:59 . 2009-11-08 07:59 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-08 07:59 . 2008-10-16 22:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-11-08 07:59 . 2008-10-16 22:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-11-08 07:04 . 2009-11-03 04:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-08 06:14 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-11-08 06:06 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-11-08 06:06 . 2009-06-25 08:25 730112 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-11-08 06:06 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-11-08 06:06 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-11-08 06:06 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-11-08 06:06 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-11-08 06:06 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-11-08 06:06 . 2009-08-04 15:13 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-11-08 06:06 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-11-08 06:06 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-11-08 06:06 . 2009-08-05 04:44 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-11-08 06:06 . 2009-08-04 14:20 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-11-08 06:03 . 2008-05-01 14:33 331776 ------w- c:\windows\system32\dllcache\msadce.dll
2009-11-08 06:02 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-11-08 05:50 . 2009-11-08 05:50 -------- d-----w- c:\windows\system32\scripting
2009-11-08 05:50 . 2009-11-08 05:50 -------- d-----w- c:\windows\l2schemas
2009-11-08 05:50 . 2009-11-08 05:50 -------- d-----w- c:\windows\system32\en
2009-11-08 05:50 . 2009-11-08 05:50 -------- d-----w- c:\windows\system32\bits
2009-11-08 05:49 . 2009-11-08 05:49 -------- d-----w- c:\windows\ServicePackFiles
2009-11-08 05:45 . 2009-11-08 05:45 -------- d-----w- c:\windows\EHome
2009-11-08 05:42 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-11-07 06:23 . 2009-11-07 06:23 -------- d-----w- c:\windows\system32\NtmsData
2009-11-07 04:23 . 2009-11-07 04:23 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Uniblue
2009-11-07 00:17 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-07 00:17 . 2004-08-04 08:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2009-11-07 00:17 . 2008-04-13 18:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-11-06 04:28 . 2009-11-06 04:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 04:24 . 2009-10-10 09:07 38208 ----a-w- c:\documents and settings\Gateway User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-06 04:24 . 2009-10-10 09:07 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-06 04:24 . 2009-11-06 04:24 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-06 04:21 . 2009-11-06 04:21 -------- d-----w- c:\program files\Google
2009-11-06 04:20 . 2009-11-06 04:20 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\Adobe
2009-11-06 04:20 . 2009-11-06 04:20 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-06 04:20 . 2009-11-06 04:20 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-06 04:05 . 2009-11-06 04:05 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-11-03 13:35 . 2009-11-03 13:35 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\Downloaded Installations
2009-11-02 03:06 . 2009-11-02 03:06 -------- d-----w- c:\program files\Common Files\Motive
2009-11-02 03:06 . 2009-11-02 03:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-11-02 02:37 . 2009-11-02 02:37 -------- d-----w- c:\program files\Verizon Online DSL
2009-10-31 18:01 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-31 18:01 . 2008-02-06 04:21 23832 ----a-r- c:\windows\system32\drivers\lvuvcflt.sys
2009-10-31 18:01 . 2009-10-31 18:01 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-10-31 18:01 . 2009-10-31 18:01 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Leadertech
2009-10-31 18:00 . 2009-10-31 18:00 -------- d-----w- c:\windows\system32\DRVSTORE
2009-10-31 18:00 . 2009-10-31 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Logishrd
2009-10-31 18:00 . 2009-10-31 18:00 -------- d-----w- c:\program files\Common Files\LogiShrd
2009-10-31 18:00 . 2009-10-31 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-10-31 08:04 . 2009-10-31 08:04 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\Yahoo
2009-10-31 08:03 . 2009-10-31 08:03 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Yahoo!
2009-10-31 08:01 . 2009-10-31 08:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-31 08:01 . 2009-05-27 03:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-10-31 08:01 . 2009-10-31 08:01 -------- d-----w- c:\program files\Yahoo!
2009-10-31 05:54 . 2009-10-31 05:54 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-10-31 05:54 . 2009-10-31 05:54 -------- d--h--r- c:\documents and settings\Gateway User\Application Data\SecuROM
2009-10-31 05:30 . 2009-10-31 05:30 -------- d-----w- c:\program files\EA SPORTS
2009-10-31 05:30 . 2005-05-26 23:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-10-31 05:07 . 2008-05-08 16:02 203136 ------w- c:\windows\system32\dllcache\rmcast.sys
2009-10-31 05:07 . 2008-10-24 13:21 455296 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-10-31 05:07 . 2008-12-11 12:57 333952 ------w- c:\windows\system32\dllcache\srv.sys
2009-10-31 05:07 . 2009-07-10 15:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-10-31 05:04 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2009-10-31 05:04 . 2001-08-17 21:48 12160 ----a-w- c:\windows\system32\dllcache\mouhid.sys
2009-10-31 05:04 . 2008-09-04 19:15 1106944 ------w- c:\windows\system32\dllcache\msxml3.dll
2009-10-31 05:04 . 2008-04-13 18:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2009-10-31 05:03 . 2008-05-03 13:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-31 05:03 . 2008-04-21 14:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-10-31 05:03 . 2009-10-31 05:03 -------- d-----w- c:\program files\Common Files\Logitech
2009-10-31 05:03 . 2005-04-13 03:21 22240 ----a-w- c:\windows\system32\drivers\WmFilter.sys
2009-10-31 05:03 . 2005-04-13 03:21 5600 ----a-w- c:\windows\system32\drivers\WmVirHid.sys
2009-10-31 05:03 . 2005-04-13 03:21 10144 ----a-w- c:\windows\system32\drivers\WmBEnum.sys
2009-10-31 05:03 . 2005-04-13 03:21 45504 ----a-w- c:\windows\system32\drivers\WmXlCore.sys
2009-10-31 05:02 . 2009-10-31 05:02 -------- d-----w- c:\program files\Logitech
2009-10-31 05:01 . 2008-04-13 18:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2009-10-31 05:00 . 2007-07-27 18:41 26488 ----a-w- c:\windows\system32\spupdsvc.exe
2009-10-31 05:00 . 2009-10-31 05:00 -------- d--h--w- c:\windows\$hf_mig$
2009-10-31 04:56 . 2009-10-31 04:56 -------- d-sh--w- c:\documents and settings\Gateway User\UserData
2009-10-31 04:51 . 2008-10-15 18:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-10-31 04:48 . 2005-03-23 05:05 516096 ------w- c:\windows\system32\ati2sgag.exe
2009-10-31 04:47 . 2009-10-31 04:47 -------- d-----w- c:\program files\ATI Technologies
2009-10-31 04:44 . 2009-10-31 04:44 -------- d-----w- c:\documents and settings\Gateway User\Application Data\Creative
2009-10-31 04:44 . 2009-10-31 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-10-31 04:42 . 2006-10-06 08:17 53248 ------w- c:\windows\Ctregrun.exe
2009-10-31 04:41 . 1999-12-12 19:01 44032 ------w- c:\windows\system32\CTSVCCDA.EXE
2009-10-31 04:41 . 1999-11-17 19:00 25088 ------w- c:\windows\system32\CTSVCCTL.EXE
2009-10-31 04:40 . 2009-10-31 04:40 -------- d-----w- c:\program files\Common Files\Creative
2009-10-31 04:40 . 2009-10-31 04:40 -------- d--h--w- c:\program files\Creative Installation Information
2009-10-31 04:40 . 2000-05-11 09:00 90112 ------w- c:\windows\Updreg.EXE
2009-10-31 04:37 . 2009-10-31 04:37 -------- d-----w- c:\program files\Creative
2009-10-31 04:36 . 2009-10-31 04:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-31 04:36 . 2009-10-31 04:36 -------- d-----w- c:\program files\Common Files\InstallShield
2009-10-31 04:31 . 2009-10-31 04:31 -------- d-----w- c:\documents and settings\Gateway User\Local Settings\Application Data\Microsoft
2009-10-31 04:27 . 2001-08-18 06:36 12288 ----a-w- c:\windows\system32\dllcache\EXCH_smtpctrs.dll
2009-10-31 04:26 . 2004-08-04 14:00 70656 ----a-w- c:\windows\system32\dllcache\korwbrkr.dll
2009-10-31 04:25 . 2008-04-14 00:09 13463552 ----a-w- c:\windows\system32\dllcache\hwxjpn.dll
2009-10-31 04:24 . 2004-08-04 20:00 10752 ----a-w- c:\windows\system32\dllcache\c_iscii.dll
2009-10-31 04:24 . 2004-08-04 20:00 6656 ----a-w- c:\windows\system32\dllcache\c_is2022.dll
2009-10-31 04:24 . 2001-08-18 06:36 45056 ----a-w- c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-10-31 04:24 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\dllcache\EXCH_adsiisex.dll
2009-10-31 04:22 . 2009-10-31 04:22 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft
2009-10-31 04:21 . 2009-10-31 04:21 -------- d-sh--w- c:\documents and settings\All Users\DRM
2009-10-31 04:19 . 2009-10-31 04:19 -------- d-----w- c:\windows\system32\wbem\AutoRecover
2009-10-31 04:19 . 2009-10-31 04:19 -------- d-----w- c:\windows\system32\wbem\Performance
2009-10-31 04:16 . 2001-08-17 21:59 3072 ----a-w- c:\windows\system32\drivers\audstub.sys
2009-10-31 04:16 . 2008-04-13 18:40 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2009-10-31 04:16 . 2001-08-17 21:28 907456 ----a-w- c:\windows\system32\drivers\HCF_MSFT.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 05:42 . 2009-10-31 18:02 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-10 05:42 . 2009-10-31 18:01 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-11-08 05:52 . 2009-10-31 04:21 76487 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-10-31 04:23 . 2009-10-31 04:23 -------- d-----w- c:\program files\microsoft frontpage
2009-10-31 04:23 . 2009-10-31 04:23 478 ----a-w- c:\windows\LnkStub.dat
2009-10-31 04:23 . 2009-10-31 04:23 162304 ----a-w- c:\windows\system32\migicons.exe
2009-10-31 04:20 . 2009-10-31 04:20 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-10 09:07 . 2009-11-07 06:13 38208 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-09-11 14:18 . 2009-10-31 04:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2009-10-31 04:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2009-10-31 04:01 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2009-10-31 04:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2009-10-31 03:59 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 10:00 . 2009-10-31 04:03 247326 ----a-w- c:\windows\system32\strmdll.dll
2004-04-13 04:18 . 2004-04-13 04:17 23357 ---h--w- c:\program files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"CTRegRun"="c:\windows\CTRegRun.EXE" [2006-10-06 53248]
"CreativeTaskScheduler"="c:\program files\Creative\Shared Files\CTSched.exe" [2006-11-17 53341]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-14 1048392]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 339968]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"P17Helper"="P17.dll" - c:\windows\SYSTEM32\P17.dll [2005-05-03 64512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\mmc.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 08\\Updater.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA SPORTS\\Madden NFL 08\\MAINAPP.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=


--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\Uninstall Expiration Reminder.job
- c:\windows\system32\OOBE\oobebaln.exe [2009-10-31 00:12]
.
.
------- Supplementary Scan -------
.
Trusted Zone: microsoft.com
Trusted Zone: microsoft.com\update
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso4.cab
DPF: Win32 Classes
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-09 21:43
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(360)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2472)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Rundll32.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2009-11-10 21:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-10 05:47
ComboFix2.txt 2009-11-10 05:21
ComboFix3.txt 2009-11-10 02:42

Pre-Run: 128,238,485,504 bytes free
Post-Run: 128,218,038,272 bytes free

- - End Of File - - 846827D6CCBD0FB7A7A4D28D2AA728E8


NW

0

PP
Sorry it took so long, but I forgot to save the log and had to do it over.
It appears to have fixed the problem.
Is that odd, that it was there after replacing the hard drive and a clean install?

Yeah - that's a bit odd after a fresh install, but not unheard of. People have backed up infected files and reinstalled them. Plus, a few minutes of iffy surfing can do the trick if your security is not up to par...

I find it interesting that combofix removed a few seemingly legit items:
c:\documents and settings\Gateway User\My Documents\backup.reg
c:\documents and settings\Gateway User\My Documents\backupfile.reg
c:\windows\system32\clrviddc.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\Web\default.htt

I'm not so sure those are evil. Did you create the registry backups?
I think clrviddc.dll is a video component - maybe it was infected? Do you know if it was part of a legit app that you use?

PP:)

0

I noticed the 2 backup.reg files were removed, and I assumed they were removed when I created the install recovery console. I assumed it deleted them because it no longer wanted them around, as they were created prior to installing ComboFix/install recovery console.

I do not know about the other 3 files or even what they are.
I don't know where clrviddc.dll is from, but I do know when I play Madden NFL online my computer could slow down at the most inopportune times (I haven't lost since cleaning my PC), so maybe it was infected. From what I understand people can hack your computer from online gaming, but I am not very knowledgeable at this stuff.
Whether clrviddc.dll is legit or not, I do not know.

NW

0

Whether clrviddc.dll is legit or not, I do not know.

Apparently it is an outdated codec - clearvideodecoder.

I guess, if everything is working as it should, we should probably leave it at that . . . .

Let's remove Combofix and the files/folders it created:

• Click Start > Run
• Type or Copy&Paste Combofix /u into the Run box. (Be sure there is a space between the x and the / if you type it)
• Click OK

This will remove Combofix and its components from your machine.
It will also reset your clock, re-hide System and Hidden Files and hide File Extensions.
Last, but certainly not least, doing this will reset System Restore.

Let me know if there are any more issues we need to address.

Cheers :)
PP

0

OK, sounds good. I appreciate all the help. I don't find a link to make a donation; is there one?
For now I want to update all my drivers, hopefully with no problems.

You guys are great.
Thanks a ton
NW

0

You guys are great.
Thanks a ton

You're welcome!
There's a "donate" linky at the top of the page where you log in.

Frankly, I'm happy if you just "pay it forward" and do a good turn for somebody else sometime down the road....

Cheers :)
PP

0

I like the philosophy "pay it forward" and I live by it. Therefore I am poor, but happy.
That speaks a lot of your character. I do a lot for people as a mechanic and don't expect anything in return, but know someday someone good will return the favor.
Of course I would never take advantage either, so next time around I will see what I can do.
You guys are awesome.

Happy holidays
NW

0

I like the philosophy "pay it forward" and I live by it. Therefore I am poor, but happy.

Me, too - this world can sometimes be a mean place with a bunch of "I got mine, the rest are out of luck" types. But there are a lot of good people out there as well who are willing to help out of the goodness of their hearts....

Of course I would never take advantage either, so next time around I will see what I can do.

You are always welcome here. No worries!

Happy holidays
NW

The same to you :)
PP
