Norton has found Infostealer with the0040.dll

Symantec Norton anti-virus corporate edi...
March 27, 2010 at 07:33:05
Specs: Windows 24.09.2009
Virus and file have been found by Norton AV. I think this is a relatively new version of infostealer based on search results. I think I've had it for a few weeks, but I think this week's update to Norton finally discovered it. HELP!!!




#1
March 27, 2010 at 08:14:01
Download DDS and save it to your desktop.
DDS.scr


Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt

Save both reports to your desktop then post them please.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.

Please download Combofix with internet explorer instead of any other browser if possible.

Remember: your Norton antivirus and any realtime antispyware programs that you may have must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" .
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#2
March 27, 2010 at 14:44:28
Wow, that's a lot of instructions. First of all, thank you very much for your time on this. Ok, here are the 2 logs. I believe I understood I was supposed to cut and paste the first one and attach the 2nd as a .zip file. So here goes:

DDS (Ver_10-03-17.01) - NTFSx86
Run by B J Sheridan at 17:23:11.51 on Sat 03/27/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.285 [GMT -4:00]

FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdbcoms.exe
C:\WINDOWS\system32\lxdfcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 6500 Series\lxdfamon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Altnet Music Plugin\AMPMDM.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\B J Sheridan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://middlegeorgia.cox.net/cci/home
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070130
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [ampmdm] c:\program files\altnet music plugin\AMPMDM.exe
uRun: [cdloader] "c:\documents and settings\b j sheridan\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [bibwvtfy] c:\documents and settings\b j sheridan\local settings\application data\sqjlsb\oeiisftav.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [vptray] c:\program files\navnt\vptray.exe
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.5\masqform.exe -RunOnce
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [LXDBCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXDBtime.dll,_RunDLLEntry@16
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [bibwvtfy] c:\documents and settings\b j sheridan\local settings\application data\sqjlsb\oeiisftav.exe
mRun: [lxdfmon.exe] "c:\program files\lexmark 6500 series\lxdfmon.exe"
mRun: [lxdfamon] "c:\program files\lexmark 6500 series\lxdfamon.exe"
mRun: [Lexmark 6500 Series Fax Server] "c:\program files\lexmark 6500 series\fm3032.exe" /s
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://thelearningplace.no-ip.biz/ActiveView.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\0040.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-2 64288]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-2-22 353672]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1263728]
R2 lxdb_device;lxdb_device;c:\windows\system32\lxdbcoms.exe -service --> c:\windows\system32\lxdbcoms.exe -service [?]
R2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe -service --> c:\windows\system32\lxdfcoms.exe -service [?]
R2 NAVAPEL;NAVAPEL;c:\program files\navnt\Navapel.sys [2001-9-24 9232]
R2 Norton AntiVirus Server;Norton AntiVirus Client;c:\program files\navnt\rtvscan.exe [2001-9-24 454656]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 NAVAP;NAVAP;c:\program files\navnt\navap.sys [2001-9-24 176208]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100325.002\NAVENG.sys [2010-3-26 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100325.002\NAVEX15.sys [2010-3-26 1324720]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdfserv.exe [2010-3-14 99248]
S2 navapsvc;Norton AntiVirus Auto-Protect Service;"c:\program files\norton internet security\norton antivirus\navapsvc.exe" --> c:\program files\norton internet security\norton antivirus\navapsvc.exe [?]

=============== Created Last 30 ================

2010-03-21 20:06:55 0 d-----w- c:\program files\common files\ODBC
2010-03-19 01:43:05 25088 ------w- c:\windows\system32\0040.DLL
2010-03-18 23:45:53 1409 ----a-w- c:\windows\system32\tmp6E3D4.FOT
2010-03-18 23:45:53 1409 ----a-w- c:\windows\system32\tmp434D4.FOT
2010-03-18 23:45:53 1409 ----a-w- c:\windows\system32\tmp284D4.FOT
2010-03-18 23:35:32 1409 ----a-w- c:\windows\system32\tmpC4E40.FOT
2010-03-18 23:35:32 1409 ----a-w- c:\windows\system32\tmpA9E40.FOT
2010-03-18 23:35:32 1409 ----a-w- c:\windows\system32\tmp8EE40.FOT
2010-03-18 23:35:32 1409 ----a-w- c:\windows\system32\tmp63F40.FOT
2010-03-18 23:35:32 1409 ----a-w- c:\windows\system32\tmp48F40.FOT
2010-03-18 23:35:31 1409 ----a-w- c:\windows\system32\tmpEED40.FOT
2010-03-18 23:33:36 1409 ----a-w- c:\windows\system32\tmp53A8E.FOT
2010-03-18 23:33:36 1409 ----a-w- c:\windows\system32\tmp3AA8E.FOT
2010-03-18 23:33:36 1409 ----a-w- c:\windows\system32\tmp02B8E.FOT
2010-03-15 00:44:55 40960 ----a-w- c:\windows\system32\lxdfvs.dll
2010-03-15 00:44:36 348160 ----a-w- c:\windows\system32\lxdfcoin.dll
2010-03-15 00:42:03 692224 ----a-w- c:\windows\system32\lxdfdrs.dll
2010-03-15 00:42:03 65536 ----a-w- c:\windows\system32\lxdfcaps.dll
2010-03-15 00:42:02 69632 ----a-w- c:\windows\system32\lxdfcnv4.dll
2010-03-15 00:39:23 45056 ----a-w- c:\windows\system32\LXDFPMON.DLL
2010-03-15 00:39:23 32768 ----a-w- c:\windows\system32\LXDFFXPU.DLL
2010-03-15 00:39:02 69632 ----a-w- c:\windows\system32\lxdfoem.dll
2010-03-15 00:38:39 0 d-----w- c:\docume~1\alluse~1\applic~1\6500 Series
2010-03-15 00:32:52 1645320 ----a-w- c:\windows\system32\gdiplus.dll
2010-03-15 00:32:07 60 ---ha-w- c:\windows\system32\lxdfrwrd.ini
2010-03-15 00:30:59 860160 ----a-w- c:\windows\system32\lxdfcomc.dll
2010-03-15 00:30:58 77906 ----a-w- c:\windows\system32\lxdfcfg.dll
2010-03-15 00:30:58 365488 ----a-w- c:\windows\system32\lxdfcfg.exe
2010-03-15 00:30:57 2003 ----a-w- c:\windows\system32\lxdf.loc
2010-03-15 00:30:28 0 d-----w- c:\program files\Lexmark 6500 Series
2010-03-13 19:41:14 1409 ----a-w- c:\windows\system32\tmpF5DA8.FOT
2010-03-13 19:41:13 1409 ----a-w- c:\windows\system32\tmpEEAA8.FOT
2010-03-13 19:41:13 1409 ----a-w- c:\windows\system32\tmpB6BA8.FOT
2010-03-13 19:41:13 1409 ----a-w- c:\windows\system32\tmp8EBA8.FOT
2010-03-13 19:41:13 1409 ----a-w- c:\windows\system32\tmp54CA8.FOT
2010-03-13 19:41:13 1409 ----a-w- c:\windows\system32\tmp2ECA8.FOT
2010-03-11 16:47:04 0 ---ha-w- c:\windows\system32\wupd.dat
2010-03-11 16:46:37 6898 ----a-w- c:\windows\system32\WORK.DAT
2010-03-10 18:41:22 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-02-22 21:30:13 76752 ----a-w- c:\docume~1\bjsher~1\applic~1\GDIPFONTCACHEV1.DAT
2010-02-20 16:20:31 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-20 16:20:27 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-04 15:53:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 70656 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-03-02 23:17:04 34543112 ----a-w- c:\program files\Ad-AwareAE.exe
2008-02-18 17:44:26 186713874 ----a-w- c:\program files\MahjonggMaster4.exe
2008-02-10 12:32:10 432576 ----a-w- c:\program files\MySpaceIM_Setup.exe
2007-04-28 07:20:50 10227070 ----a-w- c:\program files\Viewer_6_5_Download.zip
2008-08-28 13:57:11 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 17:28:15.93 ===============


Ok, I can't figure out how to attach the "attach" file, so I'm gonna need some help with that.

In the meantime, I'm running Malwarebytes' Anti-Malware. So I'll be back on later. Thanks again.


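The DDS log above carries the indicators a helper reads for by eye: the AppInit_DLLs entry for c:\windows\system32\0040.DLL (created 2010-03-19, the same week the poster says the trouble started), the paired uRun/mRun entries for oeiisftav.exe under Local Settings\Application Data, the hosts entry that blackholes www.spywareinfo.com, and the ActiveX download (DPF) from a no-ip.biz host. As an added example for this thread, not DDS code and not from the original poster or helper, the script below applies those same checks to the Pseudo HJT section. The sample lines are copied from the posted log (with a few benign ones so the filter has something to leave alone); the dynamic-DNS suffix list, the severity labels and the profile-directory rule are assumptions made for the example.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for the persistence
and tampering patterns visible in the log posted above.

Added example for this thread; it is not DDS code and not from the original
poster.  The rules and severity labels are assumptions made for the example."""
import re

# Constructed sample: lines copied from the posted DDS log, plus a few
# benign entries so the filter has something to leave alone.
SAMPLE_DDS = r"""
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [cdloader] "c:\documents and settings\b j sheridan\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [bibwvtfy] c:\documents and settings\b j sheridan\local settings\application data\sqjlsb\oeiisftav.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [bibwvtfy] c:\documents and settings\b j sheridan\local settings\application data\sqjlsb\oeiisftav.exe
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://thelearningplace.no-ip.biz/ActiveView.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
AppInit_DLLs: c:\windows\system32\0040.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
"""

RUN_RE = re.compile(r"^[umd]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: - (?P<url>\S+))?")

# User-writable locations under the profile that an installer normally does
# not use as an autorun target on XP (assumption for this example).
PROFILE_DIRS = ("\\local settings\\application data\\", "\\application data\\")
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}
DYNDNS_SUFFIXES = ("no-ip.biz", "no-ip.org", "no-ip.com", "dyndns.org")  # assumed short list


def _target(cmd):
    """Return the executable path from a Run-key command line, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    m = re.match(r"(.+?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.I)
    return (m.group(1) if m else cmd.split()[0]).lower()


def triage(report):
    """Return (severity, reason, line) tuples for lines worth a second look."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        if key.lower() == "appinit_dlls" and value.strip():
            # AppInit_DLLs is loaded by every process that maps user32.dll;
            # a clean XP box almost never has a value here.
            findings.append(("high", "AppInit_DLLs loads a DLL into every GUI process", line))
            continue
        m = RUN_RE.match(line)
        if m:
            target = _target(m.group("cmd"))
            if "\\documents and settings\\" in target and any(d in target for d in PROFILE_DIRS):
                findings.append(("medium", "autorun target lives in a user-writable profile directory", line))
            continue
        m = HOSTS_RE.match(line)
        if m and m.group("ip") in BLACKHOLE_IPS and m.group("host").lower() != "localhost":
            findings.append(("high", "hosts file blackholes a site (often a security vendor)", line))
            continue
        m = DPF_RE.match(line)
        if m:
            url = (m.group("url") or "").lower()
            host = re.sub(r"^hxxps?://", "", url).split("/")[0]  # DDS defangs http as hxxp
            if host.endswith(DYNDNS_SUFFIXES):
                findings.append(("high", "ActiveX control downloaded from a dynamic-DNS host", line))
            continue
        if line.endswith("- No File"):
            findings.append(("low", "orphaned registration; harmless but worth cleaning", line))
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 3, 'low': 1}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_DDS):
        print(f"[{sev:6}] {why}\n         {line}")
```

Run against the sample it reports three high findings (the AppInit_DLLs entry, the hosts blackhole and the no-ip.biz ActiveX download), three medium ones and one low. The medium bucket is deliberately a hint rather than a verdict: it catches both copies of the oeiisftav.exe autorun, but it also flags cdloader2.exe, which the MAGICJACK argument suggests is the magicJack softphone installed per user. That is the normal trade-off with a path-based rule, and it is why the helper asks for the full log rather than a list of hits.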

#3
March 27, 2010 at 16:32:18
Just copy/paste the attach.txt log please.



#4
March 27, 2010 at 17:26:05
Okay, well since the file still won't paste, here is the log:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 2/21/2007 3:22:05 PM
System Uptime: 3/25/2010 7:12:28 AM (58 hours ago)

Motherboard: Dell Inc. | | 0MG532
Processor: Genuine Intel(R) CPU T2050 @ 1.60GHz | Microprocessor | 1596/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 40.218 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP933: 12/28/2009 9:00:22 AM - System Checkpoint
RP934: 12/29/2009 9:43:20 AM - System Checkpoint
RP935: 12/30/2009 9:46:23 AM - System Checkpoint
RP936: 12/31/2009 10:01:31 AM - System Checkpoint
RP937: 1/1/2010 12:06:32 PM - System Checkpoint
RP938: 1/2/2010 1:01:26 PM - System Checkpoint
RP939: 1/3/2010 1:02:47 PM - System Checkpoint
RP940: 1/4/2010 2:01:42 PM - System Checkpoint
RP941: 1/5/2010 2:12:23 PM - System Checkpoint
RP942: 1/6/2010 2:54:36 PM - System Checkpoint
RP943: 1/7/2010 2:56:00 PM - System Checkpoint
RP944: 1/8/2010 3:33:47 PM - System Checkpoint
RP945: 1/9/2010 3:47:40 PM - System Checkpoint
RP946: 1/10/2010 3:56:51 PM - System Checkpoint
RP947: 1/11/2010 4:09:15 PM - System Checkpoint
RP948: 1/12/2010 4:32:34 PM - System Checkpoint
RP949: 1/13/2010 5:02:16 PM - System Checkpoint
RP950: 1/13/2010 8:00:23 PM - Software Distribution Service 3.0
RP951: 1/14/2010 9:42:53 PM - System Checkpoint
RP952: 1/15/2010 10:27:40 PM - System Checkpoint
RP953: 1/16/2010 10:32:20 PM - System Checkpoint
RP954: 1/17/2010 11:43:04 PM - System Checkpoint
RP955: 1/18/2010 11:50:20 PM - System Checkpoint
RP956: 1/20/2010 12:49:12 AM - System Checkpoint
RP957: 1/20/2010 5:31:02 PM - Software Distribution Service 3.0
RP958: 1/21/2010 5:50:17 PM - System Checkpoint
RP959: 1/22/2010 5:56:24 PM - Software Distribution Service 3.0
RP960: 1/23/2010 6:13:22 PM - System Checkpoint
RP961: 1/24/2010 7:04:11 PM - System Checkpoint
RP962: 1/25/2010 7:11:58 PM - System Checkpoint
RP963: 1/26/2010 7:18:17 PM - System Checkpoint
RP964: 1/27/2010 7:47:10 PM - System Checkpoint
RP965: 1/28/2010 8:46:03 PM - System Checkpoint
RP966: 1/29/2010 8:47:05 PM - System Checkpoint
RP967: 1/30/2010 9:12:53 PM - System Checkpoint
RP968: 1/31/2010 9:39:32 PM - System Checkpoint
RP969: 2/1/2010 10:18:26 PM - System Checkpoint
RP970: 2/2/2010 10:55:55 PM - System Checkpoint
RP971: 2/3/2010 10:56:16 PM - System Checkpoint
RP972: 2/4/2010 11:54:12 PM - System Checkpoint
RP973: 2/5/2010 11:55:21 PM - System Checkpoint
RP974: 2/7/2010 12:54:06 AM - System Checkpoint
RP975: 2/8/2010 1:20:07 AM - System Checkpoint
RP976: 2/9/2010 2:20:07 AM - System Checkpoint
RP977: 2/10/2010 7:11:23 AM - System Checkpoint
RP978: 2/10/2010 8:02:49 PM - Software Distribution Service 3.0
RP979: 2/11/2010 8:27:52 PM - System Checkpoint
RP980: 2/12/2010 8:37:25 PM - System Checkpoint
RP981: 2/13/2010 11:33:45 PM - System Checkpoint
RP982: 2/14/2010 11:51:31 PM - System Checkpoint
RP983: 2/16/2010 1:29:28 AM - System Checkpoint
RP984: 2/17/2010 1:47:41 AM - System Checkpoint
RP985: 2/18/2010 2:47:41 AM - System Checkpoint
RP986: 2/19/2010 3:47:37 AM - System Checkpoint
RP987: 2/20/2010 3:48:50 AM - System Checkpoint
RP988: 2/21/2010 4:27:53 AM - System Checkpoint
RP989: 2/22/2010 5:27:53 AM - System Checkpoint
RP990: 2/23/2010 6:25:08 AM - System Checkpoint
RP991: 2/23/2010 8:00:26 PM - Software Distribution Service 3.0
RP992: 2/24/2010 4:48:04 PM - Removed iTunes
RP993: 2/25/2010 5:04:32 PM - System Checkpoint
RP994: 2/26/2010 6:05:32 PM - System Checkpoint
RP995: 2/27/2010 7:17:16 PM - System Checkpoint
RP996: 2/28/2010 7:46:29 PM - System Checkpoint
RP997: 3/1/2010 8:02:28 PM - System Checkpoint
RP998: 3/2/2010 8:46:46 PM - System Checkpoint
RP999: 3/3/2010 9:46:44 PM - System Checkpoint
RP1000: 3/4/2010 10:46:43 PM - System Checkpoint
RP1001: 3/5/2010 11:28:57 PM - System Checkpoint
RP1002: 3/7/2010 12:28:56 AM - System Checkpoint
RP1003: 3/8/2010 1:30:00 AM - System Checkpoint
RP1004: 3/9/2010 6:35:19 AM - System Checkpoint
RP1005: 3/10/2010 7:42:48 AM - System Checkpoint
RP1006: 3/10/2010 6:36:19 PM - Software Distribution Service 3.0
RP1007: 3/11/2010 8:28:17 PM - System Checkpoint
RP1008: 3/12/2010 8:40:26 PM - System Checkpoint
RP1009: 3/13/2010 10:06:32 PM - System Checkpoint
RP1010: 3/14/2010 8:40:33 PM - Printer Driver Fax Lexmark 6500 Series Printer Installed
RP1011: 3/15/2010 9:13:38 PM - System Checkpoint
RP1012: 3/16/2010 10:08:58 PM - System Checkpoint
RP1013: 3/17/2010 10:19:32 PM - System Checkpoint
RP1014: 3/18/2010 10:45:01 PM - System Checkpoint
RP1015: 3/19/2010 10:55:34 PM - System Checkpoint
RP1016: 3/20/2010 11:59:59 PM - System Checkpoint
RP1017: 3/22/2010 12:24:39 AM - System Checkpoint
RP1018: 3/23/2010 12:51:13 AM - System Checkpoint
RP1019: 3/24/2010 1:51:17 AM - System Checkpoint
RP1020: 3/25/2010 2:51:17 AM - System Checkpoint
RP1021: 3/26/2010 3:17:12 AM - System Checkpoint
RP1022: 3/27/2010 4:17:14 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe® Photoshop® Album Starter Edition 3.2
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Bonus Content - Owens Corning Roofing Materials
Broadcom Management Programs
BufferChm
CameraDrivers
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Dell Driver Reset Tool
Dell Photo Printer 720
Dell Support 3.2.1
Dell System Restore
Dell Wireless WLAN Card
Destinations
DeviceManagementQFolder
Digital Content Portal
Digital Line Detect
Dr Lynch Grave Secrets
EarthLink Setup Files
eSupportQFolder
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
Home Designer Manufacturer Libraries
Home Designer Suite 8
Home Designer Tutorial Training Videos
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Extended Capabilities 5.3
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Essential
HP Product Assistant
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPProductAssistant
InstallMgr
Intel(R) Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
KaZaA Music Plugin
Learn2 Player (Uninstall Only)
Lexmark 6500 Series
Lexmark 840 Series
LimeWire 4.18.3
LiveUpdate 2.7 (Symantec Corporation)
Mahjong Towers Eternity (remove only)
MarketResearch
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync 3.7
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mixer
Modem Helper
Move Media Player
MSN
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music Manager
My Wal-Mart Digital Photo Center
MySpaceIM
Mystery Case Files - Huntsville (remove only)
Mystery Case Files - Ravenhearst (remove only)
NetWaiting
Norton AntiVirus Corporate Edition
OpenOffice.org Installer 1.0
OutlookAddinSetup
PS380
PSPrinters08
PSTAPlugin
PureEdge Viewer 6.5
QuickSet
QuickTime
RealPlayer Basic
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SearchAssist
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SolutionCenter
Sonic Activation Module
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB Demo
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Status
Synaptics Pointing Device Driver
TrayApp
Undiscovered World The Incan Sun
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URL Assistant
VC 9.0 Runtime
Viewpoint Media Player
Virtual Earth 3D (Beta)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Browser Services
Yahoo! BrowserPlus
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Music Jukebox
Yahoo! Search Protection
Yahoo! Toolbar
ZoneAlarm
ZoneAlarm Spy Blocker

==== Event Viewer Messages From Past Week ========

3/27/2010 5:19:20 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
3/27/2010 5:19:20 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\MFC80.DLL. Reference error message: The operation completed successfully. .
3/27/2010 5:19:19 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
3/22/2010 5:42:59 PM, error: Print [6161] - The document Test Page owned by B J Sheridan failed to print on printer Lexmark 6500 Series. Data type: LEMF. Size of the spool file in bytes: 1048080. Number of bytes printed: 1048080. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\BERNICE. Win32 error code returned by the print processor: 0 (0x0).
3/20/2010 2:40:08 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxdfCATSCustConnectService service to connect.
3/20/2010 2:40:08 PM, error: Service Control Manager [7000] - The Norton AntiVirus Auto-Protect Service service failed to start due to the following error: The system cannot find the path specified.
3/20/2010 2:40:08 PM, error: Service Control Manager [7000] - The lxdfCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================


Also, I ran the malware program and that went well. After restart there aren't any more Norton pop-ups for the infostealer.


So here is the MBAM log:

Malwarebytes' Anti-Malware 1.44
Database version: 3922
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

3/27/2010 6:07:16 PM
mbam-log-2010-03-27 (18-06-57).txt

Scan type: Quick Scan
Objects scanned: 144458
Time elapsed: 31 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\0040.DLL (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> No action taken.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bibwvtfy (Trojan.FakeAlert.Gen) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bibwvtfy (Trojan.FakeAlert.Gen) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appinit_dlls (Trojan.Witkinat) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\crntdll (Trojan.Witkinat) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\0040.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: system32\0040.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\0040.DLL (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\WORK.DAT (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\wupd.dat (Malware.Trace) -> No action taken.


I'm about to run combo-fix. My next posting will be an update after that is done.

Thanks again.



#5
March 27, 2010 at 18:16:43
Well, Combo fix is done. Here is the log:

ComboFix 10-03-27.02 - B J Sheridan 03/27/2010 20:42:33.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.495 [GMT -4:00]
Running from: c:\documents and settings\B J Sheridan\Desktop\Combo-Fix.exe
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-27 21:32 . 2010-03-27 21:32 -------- d-----w- c:\documents and settings\B J Sheridan\Application Data\Malwarebytes
2010-03-27 21:32 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-27 21:32 . 2010-03-27 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-27 21:32 . 2010-03-27 21:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-27 21:32 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 00:44 . 2006-08-01 05:53 40960 ----a-w- c:\windows\system32\lxdfvs.dll
2010-03-15 00:44 . 2007-05-03 19:50 348160 ----a-w- c:\windows\system32\lxdfcoin.dll
2010-03-15 00:44 . 2007-05-25 17:42 113664 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdfdrpp.dll
2010-03-15 00:42 . 2007-05-24 20:24 692224 ----a-w- c:\windows\system32\lxdfdrs.dll
2010-03-15 00:42 . 2007-05-22 14:09 65536 ----a-w- c:\windows\system32\lxdfcaps.dll
2010-03-15 00:42 . 2007-04-17 14:17 69632 ----a-w- c:\windows\system32\lxdfcnv4.dll
2010-03-15 00:39 . 2007-05-24 11:41 45056 ----a-w- c:\windows\system32\LXDFPMON.DLL
2010-03-15 00:39 . 2007-05-24 11:41 32768 ----a-w- c:\windows\system32\LXDFFXPU.DLL
2010-03-15 00:39 . 2007-04-09 14:59 69632 ----a-w- c:\windows\system32\lxdfoem.dll
2010-03-15 00:38 . 2010-03-15 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\6500 Series
2010-03-15 00:32 . 2006-10-26 14:10 1645320 ----a-w- c:\windows\system32\gdiplus.dll
2010-03-15 00:30 . 2007-05-17 17:56 860160 ----a-w- c:\windows\system32\lxdfcomc.dll
2010-03-15 00:30 . 2007-05-29 10:06 365488 ----a-w- c:\windows\system32\lxdfcfg.exe
2010-03-15 00:30 . 2007-05-11 01:52 77906 ----a-w- c:\windows\system32\lxdfcfg.dll
2010-03-15 00:30 . 2010-03-15 01:52 -------- d-----w- c:\program files\Lexmark 6500 Series
2010-03-10 18:41 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
2010-03-06 14:58 . 2010-03-13 04:00 -------- d-----w- c:\documents and settings\B J Sheridan\Local Settings\Application Data\sqjlsb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-27 22:15 . 2009-10-26 23:56 -------- d-----w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp
2010-03-27 22:12 . 2007-06-18 04:04 7930061 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-22 17:27 . 2008-01-24 14:54 -------- d-----w- c:\program files\Mystery Case Files - Ravenhearst
2010-03-19 22:12 . 2009-06-22 02:23 885736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-03-18 23:45 . 2008-10-10 16:22 -------- d-----w- c:\program files\Mahjong Towers Eternity
2010-03-18 23:35 . 2008-01-24 14:38 -------- d-----w- c:\program files\Mystery Case Files - Huntsville
2010-03-15 00:24 . 2007-01-31 01:37 -------- d-----w- c:\program files\Yahoo!
2010-03-15 00:24 . 2009-11-28 21:05 -------- d-----w- c:\program files\QuickTime
2010-03-15 00:23 . 2007-01-31 01:27 -------- d-----w- c:\program files\Modem Helper
2010-03-15 00:23 . 2007-02-23 17:25 -------- d-----w- c:\program files\Lavasoft
2010-03-15 00:23 . 2009-04-29 05:14 -------- d-----w- c:\program files\FMC
2010-03-15 00:23 . 2007-01-31 01:24 -------- d-----w- c:\program files\Dell
2010-03-15 00:22 . 2007-01-31 01:29 -------- d-----w- c:\program files\Common Files\aolshare
2010-03-15 00:18 . 2007-01-31 01:29 -------- d-----w- c:\program files\America Online 9.0
2010-03-08 20:28 . 2010-03-09 00:24 2343936 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2010-03-08 14:07 . 2010-03-08 15:53 2346496 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2010-03-05 18:23 . 2007-12-19 21:28 -------- d-----w- c:\program files\lx_Cats
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-03-27 22:15 6870864 ---ha-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\in00000\setup.exe
2010-02-26 23:51 . 2010-03-02 14:36 6870864 ---ha-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\Upgrade\setup1.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-03-27 22:15 743872 ---ha-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\ar00000\install.exe
2010-02-26 23:45 . 2010-03-02 14:36 743872 ---ha-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\Upgrade\install1.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp\cdloader2.exe
2010-02-24 21:52 . 2009-11-28 21:02 -------- d-----w- c:\program files\Common Files\Apple
2010-02-23 15:15 . 2010-02-23 16:06 2331136 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2010-02-20 16:20 . 2009-10-27 18:57 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-20 16:20 . 2009-10-27 18:57 95024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2010-02-20 16:20 . 2010-02-20 16:20 598368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScanner.dll
2010-02-20 16:20 . 2009-10-27 18:56 566608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\sbap.dll
2010-02-20 16:20 . 2009-05-30 17:03 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-20 16:20 . 2009-03-03 11:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-20 16:20 . 2009-10-27 18:55 1230160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBTE.dll
2010-02-20 16:20 . 2009-10-27 18:55 247120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\SBRE.dll
2010-02-20 16:20 . 2009-06-22 02:23 6330848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-20 16:20 . 2010-02-20 16:20 17480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\EmailScannerBridge.dll
2010-02-20 16:14 . 2010-02-20 16:13 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-14 01:03 . 2009-11-28 21:10 -------- d-----w- c:\documents and settings\B J Sheridan\Application Data\Apple Computer
2010-02-12 21:46 . 2010-02-12 21:47 2302976 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2010-02-10 03:49 . 2010-02-10 11:55 2295808 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2010-02-09 23:13 . 2007-04-03 18:59 -------- d-----w- c:\program files\IncrediMail
2010-02-04 23:52 . 2010-02-04 23:54 2283520 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2010-02-04 19:51 . 2009-09-21 22:25 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-04 15:53 . 2010-02-20 16:13 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-02-04 15:53 . 2009-03-02 23:25 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-04 13:26 . 2010-02-04 14:39 2278400 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2010-02-03 13:35 . 2010-02-03 15:52 2277888 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2010-01-30 15:03 . 2010-01-30 15:12 2272256 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2010-01-27 13:51 . 2009-06-22 02:23 8 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Savapibridge.dll
2010-01-26 13:03 . 2010-01-26 16:05 2268672 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2010-01-05 10:00 . 2004-08-10 18:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-07-14 10:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 23:49 . 2010-01-04 23:56 2238464 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2009-12-31 16:50 . 2004-08-10 18:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-03-02 23:17 . 2009-03-02 22:07 34543112 ----a-w- c:\program files\Ad-AwareAE.exe
2008-02-18 17:44 . 2008-02-18 17:43 186713874 ----a-w- c:\program files\MahjonggMaster4.exe
2008-02-10 12:32 . 2008-02-10 12:32 432576 ----a-w- c:\program files\MySpaceIM_Setup.exe
2007-04-28 07:20 . 2007-04-28 07:20 10227070 ----a-w- c:\program files\Viewer_6_5_Download.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ampmdm"="c:\program files\Altnet Music Plugin\AMPMDM.exe" [2009-03-27 423016]
"cdloader"="c:\documents and settings\B J Sheridan\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-31 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"LXDBCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll" [2006-10-20 73728]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-19 818256]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\lxdbcoms.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\WINDOWS\\system32\\lxdfcoms.exe"=
"c:\\WINDOWS\\system32\\lxdfcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfwbgw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\B J Sheridan\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2009 7:25 PM 64288]
R2 lxdb_device;lxdb_device;c:\windows\system32\lxdbcoms.exe -service --> c:\windows\system32\lxdbcoms.exe -service [?]
R2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe -service --> c:\windows\system32\lxdfcoms.exe -service [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1263728]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdfserv.exe [3/14/2010 8:44 PM 99248]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NAVENG
*NewlyCreated* - NAVEX15
.
Contents of the 'Scheduled Tasks' folder

2010-03-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 22:11]

2010-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-28 c:\windows\Tasks\User_Feed_Synchronization-{14207B9A-20D9-4A2E-A58B-577DD41EF930}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:58]

2010-03-26 c:\windows\Tasks\{13C34822-A2C1-40E3-A1BF-F8422136621C}_BERNICE_B J Sheridan.job
- c:\windows\system32\mobsync.exe [2004-08-10 00:12]

2010-03-26 c:\windows\Tasks\{2B137463-BC8F-40CF-93D3-A2045E49292B}_BERNICE_B J Sheridan.job
- c:\windows\system32\mobsync.exe [2004-08-10 00:12]

2010-03-26 c:\windows\Tasks\{9E84B429-CDCE-4EF7-9C9B-9FB3D2EE2C02}_BERNICE_B J Sheridan.job
- c:\windows\system32\mobsync.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://middlegeorgia.cox.net/cci/home
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://thelearningplace.no-ip.biz/ActiveView.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-lxdfmon.exe - c:\program files\Lexmark 6500 Series\lxdfmon.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-27 21:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDBCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\NavLogon.dll
.
Completion time: 2010-03-27 21:10:33
ComboFix-quarantined-files.txt 2010-03-28 01:10

Pre-Run: 43,133,247,488 bytes free
Post-Run: 43,424,014,336 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 0D03A9D7E22F4AC46E23DFC6621DD024

Everything else seems fine. I'm gonna re-start and check for follow-up instructions.

Thanks,



#6
March 27, 2010 at 19:59:02
Looks like a fox still in the hen house.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
Folder::
c:\documents and settings\B J Sheridan\Local Settings\Application Data\sqjlsb

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.



#7
March 28, 2010 at 07:41:36
Well, I ran Combo Fix by dropping the text file onto it per previous instructions, but when I was logging onto this page, I got the blue screen of death. I think it said something about a paged error in a non-paged area.
But restart went well. Here is the log from combo-fix:

ComboFix 10-03-27.03 - B J Sheridan 03/28/2010 9:46.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.310 [GMT -4:00]
Running from: c:\documents and settings\B J Sheridan\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\B J Sheridan\Desktop\CFScript.txt
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\B J Sheridan\Local Settings\Application Data\sqjlsb

.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.

2010-03-28 00:35 . 2010-03-28 01:10 -------- d-----w- C:\Combo-Fix
2010-03-27 21:32 . 2010-03-27 21:32 -------- d-----w- c:\documents and settings\B J Sheridan\Application Data\Malwarebytes
2010-03-27 21:32 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-27 21:32 . 2010-03-27 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-27 21:32 . 2010-03-27 21:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-27 21:32 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-15 00:44 . 2006-08-01 05:53 40960 ----a-w- c:\windows\system32\lxdfvs.dll
2010-03-15 00:44 . 2007-05-03 19:50 348160 ----a-w- c:\windows\system32\lxdfcoin.dll
2010-03-15 00:44 . 2007-05-25 17:42 113664 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxdfdrpp.dll
2010-03-15 00:42 . 2007-05-24 20:24 692224 ----a-w- c:\windows\system32\lxdfdrs.dll
2010-03-15 00:42 . 2007-05-22 14:09 65536 ----a-w- c:\windows\system32\lxdfcaps.dll
2010-03-15 00:42 . 2007-04-17 14:17 69632 ----a-w- c:\windows\system32\lxdfcnv4.dll
2010-03-15 00:39 . 2007-05-24 11:41 45056 ----a-w- c:\windows\system32\LXDFPMON.DLL
2010-03-15 00:39 . 2007-05-24 11:41 32768 ----a-w- c:\windows\system32\LXDFFXPU.DLL
2010-03-15 00:39 . 2007-04-09 14:59 69632 ----a-w- c:\windows\system32\lxdfoem.dll
2010-03-15 00:38 . 2010-03-15 00:38 -------- d-----w- c:\documents and settings\All Users\Application Data\6500 Series
2010-03-15 00:32 . 2006-10-26 14:10 1645320 ----a-w- c:\windows\system32\gdiplus.dll
2010-03-15 00:30 . 2007-05-17 17:56 860160 ----a-w- c:\windows\system32\lxdfcomc.dll
2010-03-15 00:30 . 2007-05-29 10:06 365488 ----a-w- c:\windows\system32\lxdfcfg.exe
2010-03-15 00:30 . 2007-05-11 01:52 77906 ----a-w- c:\windows\system32\lxdfcfg.dll
2010-03-15 00:30 . 2010-03-15 01:52 -------- d-----w- c:\program files\Lexmark 6500 Series
2010-03-10 18:41 . 2009-10-23 15:28 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-28 13:19 . 2008-10-10 16:22 -------- d-----w- c:\program files\Mahjong Towers Eternity
2010-03-27 22:15 . 2009-10-26 23:56 -------- d-----w- c:\documents and settings\B J Sheridan\Application Data\mjusbsp
2010-03-27 22:12 . 2007-06-18 04:04 7930061 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-03-22 17:27 . 2008-01-24 14:54 -------- d-----w- c:\program files\Mystery Case Files - Ravenhearst
2010-03-18 23:35 . 2008-01-24 14:38 -------- d-----w- c:\program files\Mystery Case Files - Huntsville
2010-03-15 00:24 . 2007-01-31 01:37 -------- d-----w- c:\program files\Yahoo!
2010-03-15 00:24 . 2009-11-28 21:05 -------- d-----w- c:\program files\QuickTime
2010-03-15 00:23 . 2007-01-31 01:27 -------- d-----w- c:\program files\Modem Helper
2010-03-15 00:23 . 2007-02-23 17:25 -------- d-----w- c:\program files\Lavasoft
2010-03-15 00:23 . 2009-04-29 05:14 -------- d-----w- c:\program files\FMC
2010-03-15 00:23 . 2007-01-31 01:24 -------- d-----w- c:\program files\Dell
2010-03-15 00:22 . 2007-01-31 01:29 -------- d-----w- c:\program files\Common Files\aolshare
2010-03-15 00:18 . 2007-01-31 01:29 -------- d-----w- c:\program files\America Online 9.0
2010-03-08 20:28 . 2010-03-09 00:24 2343936 ----a-w- c:\windows\Internet Logs\xDB24.tmp
2010-03-08 14:07 . 2010-03-08 15:53 2346496 ----a-w- c:\windows\Internet Logs\xDB23.tmp
2010-03-05 18:23 . 2007-12-19 21:28 -------- d-----w- c:\program files\lx_Cats
2010-02-24 21:52 . 2009-11-28 21:02 -------- d-----w- c:\program files\Common Files\Apple
2010-02-23 15:15 . 2010-02-23 16:06 2331136 ----a-w- c:\windows\Internet Logs\xDB22.tmp
2010-02-20 16:20 . 2009-10-27 18:57 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-20 16:20 . 2009-03-03 11:43 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-20 16:14 . 2010-02-20 16:13 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-02-14 01:03 . 2009-11-28 21:10 -------- d-----w- c:\documents and settings\B J Sheridan\Application Data\Apple Computer
2010-02-12 21:46 . 2010-02-12 21:47 2302976 ----a-w- c:\windows\Internet Logs\xDB21.tmp
2010-02-10 03:49 . 2010-02-10 11:55 2295808 ----a-w- c:\windows\Internet Logs\xDB20.tmp
2010-02-09 23:13 . 2007-04-03 18:59 -------- d-----w- c:\program files\IncrediMail
2010-02-04 23:52 . 2010-02-04 23:54 2283520 ----a-w- c:\windows\Internet Logs\xDB1F.tmp
2010-02-04 15:53 . 2009-03-02 23:25 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-04 13:26 . 2010-02-04 14:39 2278400 ----a-w- c:\windows\Internet Logs\xDB1E.tmp
2010-02-03 13:35 . 2010-02-03 15:52 2277888 ----a-w- c:\windows\Internet Logs\xDB1D.tmp
2010-01-30 15:03 . 2010-01-30 15:12 2272256 ----a-w- c:\windows\Internet Logs\xDB1C.tmp
2010-01-26 13:03 . 2010-01-26 16:05 2268672 ----a-w- c:\windows\Internet Logs\xDB1B.tmp
2010-01-05 10:00 . 2004-08-10 18:51 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-07-14 10:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 23:49 . 2010-01-04 23:56 2238464 ----a-w- c:\windows\Internet Logs\xDB1A.tmp
2009-12-31 16:50 . 2004-08-10 18:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-03-02 23:17 . 2009-03-02 22:07 34543112 ----a-w- c:\program files\Ad-AwareAE.exe
2008-02-18 17:44 . 2008-02-18 17:43 186713874 ----a-w- c:\program files\MahjonggMaster4.exe
2008-02-10 12:32 . 2008-02-10 12:32 432576 ----a-w- c:\program files\MySpaceIM_Setup.exe
2007-04-28 07:20 . 2007-04-28 07:20 10227070 ----a-w- c:\program files\Viewer_6_5_Download.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ampmdm"="c:\program files\Altnet Music Plugin\AMPMDM.exe" [2009-03-27 423016]
"cdloader"="c:\documents and settings\B J Sheridan\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-22 1392640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2005-02-23 57344]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2007-01-31 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-05-02 184320]
"vptray"="c:\program files\NavNT\vptray.exe" [2001-09-24 73728]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"LXDBCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll" [2006-10-20 73728]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-19 818256]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"lxdfamon"="c:\program files\Lexmark 6500 Series\lxdfamon.exe" [2007-06-01 20480]
"Lexmark 6500 Series Fax Server"="c:\program files\Lexmark 6500 Series\fm3032.exe" [2007-06-11 308144]
"ISUSPM Startup"="c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-02-01 8699904]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\WINDOWS\\system32\\lxdbcoms.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\WINDOWS\\system32\\lxdfcoms.exe"=
"c:\\WINDOWS\\system32\\lxdfcfg.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdftime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfjswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdfwbgw.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\B J Sheridan\\Application Data\\mjusbsp\\magicJack.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/2/2009 7:25 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1263728]
R2 lxdb_device;lxdb_device;c:\windows\system32\lxdbcoms.exe -service --> c:\windows\system32\lxdbcoms.exe -service [?]
R2 lxdf_device;lxdf_device;c:\windows\system32\lxdfcoms.exe -service --> c:\windows\system32\lxdfcoms.exe -service [?]
S2 lxdfCATSCustConnectService;lxdfCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdfserv.exe [3/14/2010 8:44 PM 99248]
.
Contents of the 'Scheduled Tasks' folder

2010-03-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 22:11]

2010-03-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-28 c:\windows\Tasks\User_Feed_Synchronization-{14207B9A-20D9-4A2E-A58B-577DD41EF930}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:58]

2010-03-26 c:\windows\Tasks\{13C34822-A2C1-40E3-A1BF-F8422136621C}_BERNICE_B J Sheridan.job
- c:\windows\system32\mobsync.exe [2004-08-10 00:12]

2010-03-26 c:\windows\Tasks\{2B137463-BC8F-40CF-93D3-A2045E49292B}_BERNICE_B J Sheridan.job
- c:\windows\system32\mobsync.exe [2004-08-10 00:12]

2010-03-26 c:\windows\Tasks\{9E84B429-CDCE-4EF7-9C9B-9FB3D2EE2C02}_BERNICE_B J Sheridan.job
- c:\windows\system32\mobsync.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://middlegeorgia.cox.net/cci/home
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} - hxxp://thelearningplace.no-ip.biz/ActiveView.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-28 10:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDBCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDBtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3144)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdbcoms.exe
c:\windows\system32\lxdfcoms.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NavNT\rtvscan.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\stsystra.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\MsgSys.EXE
c:\program files\Microsoft ActiveSync\WCESCOMM.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-03-28 10:25:15 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-28 14:25
ComboFix2.txt 2010-03-28 01:10

Pre-Run: 45,053,538,304 bytes free
Post-Run: 45,008,539,648 bytes free

- - End Of File - - B25DD976ED12A7C7E6114493D9364DE6

Awaiting further advice.

Thanks again.


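As an added example (not from the thread, and not part of ComboFix itself), a small Python triage script that parses a "Reg Loading Points" block in the format ComboFix prints above and flags the entries a helper would look at first: autoruns launched from user-writable profile directories (like the cdloader entry), bare filenames that Windows resolves through the search path, and the Security Center and firewall-policy overrides. The excerpt it parses is constructed from entries in the log above; the flags are review prompts, not verdicts.

```python
import re

# Constructed excerpt in ComboFix's "Reg Loading Points" format, built from
# entries that appear in the log above (not the complete log).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"cdloader"="c:\documents and settings\B J Sheridan\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# Matches  "name"="quoted path" [date size]  as well as  "name"=dword:00000001  and  "name"= 0 (0x0)
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:"(?P<path>[^"]*)"|(?P<raw>\S+))')

# Directories a non-admin user can write to; an autorun living here deserves a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_loading_points(text):
    """Return (registry key, value name, value data) triples from a Reg Loading Points block."""
    entries, key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("path") or m.group("raw")))
    return entries


def _dword(value):
    """Convert 'dword:00000001' or a bare '0' to an int."""
    return int(value.split(":")[-1], 16)


def triage(entries):
    """Return human-readable review prompts for the entries worth checking by hand."""
    findings = []
    for key, name, value in entries:
        k, v = key.lower(), value.lower()
        if k.endswith("\\run"):
            if any(d in v for d in USER_WRITABLE):
                findings.append(f"{name}: autorun from user-writable directory ({value})")
            elif "\\" not in v:
                findings.append(f"{name}: bare filename resolved via the search path ({value})")
        elif k.endswith("security center") and name == "AntiVirusOverride" and _dword(v) != 0:
            findings.append("Security Center anti-virus monitoring is overridden")
        elif "firewallpolicy" in k and name == "EnableFirewall" and _dword(v) == 0:
            findings.append("Windows Firewall is disabled for the standard profile")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_loading_points(SAMPLE_LOG)):
        print(finding)
```

On the excerpt above it reports the cdloader entry, the bare stsystra.exe entry, the AntiVirusOverride setting and the disabled firewall policy; whether each is benign (here a third-party firewall and a known audio tray applet) is still the reviewer's call.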

#8
March 28, 2010 at 08:16:44
Hello There

Found this blog. It has some stuff that might help you.

http://computerhighland.blogspot.co...

Bless thee Keep thee



#9
March 28, 2010 at 08:36:13
That particular blue screen usually means Windows is looking for a driver it cannot find, bad RAM (stick of memory), video RAM or new hardware.

I suspect it is blue screening because of these entries from your event log:

3/27/2010 5:19:20 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
3/27/2010 5:19:20 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.91_x-ww_decbdf0c\MFC80.DLL. Reference error message: The operation completed successfully. .
3/27/2010 5:19:19 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.

Which Microsoft says is caused by this:

This problem occurs because the run-time libraries are not installed on the Microsoft Dynamics CRM server. The applications that use side-by-side libraries cannot run without the run-time libraries.

And can be resolved as follows:

To resolve this problem, use the Microsoft Visual C++ 2005 Redistributable Package to install the runtime libraries. For more information about the Microsoft Visual C++ 2005 Redistributable Package, visit the following Microsoft Web site:

Microsoft Download Site


If you do not think this would be the cause of your problem post a new DDS log so we can look at the updated event log entries.



#10
March 28, 2010 at 09:36:13
Okay, I downloaded and installed the C++ 2005 Redistributable Package and everything seems fine. Of course I only got the blue screen that one time.

So, how did the ComboFix log I entered look?

Any additional advice, or am I done?



#11
March 28, 2010 at 09:46:50
The Combofix log is clean.

A little clean-up to do.

Delete DDS from your desktop

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix) then press enter> run. This will uninstall combofix so give the uninstaller a minute to run.

Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next create a new restore point. Go to start> run> type in msconfig> ok> click launch system restore> check the circle beside "create a restore point"> next> name it today's date> create > click home > exit the system configuration utility> restart the computer.

You should consider adding "Spywareblaster" to your arsenal of antispyware tools, you can download it from this link Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.



#12
March 28, 2010 at 14:44:51
Ok awesome. I deleted the dds file and uninstalled ComboFix. I've cut and paste the remaining instructions so I can do them later.

I run Spybot and AdAware. Will Spywareblaster conflict with either of them?

Thanks again.



#13
March 28, 2010 at 14:59:58
No conflicts with Spywareblaster that I am aware of. Happy surfing.


#14
March 28, 2010 at 15:54:12
Remaining cleanup instructions have been complied with. Spywareblaster seems happy alongside the others.

All is well. Thanks again so much for your time!



#15
March 28, 2010 at 16:21:52
dbsheridan, ... my pleasure...jabuck
