POS temp files

Gigabyte / Awrdacpi
January 24, 2009 at 14:22:03
Specs: Microsoft Windows XP Professional, 3.014 GHz / 1023 MB
I just deleted over 5000 POS tmp files from my C drive. What else do I need to do to make sure this problem is taken care of?
Thanks for any help!!!


#1
January 24, 2009 at 16:46:50
Run the following scans and post their logs please.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename mbam-setup.exe to tool.exe, then click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This

Rename the setup file, HJTInstall.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename HJTInstall.exe to tools.exe, then click Save.
1. Save "tools.exe" to your desktop.
2. Double click on tools.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

#2
January 25, 2009 at 04:59:52
Malwarebytes' Anti-Malware 1.33
Database version: 1691
Windows 5.1.2600 Service Pack 3

1/25/2009 7:46:51 AM
mbam-log-2009-01-25 (07-46-51).txt

Scan type: Quick Scan
Objects scanned: 108326
Time elapsed: 21 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3a2ff3c5-edff-46ce-bba0-7a68b2499dba} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1c2e5d27-a17c-4d89-85dd-3553c189380d} (Adware.RABCO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a95b2816-1d7e-4561-a202-68c0de02353a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3a2ff3c5-edff-46ce-bba0-7a68b2499dba} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RABCO (Adware.RABCO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xb8 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ff3 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cms4 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iDlo18 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\' (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\dzrdairw.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\RABCO\un_RABCOSetup_16230.exe (Adware.RABCO) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regedit.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmd.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ping.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\n.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netstat.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tasklist.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tracert.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM632dda3d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM632dda3d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nqtwa.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeffrey\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lura\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:05 AM, on 1/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxdicoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
D:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
D:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
D:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Research In Motion\AppLoader\Loader.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\Jeffrey\Desktop\tools.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: (no name) - {4CF818E3-7EC9-4DCF-81DB-9490914FCA51} - (no file)
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - D:\Program Files\SysShield Tools\Internet Eraser\pkext.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - D:\Program Files\SysShield Tools\Internet Eraser\AbsoluteBar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Carbonite Backup] "C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe"
O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] "C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKCU\..\Run: [RIMDeviceManager] "C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" -RunServer
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - Startup: AbsoluteShield Internet Eraser.lnk = D:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
O4 - Startup: Desktop Manager.lnk = D:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Startup: HotSync Manager.lnk = D:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/instal...
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccomm...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/instal...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: dzrdairw - dzrdairw.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
O23 - Service: lxdi_device - - C:\WINDOWS\system32\lxdicoms.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 10711 bytes

Thanks so much for looking at this!!
Jeff

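An added triage script, not part of this thread or of the Malwarebytes / HijackThis tools, run over lines excerpted from the two logs above. It lists the built-in system32 tools that the quarantined .com files shadowed (cmd.exe resolves an extension-less command through PATHEXT in order, and the default order puts .COM before .EXE, so a ping.com beside ping.exe is what runs when `ping` is typed) and the HijackThis entries that still point at a missing file and so deserve a manual look; the WINDOWS_TOOLS shortlist is a constructed assumption.

```python
"""Triage helpers for the two logs posted above.

Added example, not part of this thread or of Malwarebytes / HijackThis.
Two checks a responder wants after the quarantine:

1. MBAM "Files Infected" entries that are .com files in system32 sharing a
   base name with a built-in Windows .exe (cmd.com, ping.com, netstat.com).
   cmd.exe resolves an extension-less command via PATHEXT in order, and the
   default order puts .COM before .EXE, so such a file runs instead of the
   real tool.  Knowing which tools were shadowed tells you which diagnostic
   output from before the cleanup cannot be trusted.
2. HijackThis entries whose target is "(no file)" or "(file missing)":
   registry pointers orphaned when the component behind them was removed.
"""
import re

# Lines excerpted from the MBAM and HijackThis logs posted in this thread.
MBAM_EXCERPT = r"""
Files Infected:
C:\WINDOWS\system32\dzrdairw.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\regedit.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cmd.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ping.com (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netstat.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tasklist.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tracert.com (Worm.Alcra) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeffrey\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

HJT_EXCERPT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CF818E3-7EC9-4DCF-81DB-9490914FCA51} - (no file)
O20 - Winlogon Notify: dzrdairw - dzrdairw.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# One MBAM result line: <path> (<family>) -> <action>
MBAM_LINE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")
# One HijackThis line: <section code> - <rest>
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.+)$")

# Built-in command-line tools that ship as .exe in system32.  Constructed
# shortlist for this example; on a real job, build it from a known-good install.
WINDOWS_TOOLS = {"cmd", "regedit", "ping", "netstat", "tasklist", "tracert", "taskkill", "ipconfig"}
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_mbam(text):
    """Yield (path, family, action) for every MBAM result line."""
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            yield m.group("path"), m.group("family"), m.group("action")


def shadowed_tools(text):
    """Return [(tool, family)] for quarantined system32 .com files that shadow a built-in .exe."""
    hits = []
    for path, family, _action in parse_mbam(text):
        parts = path.lower().split("\\")
        if len(parts) < 3 or parts[-2] != "system32" or not parts[-1].endswith(".com"):
            continue
        stem = parts[-1][:-len(".com")]
        if stem in WINDOWS_TOOLS:
            hits.append((stem, family))
    return hits


def orphaned_entries(text):
    """Return [(code, entry)] for HijackThis lines whose target file no longer exists."""
    hits = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m and m.group("rest").endswith(ORPHAN_MARKERS):
            hits.append((m.group("code"), m.group("rest")))
    return hits


if __name__ == "__main__":
    print("Shadowed built-in tools (re-verify anything these produced before cleanup):")
    for tool, family in shadowed_tools(MBAM_EXCERPT):
        print(f"  {tool}.exe was shadowed by {tool}.com ({family})")
    print("HijackThis entries pointing at a missing file (candidates for manual review):")
    for code, entry in orphaned_entries(HJT_EXCERPT):
        print(f"  {code}: {entry}")
```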
#3
January 25, 2009 at 07:30:15
It does not look like you have an antivirus program installed, unless you have Webroot's antivirus installed along with Spy Sweeper.

If you do not have an antivirus installed (you only need one antivirus), you need to install one before you continue or you will be reinfected in a short time.

You can download the free version of AVG antivirus at this link:
AVG Free Antivirus

Update it once you get it installed.

We will need to disable the antivirus program to run some scans. To do this click the AVG icon in the systray (bottom right of your screen)> then click exit.

Your java is out of date and may have been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 11 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG antivirus, and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that once the "enter name of file to save to" box appears as the download begins in the filename box rename combofix.exe to toolb.exe> click save.

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline, turn off your AVG or Webroot antivirus, Spy Sweeper and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.

#4
January 25, 2009 at 12:14:04
ComboFix 09-01-21.04 - Jeffrey 2009-01-25 14:25:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.613 [GMT -5:00]
Running from: c:\documents and settings\Jeffrey\Desktop\toolb.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeffrey\Application Data\inst.exe
c:\program files\winupdates
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\isgTi19
c:\temp\isgTi19\lPig.log
c:\temp\sanR24
c:\temp\sanR24\lDii.log
c:\windows\system32\bszip.dll
c:\windows\system32\dikjejqe.ini
c:\windows\system32\inxxsofq.ini
c:\windows\system32\legycbnk.ini
c:\windows\system32\lljkeitj.ini
c:\windows\system32\mtfiaijm.ini
c:\windows\system32\nGpxx18
c:\windows\system32\nqtwa.ini2
c:\windows\system32\rfmribok.ini
c:\windows\system32\taskkill.com
I:\services.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-25 to 2009-01-25 )))))))))))))))))))))))))))))))
.

2009-01-25 14:16 . 2009-01-25 14:16 <DIR> d-------- c:\program files\Java
2009-01-25 14:16 . 2009-01-25 14:16 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-25 14:16 . 2009-01-25 14:16 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 09:28 . 2009-01-25 09:28 <DIR> d-------- c:\program files\Windows Resource Kits
2009-01-25 09:19 . 2009-01-25 09:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Research In Motion
2009-01-24 22:12 . 2009-01-24 22:12 <DIR> d-------- c:\documents and settings\Jeffrey\Application Data\Malwarebytes
2009-01-24 22:12 . 2009-01-24 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-24 22:12 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-24 22:12 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-24 18:21 . 2009-01-24 18:21 <DIR> d-------- c:\documents and settings\Jeffrey\Application Data\InstallShield
2009-01-24 18:15 . 2009-01-24 18:16 <DIR> d-------- c:\program files\Roxio
2009-01-24 18:15 . 2009-01-24 18:15 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2009-01-24 16:35 . 2009-01-25 15:06 256 --a------ c:\documents and settings\Jeffrey\pool.bin
2009-01-24 14:28 . 2009-01-24 14:28 <DIR> d-------- c:\documents and settings\Jeffrey\Application Data\Research In Motion
2009-01-24 14:28 . 2009-01-25 14:00 256 --a------ c:\windows\system32\pool.bin
2009-01-24 10:26 . 2009-01-24 10:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2009-01-24 10:26 . 2009-01-24 10:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2009-01-24 10:20 . 2009-01-24 18:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2009-01-24 10:19 . 2009-01-24 18:17 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2009-01-24 10:12 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-24 10:10 . 2009-01-24 17:53 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-16 08:37 . 2009-01-16 08:37 <DIR> d-------- c:\documents and settings\KC\Application Data\Logitech
2009-01-15 09:22 . 2009-01-15 09:22 <DIR> d-------- c:\documents and settings\Lura\Application Data\Logitech
2009-01-14 21:31 . 2009-01-14 21:31 <DIR> d-------- c:\documents and settings\Jeffrey\Application Data\Logitech
2009-01-14 21:30 . 2009-01-14 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd
2009-01-14 21:30 . 2008-09-26 09:52 10,384 --a------ c:\windows\system32\drivers\LBeepKE.sys
2009-01-14 21:29 . 2009-01-14 21:29 <DIR> d-------- c:\program files\Common Files\Logishrd
2009-01-14 21:29 . 2009-01-14 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2009-01-14 21:29 . 2008-11-07 16:37 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2009-01-14 21:29 . 2008-11-07 16:38 170,512 --a------ c:\windows\system32\kemutb.dll
2009-01-14 21:29 . 2008-11-07 16:38 145,936 --a------ c:\windows\system32\KemUtil.dll
2009-01-14 21:29 . 2008-11-07 16:38 117,264 --a------ c:\windows\system32\KemWnd.dll
2009-01-14 21:29 . 2008-11-07 16:38 84,496 --a------ c:\windows\system32\KemXML.dll
2009-01-04 18:53 . 2009-01-25 07:44 65 --a------ c:\windows\iTouch.ini
2009-01-04 18:50 . 2009-01-04 18:50 81,920 -r------- c:\windows\bwUnin-6.1.4.61-8876480L.exe
2009-01-04 18:49 . 2003-11-14 09:50 155,648 --a------ c:\windows\system32\ifc21.dll
2009-01-04 18:49 . 2003-11-07 04:50 152,064 --------- c:\windows\system32\lmoufrc.dll
2009-01-04 18:49 . 2003-11-14 09:50 104,960 --a------ c:\windows\system32\COMNCTR.DLL
2009-01-04 18:49 . 2003-11-14 09:50 97,792 --a------ c:\windows\system32\LGUICOM.DLL
2009-01-04 18:49 . 2003-11-14 09:50 94,208 --a------ c:\windows\system32\FEELIT.DLL
2009-01-04 18:49 . 2003-11-07 04:50 70,798 --a------ c:\windows\system32\drivers\LMouFlt2.Sys
2009-01-04 18:49 . 2003-11-07 04:50 51,486 --------- c:\windows\system32\drivers\L8042PR2.SYS
2009-01-04 18:49 . 2003-11-07 04:50 25,502 --a------ c:\windows\system32\drivers\LHidFlt2.Sys
2009-01-04 18:49 . 2003-11-07 04:50 23,372 --------- c:\windows\system32\LCOINST.DLL
2009-01-04 18:49 . 2003-11-07 04:50 19,968 --------- c:\windows\LOGI_MWX.EXE
2009-01-04 18:49 . 2003-11-14 09:50 16,896 --a------ c:\windows\system32\LMOUSE32.DLL
2009-01-04 18:49 . 2003-11-14 09:50 3,568 --a------ c:\windows\system32\LMOUSE16.DLL
2009-01-04 18:48 . 2009-01-04 18:48 <DIR> d-------- c:\program files\Common Files\Logitech
2009-01-04 18:48 . 2002-01-05 04:38 54,784 --a------ c:\windows\system32\MSVCI70.DLL
2009-01-04 18:48 . 2003-11-07 04:50 37,884 --a------ c:\windows\system32\drivers\LHidUsb.sys
2009-01-04 18:48 . 2003-11-07 04:50 14,092 --a------ c:\windows\system32\drivers\LCcfltr.sys
2009-01-04 18:48 . 2003-11-08 17:24 12,953 --------- c:\windows\system32\drivers\itchfltr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 22:18 --------- d-----w c:\program files\Google
2009-01-24 22:17 47,360 ----a-w c:\documents and settings\Jeffrey\Application Data\pcouffin.sys
2009-01-24 22:17 --------- d-----w c:\documents and settings\Jeffrey\Application Data\Vso
2009-01-24 15:20 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-24 14:01 --------- d-----w c:\documents and settings\KC\Application Data\FaxCtr
2009-01-18 17:35 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-01-15 02:43 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-15 02:29 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 11:48 --------- d-----w c:\program files\Webroot
2008-12-20 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-12-17 01:32 --------- d-----w c:\documents and settings\Jeffrey\Application Data\LimeWire
2008-12-17 01:27 --------- d-----w c:\documents and settings\All Users\Application Data\1C29F
2008-12-16 01:08 --------- d-----w c:\program files\Creative
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-02-26 02:03 77 ----a-w c:\documents and settings\Jeffrey\6882.bat
2008-02-25 00:09 77 ----a-w c:\documents and settings\Jeffrey\7416.bat
2008-02-23 16:35 77 ----a-w c:\documents and settings\Jeffrey\5782.bat
2008-08-21 07:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-08-18 08:51 527304 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-08-18 08:51 527304 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-08-18 08:51 527304 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"RIMDeviceManager"="c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe" [2008-07-31 1422608]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-08-18 600008]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 139264]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2008-11-04 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-10-12 6272888]

c:\documents and settings\Jeffrey\Start Menu\Programs\Startup\
AbsoluteShield Internet Eraser.lnk - d:\program files\SysShield Tools\Internet Eraser\cseraser.exe [2008-03-23 594432]
Desktop Manager.lnk - d:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2008-11-04 1545488]
HotSync Manager.lnk - d:\program files\Palm\HOTSYNC.EXE [2003-09-25 299008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timex Data Link USB Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Timex Data Link USB Launcher.lnk
backup=c:\windows\pss\Timex Data Link USB Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeffrey^Start Menu^Programs^Startup^Disney_Pixar Finding Nemo_ Learning with Nemo Registration.lnk]
path=c:\documents and settings\Jeffrey\Start Menu\Programs\Startup\Disney_Pixar Finding Nemo_ Learning with Nemo Registration.lnk
backup=c:\windows\pss\Disney_Pixar Finding Nemo_ Learning with Nemo Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeffrey^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jeffrey\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 04:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2008-09-19 10:37 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-04 08:18 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 d:\program files\Logitech\iTouch\iTouch.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"d:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\Diagnostics\\lxdicdw.exe"=
"d:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-11-21 203264]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2009-01-04 14092]
R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-01-14 10384]
R4 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2008-11-12 1066360]
S4 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-01-19 99248]
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\wrSpySweeper_LC13F57486D404A5DAD50165955EF0C63.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-10-12 13:18]

2009-01-25 c:\windows\Tasks\wrSpySweeper_LC13F57486D404A5DAD50165955EF0C63.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-10-12 13:18]

2009-01-25 c:\windows\Tasks\wrSpySweeper_LC13F57486D404A5DAD50165955EF0C63.job
- A:\ []
.
- - - - ORPHANS REMOVED - - - -

BHO-{4CF818E3-7EC9-4DCF-81DB-9490914FCA51} - (no file)
Notify-dzrdairw - dzrdairw.dll
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-25 15:05:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1088)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxdicoms.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\searchindexer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\devldr32.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-25 15:09:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-25 20:09:26

Pre-Run: 1,181,810,688 bytes free
Post-Run: 3,081,711,616 bytes free

268 --- E O F --- 2009-01-15 02:43:14


Thanks again!!
Jeff



#5
January 25, 2009 at 17:03:17
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\documents and settings\Jeffrey\6882.bat
c:\documents and settings\Jeffrey\7416.bat
c:\documents and settings\Jeffrey\5782.bat

DIRLOOK::
c:\documents and settings\All Users\Application Data\1C29F

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run". Post a new ComboFix log following the previous directions.

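The triage the helper did by eye in #5 (picking out the numeric-named .bat files and the hex-named Application Data folder, then turning them into a CFScript), as an added example in Python that is not part of this thread and not ComboFix's own code: it parses the three row shapes these logs use (Files Created rows, Run-key rows, orphan rows), applies a few name/location heuristics, and prints a CFScript skeleton using the KILLALL::, File:: and DIRLOOK:: directives shown in the post above. The sample log is constructed from the thread's line formats and is not a real excerpt (the 6882.bat file row and the "7416" Run-key row are invented for illustration); the heuristics are mine, not ComboFix's, so review every path by hand before feeding the script to ComboFix.

```python
import re

# Constructed sample modelled on the three row shapes in this thread's
# ComboFix logs.  Not a real excerpt: the 6882.bat file row and the "7416"
# Run-key row are invented for illustration.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))
.
2009-01-25 14:16 . 2009-01-25 14:16 <DIR> d-------- c:\program files\Java
2009-01-24 16:35 . 2009-01-25 15:06 256 --a------ c:\documents and settings\Jeffrey\pool.bin
2009-01-24 14:28 . 2009-01-25 21:05 256 --a------ c:\windows\system32\pool.bin
2009-01-22 09:01 . 2009-01-22 09:01 1,024 --a------ c:\documents and settings\Jeffrey\6882.bat
2008-12-17 01:27 . 2008-12-17 01:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\1C29F
2009-01-14 21:29 . 2008-11-07 16:38 84,496 --a------ c:\windows\system32\KemXML.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"7416"="c:\documents and settings\Jeffrey\7416.bat" [2009-01-22 1024]
.
- - - - ORPHANS REMOVED - - - -
BHO-{4CF818E3-7EC9-4DCF-81DB-9490914FCA51} - (no file)
Notify-dzrdairw - dzrdairw.dll
"""

# Row shapes, written from the lines visible in the thread's logs.
FILE_ROW = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>[a-z]:\\.+)$", re.I)
RUN_ROW = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]*)\]$')
ORPHAN_ROW = re.compile(r"^(?P<kind>BHO|Notify|MSConfigStartUp)-(?P<name>.+?) - (?P<target>.+)$")

# Heuristics: the editor's assumptions, not ComboFix logic.
PROFILE_ROOT_FILE = re.compile(r"^c:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)
HEX_APPDATA_DIR = re.compile(
    r"^c:\\documents and settings\\all users\\application data\\[0-9a-f]{4,8}$", re.I)
SUSPECT_EXT = {"exe", "bat", "cmd", "com", "scr", "pif", "dll", "sys", "bin"}


def split_name(path):
    """Return (stem, ext) of the last path component; ext is lowercase, '' if none."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")


def parse_log(text):
    """Turn the recognised ComboFix rows into dicts; every other line is ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_ROW.match(line):
            kind = "dir" if m["size"] == "<DIR>" else "file"
            entries.append({"kind": kind, "path": m["path"]})
        elif m := RUN_ROW.match(line):
            entries.append({"kind": "run", "name": m["name"], "path": m["path"]})
        elif m := ORPHAN_ROW.match(line):
            entries.append({"kind": "orphan", "orphan_kind": m["kind"],
                            "name": m["name"], "path": m["target"]})
    return entries


def triage(entries):
    """Return (reason, kind, path) triples for entries worth a second look."""
    findings = []
    for e in entries:
        stem, ext = split_name(e["path"])
        if e["kind"] in ("file", "run") and stem.isdigit():
            findings.append(("numeric file name", e["kind"], e["path"]))
        elif e["kind"] == "file" and ext in SUSPECT_EXT and PROFILE_ROOT_FILE.match(e["path"]):
            findings.append(("binary directly in a profile root", "file", e["path"]))
        elif e["kind"] == "dir" and HEX_APPDATA_DIR.match(e["path"]):
            findings.append(("hex-named folder under All Users\\Application Data", "dir", e["path"]))
        elif e["kind"] == "orphan" and e["orphan_kind"] == "Notify" and "\\" not in e["path"]:
            findings.append(("Winlogon Notify DLL with no path (already removed)", "orphan", e["path"]))
    return findings


def build_cfscript(findings):
    """Emit a CFScript in the layout used in this thread (KILLALL::, File::, DIRLOOK::).

    Orphans are not listed: ComboFix reports them as already removed."""
    files = sorted({p for _, k, p in findings if k in ("file", "run")})
    dirs = sorted({p for _, k, p in findings if k == "dir"})
    lines = ["KILLALL::"]
    if files:
        lines += ["File::", *files]
    if dirs:
        lines += ["", "DIRLOOK::", *dirs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for reason, kind, path in found:
        print(f"[{kind:6}] {reason}: {path}")
    print("\n--- CFScript.txt (review before use) ---")
    print(build_cfscript(found), end="")
```

Run it against a saved ComboFix log (`parse_log(open("ComboFix.txt").read())`) to get the same kind of shortlist the helper produced. The rules deliberately lean on location (a script sitting in the root of a user profile, a short hex-named folder under All Users\Application Data) rather than on name entropy alone, because vendor files such as the Lexmark `lxdi*` binaries in these logs look random but are legitimate; the second `pool.bin` in system32 is left unflagged by these rules and is the sort of thing a human reviewer still checks.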

#6
January 25, 2009 at 18:12:47
ComboFix 09-01-21.04 - Jeffrey 2009-01-25 21:00:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.619 [GMT -5:00]
Running from: c:\documents and settings\Jeffrey\Desktop\toolb.exe
Command switches used :: c:\documents and settings\Jeffrey\Desktop\CFScript.txt
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\documents and settings\Jeffrey\5782.bat
c:\documents and settings\Jeffrey\6882.bat
c:\documents and settings\Jeffrey\7416.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jeffrey\5782.bat
c:\documents and settings\Jeffrey\6882.bat
c:\documents and settings\Jeffrey\7416.bat

.
((((((((((((((((((((((((( Files Created from 2008-12-26 to 2009-01-26 )))))))))))))))))))))))))))))))
.

2009-01-25 20:45 . 2009-01-25 20:45 <DIR> d-------- c:\documents and settings\Jeffrey\Application Data\Research In Motion
2009-01-25 20:12 . 2009-01-25 20:15 <DIR> d-------- c:\program files\Roxio
2009-01-25 20:12 . 2009-01-25 20:16 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2009-01-25 20:06 . 2009-01-25 20:12 <DIR> d-------- c:\program files\Common Files\InstallShield
2009-01-25 20:03 . 2009-01-25 20:03 <DIR> d-------- c:\program files\Research In Motion
2009-01-25 20:03 . 2009-01-25 20:04 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-25 18:08 . 2009-01-25 18:08 <DIR> d-------- c:\program files\Windows Resource Kits
2009-01-25 14:16 . 2009-01-25 14:16 <DIR> d-------- c:\program files\Java
2009-01-25 14:16 . 2009-01-25 14:16 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-25 14:16 . 2009-01-25 14:16 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 09:19 . 2009-01-25 09:19 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Research In Motion
2009-01-24 22:12 . 2009-01-24 22:12 <DIR> d-------- c:\documents and settings\Jeffrey\Application Data\Malwarebytes
2009-01-24 22:12 . 2009-01-24 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-24 22:12 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-24 22:12 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-24 18:21 . 2009-01-24 18:21 <DIR> d-------- c:\documents and settings\Jeffrey\Application Data\InstallShield
2009-01-24 16:35 . 2009-01-25 15:06 256 --a------ c:\documents and settings\Jeffrey\pool.bin
2009-01-24 14:28 . 2009-01-25 21:05 256 --a------ c:\windows\system32\pool.bin
2009-01-24 10:26 . 2009-01-24 10:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2009-01-24 10:26 . 2009-01-24 10:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2009-01-24 10:20 . 2009-01-25 20:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2009-01-24 10:19 . 2009-01-25 20:13 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2009-01-24 10:12 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-16 08:37 . 2009-01-16 08:37 <DIR> d-------- c:\documents and settings\KC\Application Data\Logitech
2009-01-15 09:22 . 2009-01-15 09:22 <DIR> d-------- c:\documents and settings\Lura\Application Data\Logitech
2009-01-14 21:31 . 2009-01-14 21:31 <DIR> d-------- c:\documents and settings\Jeffrey\Application Data\Logitech
2009-01-14 21:30 . 2009-01-14 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\LogiShrd
2009-01-14 21:30 . 2008-09-26 09:52 10,384 --a------ c:\windows\system32\drivers\LBeepKE.sys
2009-01-14 21:29 . 2009-01-14 21:29 <DIR> d-------- c:\program files\Common Files\Logishrd
2009-01-14 21:29 . 2009-01-14 21:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Logitech
2009-01-14 21:29 . 2008-11-07 16:37 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2009-01-14 21:29 . 2008-11-07 16:38 170,512 --a------ c:\windows\system32\kemutb.dll
2009-01-14 21:29 . 2008-11-07 16:38 145,936 --a------ c:\windows\system32\KemUtil.dll
2009-01-14 21:29 . 2008-11-07 16:38 117,264 --a------ c:\windows\system32\KemWnd.dll
2009-01-14 21:29 . 2008-11-07 16:38 84,496 --a------ c:\windows\system32\KemXML.dll
2009-01-04 18:53 . 2009-01-25 07:44 65 --a------ c:\windows\iTouch.ini
2009-01-04 18:50 . 2009-01-04 18:50 81,920 -r------- c:\windows\bwUnin-6.1.4.61-8876480L.exe
2009-01-04 18:49 . 2003-11-14 09:50 155,648 --a------ c:\windows\system32\ifc21.dll
2009-01-04 18:49 . 2003-11-07 04:50 152,064 --------- c:\windows\system32\lmoufrc.dll
2009-01-04 18:49 . 2003-11-14 09:50 104,960 --a------ c:\windows\system32\COMNCTR.DLL
2009-01-04 18:49 . 2003-11-14 09:50 97,792 --a------ c:\windows\system32\LGUICOM.DLL
2009-01-04 18:49 . 2003-11-14 09:50 94,208 --a------ c:\windows\system32\FEELIT.DLL
2009-01-04 18:49 . 2003-11-07 04:50 70,798 --a------ c:\windows\system32\drivers\LMouFlt2.Sys
2009-01-04 18:49 . 2003-11-07 04:50 51,486 --------- c:\windows\system32\drivers\L8042PR2.SYS
2009-01-04 18:49 . 2003-11-07 04:50 25,502 --a------ c:\windows\system32\drivers\LHidFlt2.Sys
2009-01-04 18:49 . 2003-11-07 04:50 23,372 --------- c:\windows\system32\LCOINST.DLL
2009-01-04 18:49 . 2003-11-07 04:50 19,968 --------- c:\windows\LOGI_MWX.EXE
2009-01-04 18:49 . 2003-11-14 09:50 16,896 --a------ c:\windows\system32\LMOUSE32.DLL
2009-01-04 18:49 . 2003-11-14 09:50 3,568 --a------ c:\windows\system32\LMOUSE16.DLL
2009-01-04 18:48 . 2009-01-04 18:48 <DIR> d-------- c:\program files\Common Files\Logitech
2009-01-04 18:48 . 2002-01-05 04:38 54,784 --a------ c:\windows\system32\MSVCI70.DLL
2009-01-04 18:48 . 2003-11-07 04:50 37,884 --a------ c:\windows\system32\drivers\LHidUsb.sys
2009-01-04 18:48 . 2003-11-07 04:50 14,092 --a------ c:\windows\system32\drivers\LCcfltr.sys
2009-01-04 18:48 . 2003-11-08 17:24 12,953 --------- c:\windows\system32\drivers\itchfltr.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 22:18 --------- d-----w c:\program files\Google
2009-01-24 22:17 47,360 ----a-w c:\documents and settings\Jeffrey\Application Data\pcouffin.sys
2009-01-24 22:17 --------- d-----w c:\documents and settings\Jeffrey\Application Data\Vso
2009-01-24 15:20 --------- d-----w c:\program files\Common Files\InstallShieldOld
2009-01-24 14:01 --------- d-----w c:\documents and settings\KC\Application Data\FaxCtr
2009-01-18 17:35 --------- d-----w c:\program files\Common Files\Palo Alto Software
2009-01-15 02:43 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-15 02:29 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 11:48 --------- d-----w c:\program files\Webroot
2008-12-20 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2008-12-17 01:32 --------- d-----w c:\documents and settings\Jeffrey\Application Data\LimeWire
2008-12-17 01:27 --------- d-----w c:\documents and settings\All Users\Application Data\1C29F
2008-12-16 01:08 --------- d-----w c:\program files\Creative
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-08-21 07:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Application Data\1C29F ----

2008-11-19 04:55 4501 --a------ c:\documents and settings\All Users\Application Data\1C29F\{BE04CBD2-AE8B-4D89-9269-FE926370CE13}.swf


((((((((((((((((((((((((((((( snapshot@2009-01-25_15.08.16.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-26 00:34:27 69,632 ----a-r c:\windows\Installer\{034E061B-B3A3-4123-842E-10C1B6B3C8C7}\DesktopMgr.exe
+ 2009-01-26 01:17:08 38,400 ----a-r c:\windows\Installer\{0ADEA8E1-B211-41B8-8DD4-D9A5FB04A5FA}\RoxioCentral.exe
+ 2009-01-26 01:04:54 69,632 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\DesktopMgr.exe
+ 2009-01-26 01:04:54 26,694 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-01-26 01:04:54 26,694 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-01-26 01:04:54 26,694 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-01-26 01:04:54 26,694 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-01-26 01:04:54 26,694 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-01-26 01:04:54 26,694 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-01-26 01:04:54 26,694 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2009-01-26 01:04:54 6,502 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2009-01-26 01:04:54 6,502 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2009-01-26 01:04:54 6,502 ----a-r c:\windows\Installer\{0D048BE8-AE02-4CB5-A428-616B9848E4A7}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2009-01-26 01:16:35 38,400 ----a-r c:\windows\Installer\{267D350E-51AB-40B8-AF9F-DA7ED5687044}\RoxioCentral.exe
+ 2009-01-26 01:16:19 25,214 ----a-r c:\windows\Installer\{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}\ARPPRODUCTICON.exe
+ 2009-01-26 01:16:19 25,214 ----a-r c:\windows\Installer\{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}\EmailWizardShortcut_8E832933A07340209FB8DBADC480B69B.exe
+ 2009-01-26 01:16:19 25,214 ----a-r c:\windows\Installer\{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}\MediaManager8.exe_8E832933A07340209FB8DBADC480B69B.exe
- 2009-01-24 22:11:55 25,214 ----a-r c:\windows\Installer\{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}\NewShortcut24_8E832933A07340209FB8DBADC480B69B_1.exe
+ 2009-01-26 01:16:19 25,214 ----a-r c:\windows\Installer\{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}\NewShortcut24_8E832933A07340209FB8DBADC480B69B_1.exe
+ 2009-01-26 01:16:19 25,214 ----a-r c:\windows\Installer\{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}\NewShortcut33_8E832933A07340209FB8DBADC480B69B.exe
- 2009-01-24 22:11:55 3,638 ----a-r c:\windows\Installer\{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}\NewShortcut38_8E832933A07340209FB8DBADC480B69B.exe
+ 2009-01-26 01:16:19 3,638 ----a-r c:\windows\Installer\{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}\NewShortcut38_8E832933A07340209FB8DBADC480B69B.exe
+ 2009-01-26 01:16:19 25,214 ----a-r c:\windows\Installer\{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}\NewShortcut4_8E832933A07340209FB8DBADC480B69B.exe
+ 2009-01-26 01:17:20 38,400 ----a-r c:\windows\Installer\{7A9DC8F6-2466-4E04-BF51-BE499C5D02BD}\RoxioCentral.exe
- 2009-01-24 15:25:44 38,400 ----a-r c:\windows\Installer\{85BD5F12-49EF-4B40-B1E0-77D85F6E99BF}\RoxioCentral.exe
+ 2009-01-26 01:16:58 38,400 ----a-r c:\windows\Installer\{85BD5F12-49EF-4B40-B1E0-77D85F6E99BF}\RoxioCentral.exe
+ 2009-01-26 01:16:30 38,400 ----a-r c:\windows\Installer\{C628EC93-8E17-4114-BCE7-2D181B93FA0F}\RoxioCentral.exe
+ 2009-01-26 01:17:02 38,400 ----a-r c:\windows\Installer\{EA9741F6-A7F2-497B-BBE4-2ED0136649BE}\RoxioCentral.exe
- 2009-01-25 19:10:04 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-26 01:20:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-25 19:10:04 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-26 01:20:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-25 19:10:04 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-26 01:20:12 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-21 00:33:50 22,784 ----a-w c:\windows\system32\drivers\RimUsb.sys
+ 2007-05-31 18:39:50 22,656 ----a-w c:\windows\system32\drivers\RimUsb.sys
- 2009-01-25 12:49:51 446,800 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-26 01:20:09 446,800 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2007-05-09 14:15:18 129,784 ----a-w c:\windows\system32\PxAFS.DLL
+ 2007-05-09 14:15:20 1,628,920 ----a-w c:\windows\system32\PxSFS.DLL
- 2007-04-04 22:08:56 158,456 ----a-w c:\windows\system32\pxwma.dll
+ 2007-05-09 14:15:24 158,456 ----a-w c:\windows\system32\pxwma.dll
+ 2007-01-18 15:24:58 26,496 ----a-r c:\windows\system32\ReinstallBackups\0025\DriverFiles\RimSerial.sys
+ 2007-01-18 15:24:58 26,496 ----a-r c:\windows\system32\ReinstallBackups\0026\DriverFiles\RimSerial.sys
+ 2007-01-18 15:24:58 26,496 ----a-r c:\windows\system32\ReinstallBackups\0027\DriverFiles\RimSerial.sys
+ 2009-01-26 02:04:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_754.dat
- 2009-01-25 20:06:32 4,182 ----a-w c:\windows\Temp\wrstemp\S-1-5-19.dat
+ 2009-01-26 02:05:33 4,182 ----a-w c:\windows\Temp\wrstemp\S-1-5-19.dat
- 2009-01-25 20:06:32 4,250 ----a-w c:\windows\Temp\wrstemp\S-1-5-20.dat
+ 2009-01-26 02:05:33 4,250 ----a-w c:\windows\Temp\wrstemp\S-1-5-20.dat
- 2009-01-25 20:06:32 5,268 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1292428093-299502267-839522115-1003.dat
+ 2009-01-26 02:05:33 5,282 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1292428093-299502267-839522115-1003.dat
- 2009-01-25 20:06:32 4,508 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1292428093-299502267-839522115-1004.dat
+ 2009-01-26 02:05:33 4,508 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1292428093-299502267-839522115-1004.dat
- 2009-01-25 20:06:32 4,270 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1292428093-299502267-839522115-1005.dat
+ 2009-01-26 02:05:33 4,270 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1292428093-299502267-839522115-1005.dat
- 2009-01-25 20:06:32 4,216 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1292428093-299502267-839522115-500.dat
+ 2009-01-26 02:05:33 4,216 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1292428093-299502267-839522115-500.dat
- 2009-01-24 23:16:51 1,233,920 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2009-01-26 01:12:55 1,233,920 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2009-01-26 01:12:55 82,432 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2008-08-18 08:51 527304 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2008-08-18 08:51 527304 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2008-08-18 08:51 527304 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"GrooveMonitor"="d:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-08-18 600008]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-10-27 139264]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-10-12 6272888]

c:\documents and settings\Jeffrey\Start Menu\Programs\Startup\
AbsoluteShield Internet Eraser.lnk - d:\program files\SysShield Tools\Internet Eraser\cseraser.exe [2008-03-23 594432]
HotSync Manager.lnk - d:\program files\Palm\HOTSYNC.EXE [2003-09-25 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2007-11-12 1447184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 16:41 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"aux1"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Timex Data Link USB Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Timex Data Link USB Launcher.lnk
backup=c:\windows\pss\Timex Data Link USB Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeffrey^Start Menu^Programs^Startup^Disney_Pixar Finding Nemo_ Learning with Nemo Registration.lnk]
path=c:\documents and settings\Jeffrey\Start Menu\Programs\Startup\Disney_Pixar Finding Nemo_ Learning with Nemo Registration.lnk
backup=c:\windows\pss\Disney_Pixar Finding Nemo_ Learning with Nemo Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jeffrey^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jeffrey\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 04:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
--a------ 2007-08-16 08:56 236016 c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-07-04 08:18 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2003-12-01 11:38 892928 d:\program files\Logitech\iTouch\iTouch.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxdicoms.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdiamon.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\App4R.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\lxdimon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdipswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxditime.exe"=
"d:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdijswx.exe"=
"e:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"d:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Lexmark 3500-4500 Series\\Diagnostics\\lxdicdw.exe"=
"d:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R3 BENDER;Pinnacle DV/AV Capture;c:\windows\system32\drivers\bender.sys [2006-11-21 203264]
R3 LCcfltr;Logitech USB Filter Driver;c:\windows\system32\drivers\LCcfltr.sys [2009-01-04 14092]
R4 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-01-14 10384]
R4 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service --> c:\windows\system32\lxdicoms.exe -service [?]
R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2008-11-12 1066360]
S4 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdiserv.exe [2008-01-19 99248]
.
Contents of the 'Scheduled Tasks' folder

2009-01-25 c:\windows\Tasks\wrSpySweeper_LC13F57486D404A5DAD50165955EF0C63.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-10-12 13:18]

2009-01-25 c:\windows\Tasks\wrSpySweeper_LC13F57486D404A5DAD50165955EF0C63.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-10-12 13:18]

2009-01-25 c:\windows\Tasks\wrSpySweeper_LC13F57486D404A5DAD50165955EF0C63.job
- A:\ []
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
DPF: PackageCab - hxxp://ak.imgag.com/imgag/cp/install/AxCtp2.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-25 21:04:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\devldr32.exe
c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxdicoms.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\searchindexer.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
c:\program files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-25 21:08:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-26 02:08:48
ComboFix2.txt 2009-01-25 20:09:32

Pre-Run: 1,984,040,960 bytes free
Post-Run: 2,040,168,448 bytes free

325 --- E O F --- 2009-01-15 02:43:14


Again, I appreciate the time you're taking.
Thanks!
Jeff



#7
January 25, 2009 at 18:24:00
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

