please help, desktop and icons disappeared

GameMaster · 05-20-2008, 10:37 AM

You don't have to delete it, but just log in as administrator and perform the ComboFix scan again ( run it again and post a new log ).

fmonte · 05-20-2008, 02:36 PM

I'm still not sure what you are asking. I don't know what you mean as sign on as administrator. In any event, what I did is boot the computer to the welcome screen where there are the 3 icons that I mentioned above. I clicked on the one that said Frank and then I clicked on the desktop icon Combofix to run the scan. After completion the text doc popped up. Here are the results:

ComboFix 08-05-15.3 - Frank 2008-05-20 8:25:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1363 [GMT -4:00]
Running from: J:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\JjlSBJlm.ini
C:\WINDOWS\system32\JjlSBJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-19 14:24 . 2008-05-19 14:25 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.da t.LOG
2008-05-19 07:26 . 2008-05-19 07:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 21:47 . 2008-05-18 21:47 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Panasonic
2008-05-18 21:47 . 2008-05-18 21:47 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-05-18 21:42 . 2008-05-18 21:42 <DIR> d-------- C:\Documents and Settings\Problem correction\Application Data\Panasonic
2008-05-18 21:42 . 2008-05-18 21:42 <DIR> d-------- C:\Documents and Settings\Problem correction\Application Data\AVG7
2008-05-18 18:47 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-18 18:47 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-18 18:47 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-18 18:47 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-18 18:47 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-18 18:47 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-18 18:47 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-18 18:47 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-18 15:24 . 2008-05-18 15:24 1,390,340 --a------ C:\SmitfraudFix.exe
2008-05-18 13:40 . 2008-05-18 18:48 3,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-18 13:28 . 2008-05-18 13:28 <DIR> d-------- C:\Documents and Settings\Guest
2008-05-18 13:28 . 2008-05-20 08:29 1,024 --ah----- C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-05-18 13:20 . 2006-02-28 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-18 13:19 . 2008-05-18 13:19 <DIR> d-------- C:\Documents and Settings\Problem correction
2008-05-18 13:19 . 2008-05-20 08:29 1,024 --ah----- C:\Documents and Settings\Problem correction\ntuser.dat.LOG
2008-05-18 10:53 . 2008-05-18 10:53 319,872 --a------ C:\WINDOWS\system32\mlJBSljJ.dll
2008-05-18 10:48 . 2008-05-18 10:48 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-18 10:48 . 2008-05-17 17:14 286,720 --a------ C:\WINDOWS\pxgdslro.dll
2008-05-18 10:48 . 2008-05-17 17:15 245,760 --a------ C:\WINDOWS\nldfmtappek.dll
2008-05-18 10:48 . 2008-05-18 10:48 28,800 --a------ C:\WINDOWS\system32\cbXQkhFu.dll
2008-05-07 17:43 . 2008-05-08 13:51 <DIR> d-------- C:\Program Files\Avalon Health Care
2008-05-03 11:53 . 2008-05-03 11:53 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-03 11:52 . 2008-05-03 11:53 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\Real
2008-04-28 11:21 . 2008-04-28 11:21 <DIR> d-------- C:\Program Files\SiteChallenge
2008-04-28 11:21 . 2007-05-03 10:15 68,496 --a------ C:\WINDOWS\system32\MLSecurityCOM.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-05-20 04:02 --------- d-----w C:\Program Files\LogMeIn
2008-05-18 14:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-17 13:12 --------- d-----w C:\Program Files\COMODO
2008-05-17 13:12 --------- d-----w C:\Documents and Settings\Frank\Application Data\Comodo
2008-05-12 15:34 --------- d-----w C:\Documents and Settings\Frank\Application Data\AdobeUM
2008-04-15 12:09 1,880 ----a-w C:\WINDOWS\AUTOLNCH.REG
2008-04-02 15:27 --------- d-----w C:\Program Files\Microsoft Works
2008-03-30 14:44 --------- d-----w C:\Program Files\2nd Story Software
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_14.30.16.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 18:28:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 12:29:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
2008-05-18 10:48 28800 --a------ C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2937F69-9299-4609-AD57-536278226A08}]
2008-05-18 10:53 319872 --a------ C:\WINDOWS\system32\mlJBSljJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:15 579584]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 12:00 53248]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 05:46 196608]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26 217088]
"nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2003-09-06 01:16 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2003-09-06 01:35 40960]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]
"Panasonic Device Monitor Wakeup"="C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 15:54 303104]
"Panasonic Device Manager for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 13:46 126976]
"Panasonic PCFAX for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\KmPcFax.exe" [2007-05-29 11:31 757760]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 11:52 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-02 11:19 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-12-16 02:47:49 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 05:54 38400]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\cbXQkhFu.dll [2008-05-18 10:48 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQkhFu]
cbXQkhFu.dll 2008-05-18 10:48 28800 C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2005-01-07 18:30 864256 C:\Program Files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-08-03 16:09 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 12:43 8466432 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2007-12-05 11:47 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-07-18 18:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-06-01 09:48 16208384 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 18:14 49152 C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 14:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
--a------ 2000-02-14 18:36 43008 C:\WINDOWS\system32\WFXSNT40.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)
"WZCSVC"=2 (0x2)
"W32Time"=2 (0x2)
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sy s [2007-08-03 16:09]
R2 Panasonic Local Printer Service;Panasonic Local Printer Service;C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe [2004-08-03 05:33]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 14:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2004-11-23 18:39]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-02-14 18:36]

.
************************************************** ************************

disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\

scan completed successfully
hidden files:

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXQkhFu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
.
************************************************** ************************
.
Completion time: 2008-05-20 8:31:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-20 12:31:08
ComboFix2.txt 2008-05-19 18:30:33

Pre-Run: 280,088,997,888 bytes free
Post-Run: 280,074,104,832 bytes free

237 --- E O F --- 2008-05-18 19:42:34

fmonte · 05-20-2008, 02:51 PM

I just noticed after running that last combofix, the problem seems to be gone. My icons are not disappearing anymore and the performance seems normal. I will continue to monitor things and let you know. Not that I am complaining but what happened. Also, is it now safe to get back on the internet with this computer? Thanks again.

fmonte · 05-20-2008, 03:29 PM

Problem returned, please help. Thank you.

Punk · 05-20-2008, 06:11 PM

Yes, There is still a few malicious files that are downloading the deleted files. I'm really busy right now until mid-June, got my SAT exams (the BAC in France).

If either GameMaster or Ceewi1 wants to continue on disinfecting you, they can.

GameMaster · 05-20-2008, 09:19 PM

Well seems that I'm online the most.
Since I couldn't find any nasties in your HijackThis log and since ComboFix log shows some random files, we can try couple more scans. But before that I want to make sure it's not some XP setting problem.

1. Please right click on Desktop>Properties>General tab>uncheck the Run wizard every xx days

2. If that doesn't help, open your Task manager ( Ctrl+Alt+Del) and find a process sysu.exe

If found, stop it.
After, delete this folder: ddm if found. It should be in C:/Programs/ddm

3. If didn't help:

Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.

Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

fmonte · 05-21-2008, 12:59 AM

1. I could not do. I right clicked on an open spot on the desktop and left clicked on properties but there was no general tab.

2. In task manager processes there was no sysu.exe

3. i could not get to ddm.I clicked on c drive and then program files but by that time my screen goes blank so I did not have time to search for ddm.

Finally, here is the report you asked for:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 20, 2008 6:47:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/05/2008
Kaspersky Anti-Virus database records: 788626
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
J:\

Scan Statistics:
Total number of scanned objects: 95541
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 01:10:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Frank\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frank\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Frank\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Frank\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frank\ntuser.dat Object is locked skipped
C:\Documents and Settings\Frank\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\LOG\ERRORLOG Object is locked skipped
C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RAR: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP196\A0049551.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP202\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\nldfmtappek.dll Object is locked skipped
C:\WINDOWS\pxgdslro.dll Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStor e.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb .log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp .edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cbXQkhFu.dll Infected: Trojan.Win32.Inject.cdi skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_778.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

GameMaster · 05-21-2008, 11:43 AM

Hello!
Please search for this file : C:\WINDOWS\system32\cbXQkhFu.dll and delete it.
To find it, go to Start>Search>All files and folders> on advanced options, check all: Search hidden files and folders, search subfolders, search system files and folders...

Then type cbXQkhFu.dll when found, delete it.

AFter you've deleted it, reboot your computer and post a fresh HijackThis log.

fmonte · 05-21-2008, 03:30 PM

Sorry, can't do. Did what you said but when I clicked on the file to delete it a message pops up that says cannot delete, this file is being used by another person or program. Close any programs that might be using the file and try again.

fmonte · 05-21-2008, 03:37 PM

FYI, earlier I told you I could not get into safe mode. I figured out a way. First I run combofix and when it reboots I click on F8 and get into safe mode okay. Please note: At the welcome screen I now see a button that is called "Administrator". On a normal boot I don't see that button but it shows up in the safe mode. The other day you asked me to create a log as the admisistrator. Would it still be helpful if I do that now? Thank you.

05-20-2008, 06:11 PM	#15 (permalink)
Punk Diamond Member Join Date: Jan 2007 Location: France Age: 18 Posts: 5,001	Yes, There is still a few malicious files that are downloading the deleted files. I'm really busy right now until mid-June, got my SAT exams (the BAC in France). If either GameMaster or Ceewi1 wants to continue on disinfecting you, they can. __________________ Punk's anti-hackers website Punk's Website making and registering tutorial! Rise And Fall, Rage And Grace The Offspring! Huck it! I just want to be who I want to be guess that's hard for others to see

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Annoying problem with desktop Icon's...	palefountain	General Computer Chat	1	01-10-2008 09:11 PM
changing the size of desktop icons only	karjaneth	General Software	3	05-31-2006 09:05 PM
Desktop Icons	jquinlan	Operating Systems	4	09-23-2005 01:38 AM
Spinning icons on desktop??????	R_ACE1	General Software	5	06-15-2005 06:24 AM
Custom desktop icons...	saiya00	Desktop Computers	2	02-16-2005 07:48 AM

05-20-2008, 02:36 PM	#12 (permalink)
fmonte Silver Member Join Date: Nov 2007 Posts: 132	I'm still not sure what you are asking. I don't know what you mean as sign on as administrator. In any event, what I did is boot the computer to the welcome screen where there are the 3 icons that I mentioned above. I clicked on the one that said Frank and then I clicked on the desktop icon Combofix to run the scan. After completion the text doc popped up. Here are the results: ComboFix 08-05-15.3 - Frank 2008-05-20 8:25:36.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1363 [GMT -4:00] Running from: J:\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\JjlSBJlm.ini C:\WINDOWS\system32\JjlSBJlm.ini2 . ((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 ))))))))))))))))))))))))))))))) . 2008-05-19 14:24 . 2008-05-19 14:25 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.da t.LOG 2008-05-19 07:26 . 2008-05-19 07:26 <DIR> d-------- C:\Program Files\Trend Micro 2008-05-18 21:47 . 2008-05-18 21:47 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Panasonic 2008-05-18 21:47 . 2008-05-18 21:47 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7 2008-05-18 21:42 . 2008-05-18 21:42 <DIR> d-------- C:\Documents and Settings\Problem correction\Application Data\Panasonic 2008-05-18 21:42 . 2008-05-18 21:42 <DIR> d-------- C:\Documents and Settings\Problem correction\Application Data\AVG7 2008-05-18 18:47 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2008-05-18 18:47 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2008-05-18 18:47 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe 2008-05-18 18:47 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe 2008-05-18 18:47 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe 2008-05-18 18:47 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe 2008-05-18 18:47 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2008-05-18 18:47 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2008-05-18 15:24 . 2008-05-18 15:24 1,390,340 --a------ C:\SmitfraudFix.exe 2008-05-18 13:40 . 2008-05-18 18:48 3,050 --a------ C:\WINDOWS\system32\tmp.reg 2008-05-18 13:28 . 2008-05-18 13:28 <DIR> d-------- C:\Documents and Settings\Guest 2008-05-18 13:28 . 2008-05-20 08:29 1,024 --ah----- C:\Documents and Settings\Guest\ntuser.dat.LOG 2008-05-18 13:20 . 2006-02-28 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2008-05-18 13:19 . 2008-05-18 13:19 <DIR> d-------- C:\Documents and Settings\Problem correction 2008-05-18 13:19 . 2008-05-20 08:29 1,024 --ah----- C:\Documents and Settings\Problem correction\ntuser.dat.LOG 2008-05-18 10:53 . 2008-05-18 10:53 319,872 --a------ C:\WINDOWS\system32\mlJBSljJ.dll 2008-05-18 10:48 . 2008-05-18 10:48 <DIR> dr-h----- C:\$VAULT$.AVG 2008-05-18 10:48 . 2008-05-17 17:14 286,720 --a------ C:\WINDOWS\pxgdslro.dll 2008-05-18 10:48 . 2008-05-17 17:15 245,760 --a------ C:\WINDOWS\nldfmtappek.dll 2008-05-18 10:48 . 2008-05-18 10:48 28,800 --a------ C:\WINDOWS\system32\cbXQkhFu.dll 2008-05-07 17:43 . 2008-05-08 13:51 <DIR> d-------- C:\Program Files\Avalon Health Care 2008-05-03 11:53 . 2008-05-03 11:53 <DIR> d-------- C:\Program Files\Common Files\xing shared 2008-05-03 11:52 . 2008-05-03 11:53 <DIR> d-------- C:\Program Files\Common Files\Real 2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\Real 2008-04-28 11:21 . 2008-04-28 11:21 <DIR> d-------- C:\Program Files\SiteChallenge 2008-04-28 11:21 . 2007-05-03 10:15 68,496 --a------ C:\WINDOWS\system32\MLSecurityCOM.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-05-20 04:02 --------- d-----w C:\Program Files\LogMeIn 2008-05-18 14:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7 2008-05-17 13:12 --------- d-----w C:\Program Files\COMODO 2008-05-17 13:12 --------- d-----w C:\Documents and Settings\Frank\Application Data\Comodo 2008-05-12 15:34 --------- d-----w C:\Documents and Settings\Frank\Application Data\AdobeUM 2008-04-15 12:09 1,880 ----a-w C:\WINDOWS\AUTOLNCH.REG 2008-04-02 15:27 --------- d-----w C:\Program Files\Microsoft Works 2008-03-30 14:44 --------- d-----w C:\Program Files\2nd Story Software . ((((((((((((((((((((((((((((( snapshot@2008-05-19_14.30.16.78 ))))))))))))))))))))))))))))))))))))))))) . - 2008-05-19 18:28:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat + 2008-05-20 12:29:04 2,048 --s-a-w C:\WINDOWS\bootstat.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}] 2008-05-18 10:48 28800 --a------ C:\WINDOWS\system32\cbXQkhFu.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2937F69-9299-4609-AD57-536278226A08}] 2008-05-18 10:53 319872 --a------ C:\WINDOWS\system32\mlJBSljJ.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:15 579584] "HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 12:00 53248] "type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 05:46 196608] "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26 217088] "nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe] "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2003-09-06 01:16 57393] "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2003-09-06 01:35 40960] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432] "Panasonic Device Monitor Wakeup"="C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 15:54 303104] "Panasonic Device Manager for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 13:46 126976] "Panasonic PCFAX for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\KmPcFax.exe" [2007-05-29 11:31 757760] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 11:52 185896] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run] "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-02 11:19 219136] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696] Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-12-16 02:47:49 114688] [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\explorer] "NoResolveSearch"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks] "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 05:54 38400] "{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\cbXQkhFu.dll [2008-05-18 10:48 28800] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQkhFu] cbXQkhFu.dll 2008-05-18 10:48 28800 C:\WINDOWS\system32\cbXQkhFu.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"= [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.YV12"= yv12vfw.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr] --a------ 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0] --------- 2005-01-07 18:30 864256 C:\Program Files\Brother\ControlCenter2\brctrcen.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] --a------ 2006-02-28 08:00 15360 C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI] --a------ 2007-08-03 16:09 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] --a------ 2007-06-28 12:43 8466432 C:\WINDOWS\system32\NvCpl.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm] --a------ 2007-12-05 11:47 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc] --a------ 2003-07-18 18:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility] --a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL] --a------ 2006-06-01 09:48 16208384 C:\WINDOWS\RTHDCPL.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt] --------- 2004-11-11 18:14 49152 C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel] --a------ 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate] --a------ 2006-09-28 14:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter] --a------ 2000-02-14 18:36 43008 C:\WINDOWS\system32\WFXSNT40.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "BITS"=2 (0x2) "WZCSVC"=2 (0x2) "W32Time"=2 (0x2) "CiSvc"=3 (0x3) [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"= "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"= "C:\\WINDOWS\\system32\\usmt\\migwiz.exe"= "C:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"= "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09] R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sy s [2007-08-03 16:09] R2 Panasonic Local Printer Service;Panasonic Local Printer Service;C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe [2004-08-03 05:33] S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12] S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 14:12] S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 14:12] S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2004-11-23 18:39] S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-02-14 18:36] . ************************************************ ******************** disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ please note that you need administrator rights to perform deep scan disk not found C:\ scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ disk not found C:\ scan completed successfully hidden files: ********************************************** ******************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\cbXQkhFu.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\BRSS01A.EXE C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\BrmfBAgS.exe C:\Program Files\LogMeIn\x86\ramaint.exe C:\Program Files\LogMeIn\x86\LogMeIn.exe C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe C:\WINDOWS\system32\nvsvc32.exe C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\MsPMSPSv.exe . ********************************************** ********************** . Completion time: 2008-05-20 8:31:13 - machine was rebooted ComboFix-quarantined-files.txt 2008-05-20 12:31:08 ComboFix2.txt 2008-05-19 18:30:33 Pre-Run: 280,088,997,888 bytes free Post-Run: 280,074,104,832 bytes free 237 --- E O F --- 2008-05-18 19:42:34

05-20-2008, 02:51 PM	#13 (permalink)
fmonte Silver Member Join Date: Nov 2007 Posts: 132	I just noticed after running that last combofix, the problem seems to be gone. My icons are not disappearing anymore and the performance seems normal. I will continue to monitor things and let you know. Not that I am complaining but what happened. Also, is it now safe to get back on the internet with this computer? Thanks again.

05-20-2008, 03:29 PM	#14 (permalink)
fmonte Silver Member Join Date: Nov 2007 Posts: 132	Problem returned, please help. Thank you.

05-21-2008, 12:59 AM	#17 (permalink)
fmonte Silver Member Join Date: Nov 2007 Posts: 132	1. I could not do. I right clicked on an open spot on the desktop and left clicked on properties but there was no general tab. 2. In task manager processes there was no sysu.exe 3. i could not get to ddm.I clicked on c drive and then program files but by that time my screen goes blank so I did not have time to search for ddm. Finally, here is the report you asked for: ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Tuesday, May 20, 2008 6:47:00 PM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.98.0 Kaspersky Anti-Virus database last update: 20/05/2008 Kaspersky Anti-Virus database records: 788626 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ J:\ Scan Statistics: Total number of scanned objects: 95541 Number of viruses found: 2 Number of infected objects: 7 Number of suspicious objects: 0 Duration of the scan process: 01:10:16 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped C:\Documents and Settings\Frank\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Frank\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Frank\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Frank\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Frank\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Frank\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Frank\ntuser.dat Object is locked skipped C:\Documents and Settings\Frank\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\master.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\mastlog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\model.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\modellog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\tempdb.mdf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\templog.ldf Object is locked skipped C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\LOG\ERRORLOG Object is locked skipped C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\SmitfraudFix.exe RAR: infected - 1 skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP196\A0049551.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP202\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\nldfmtappek.dll Object is locked skipped C:\WINDOWS\pxgdslro.dll Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\DataStore\DataStor e.edb Object is locked skipped C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb .log Object is locked skipped C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp .edb Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\cbXQkhFu.dll Infected: Trojan.Win32.Inject.cdi skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Internet.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_778.dat Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

05-21-2008, 03:30 PM	#19 (permalink)
fmonte Silver Member Join Date: Nov 2007 Posts: 132	Sorry, can't do. Did what you said but when I clicked on the file to delete it a message pops up that says cannot delete, this file is being used by another person or program. Close any programs that might be using the file and try again.

05-21-2008, 03:37 PM	#20 (permalink)
fmonte Silver Member Join Date: Nov 2007 Posts: 132	FYI, earlier I told you I could not get into safe mode. I figured out a way. First I run combofix and when it reboots I click on F8 and get into safe mode okay. Please note: At the welcome screen I now see a button that is called "Administrator". On a normal boot I don't see that button but it shows up in the safe mode. The other day you asked me to create a log as the admisistrator. Would it still be helpful if I do that now? Thank you.