05-21-2008, 02:45 PM   #21
Silver Member
Join Date: Nov 2007
Posts: 126

Earlier in the discussion, Cohen asked me to run a log as the administrator. I just located it as I mentioned above. Here is the log requested. I hope it helps give you the additional info you need. Thank you.

ComboFix 08-05-15.3 - Frank 2008-05-21 9:21:16.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1358 [GMT -4:00]
Running from: J:\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\JjlSBJlm.ini
C:\WINDOWS\system32\JjlSBJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 08:57 . 2007-12-02 00:10 <DIR> d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-21 08:57 . 2007-12-01 19:03 <DIR> dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-21 08:57 . 2007-12-02 00:13 <DIR> dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-21 08:57 . 2007-12-01 19:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-21 08:57 . 2007-12-01 19:03 <DIR> d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-21 08:57 . 2007-12-01 19:03 <DIR> d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-21 08:57 . 2007-12-01 19:03 <DIR> d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-21 08:57 . 2007-12-01 19:03 <DIR> d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-21 08:57 . 2007-12-01 19:03 <DIR> d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-21 08:57 . 2007-12-01 19:03 <DIR> d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-21 08:57 . 2007-12-02 00:16 <DIR> d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-21 08:57 . 2007-12-13 09:38 <DIR> d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-21 08:57 . 2007-12-01 19:03 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-21 08:57 . 2008-05-21 08:57 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-21 08:57 . 2008-05-21 09:25 524,288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-21 08:57 . 2008-05-21 09:25 65,536 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-20 16:59 . 2008-05-20 16:59 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 16:59 . 2008-05-20 16:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 08:51 . 2008-05-20 09:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-05-19 14:24 . 2008-05-21 09:25 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-19 07:26 . 2008-05-19 07:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 21:47 . 2008-05-18 21:47 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Panasonic
2008-05-18 21:47 . 2008-05-18 21:47 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-05-18 21:42 . 2008-05-18 21:42 <DIR> d-------- C:\Documents and Settings\Problem correction\Application Data\Panasonic
2008-05-18 21:42 . 2008-05-18 21:42 <DIR> d-------- C:\Documents and Settings\Problem correction\Application Data\AVG7
2008-05-18 18:47 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-18 18:47 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-18 18:47 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-18 18:47 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-18 18:47 . 2008-04-28 08:03 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-18 18:47 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-18 18:47 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-18 18:47 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-18 15:24 . 2008-05-18 15:24 1,390,340 --a------ C:\SmitfraudFix.exe
2008-05-18 13:40 . 2008-05-18 18:48 3,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-18 13:28 . 2008-05-20 09:36 <DIR> d-------- C:\Documents and Settings\Guest
2008-05-18 13:28 . 2008-05-21 09:25 1,024 --ah----- C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-05-18 13:20 . 2006-02-28 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-18 13:19 . 2008-05-20 09:36 <DIR> d-------- C:\Documents and Settings\Problem correction
2008-05-18 13:19 . 2008-05-21 09:25 1,024 --ah----- C:\Documents and Settings\Problem correction\ntuser.dat.LOG
2008-05-18 10:53 . 2008-05-18 10:53 319,872 --a------ C:\WINDOWS\system32\mlJBSljJ.dll
2008-05-18 10:48 . 2008-05-20 20:34 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-18 10:48 . 2008-05-18 10:48 28,800 --a------ C:\WINDOWS\system32\cbXQkhFu.dll
2008-05-07 17:43 . 2008-05-08 13:51 <DIR> d-------- C:\Program Files\Avalon Health Care
2008-05-03 11:53 . 2008-05-03 11:53 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-03 11:52 . 2008-05-03 11:53 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-03 11:50 . 2008-05-03 11:50 <DIR> d-------- C:\Program Files\Real
2008-04-28 11:21 . 2008-04-28 11:21 <DIR> d-------- C:\Program Files\SiteChallenge
2008-04-28 11:21 . 2007-05-03 10:15 68,496 --a------ C:\WINDOWS\system32\MLSecurityCOM.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 12:49 --------- d-----w C:\Program Files\LogMeIn
2008-05-20 12:51 --------- d-----w C:\Program Files\COMODO
2008-05-20 12:51 --------- d-----w C:\Documents and Settings\Frank\Application Data\Comodo
2008-05-18 14:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-12 15:34 --------- d-----w C:\Documents and Settings\Frank\Application Data\AdobeUM
2008-04-15 12:09 1,880 ----a-w C:\WINDOWS\AUTOLNCH.REG
2008-04-02 15:27 --------- d-----w C:\Program Files\Microsoft Works
2008-03-30 14:44 --------- d-----w C:\Program Files\2nd Story Software
.

((((((((((((((((((((((((((((( snapshot@2008-05-19_14.30.16.78 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 18:28:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 13:24:55 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 02:11:28 441,402 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
+ 2008-05-20 02:11:28 441,402 ----a-w C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1033.dat.bak
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-18 15:46:37 8,712 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-05-20 13:36:47 184,196 ----a-w C:\WINDOWS\system32\Restore\rstrlog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
2008-05-18 10:48 28800 --a------ C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FA630BA-0B92-42A2-9485-4634ACE73682}]
2008-05-18 10:53 319872 --a------ C:\WINDOWS\system32\mlJBSljJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:15 579584]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 12:00 53248]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 05:46 196608]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26 217088]
"nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2003-09-06 01:16 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2003-09-06 01:35 40960]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]
"Panasonic Device Monitor Wakeup"="C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 15:54 303104]
"Panasonic Device Manager for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 13:46 126976]
"Panasonic PCFAX for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\KmPcFax.exe" [2007-05-29 11:31 757760]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 11:52 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-02 11:19 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-12-16 02:47:49 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 05:54 38400]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\cbXQkhFu.dll [2008-05-18 10:48 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQkhFu]
cbXQkhFu.dll 2008-05-18 10:48 28800 C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2005-01-07 18:30 864256 C:\Program Files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-08-03 16:09 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 12:43 8466432 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2007-12-05 11:47 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-07-18 18:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-06-01 09:48 16208384 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 18:14 49152 C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 14:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
--a------ 2000-02-14 18:36 43008 C:\WINDOWS\system32\WFXSNT40.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)
"WZCSVC"=2 (0x2)
"W32Time"=2 (0x2)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
S2 Panasonic Local Printer Service;Panasonic Local Printer Service;C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe [2004-08-03 05:33]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 14:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2004-11-23 18:39]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-02-14 18:36]

.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXQkhFu.dll
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-05-21 9:27:16 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-21 13:27:10
ComboFix2.txt 2008-05-20 23:52:10
ComboFix3.txt 2008-05-20 23:11:06
ComboFix4.txt 2008-05-20 14:59:33
ComboFix5.txt 2008-05-20 14:20:07

Pre-Run: 279,975,116,800 bytes free
Post-Run: 279,957,970,944 bytes free

256 --- E O F --- 2008-05-18 19:42:34
fmonte
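The ComboFix log above lists every registry load point and the module each one loads. The entries the helpers go on to remove share one pattern: the same recently created DLL in system32 is registered as a Browser Helper Object, as a ShellExecuteHook under the same CLSID, and as a Winlogon Notify package, and the "DLLs Loaded Under Running Processes" section shows it already inside winlogon.exe. As an added example that is not part of the thread and not ComboFix's own tooling, the following Python script parses a constructed excerpt in the same format and flags any module registered through more than one autostart mechanism. The mechanism labels and the excerpt are this example's own assumptions.

```python
import re

# Constructed excerpt in the format of ComboFix's "Reg Loading Points" section,
# modelled on the log posted in the thread.  Only a handful of entries are kept;
# the AVG, WinFax and LogMeIn lines stand in for ordinary, legitimate software.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
2008-05-18 10:48 28800 --a------ C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FA630BA-0B92-42A2-9485-4634ACE73682}]
2008-05-18 10:53 319872 --a------ C:\WINDOWS\system32\mlJBSljJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:15 579584]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 05:54 38400]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\cbXQkhFu.dll [2008-05-18 10:48 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQkhFu]
cbXQkhFu.dll 2008-05-18 10:48 28800 C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll
"""

# Autostart mechanism implied by a registry key, judged by a substring of the
# lower-cased key path.  The labels are this example's own; first match wins.
MECHANISMS = [
    ("browser helper objects", "BHO"),
    ("shellexecutehooks", "ShellExecuteHook"),
    ("winlogon\\notify", "WinlogonNotify"),
    ("\\run", "Run"),
]

# A Windows path ending in .dll or .exe; stops at quotes or brackets so the
# trailing "[date size]" annotation ComboFix appends is not swallowed.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]+?\.(?:dll|exe)\b', re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def mechanism_for(key):
    k = key.lower()
    for needle, name in MECHANISMS:
        if needle in k:
            return name
    return "Other"


def parse_loading_points(text):
    """Return (mechanism, module_path, clsids) for each module a key loads."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # a new "[HKEY_...]" section header
            continue
        if key is None:
            continue                  # text before the first section
        match = PATH_RE.search(line)
        if not match:
            continue
        # CLSIDs can sit in the key (BHO) or in the value name (ShellExecuteHooks).
        clsids = {g.upper() for g in GUID_RE.findall(key) + GUID_RE.findall(line)}
        entries.append((mechanism_for(key), match.group(0), clsids))
    return entries


def correlate(entries):
    """Group load points by module path (case-insensitive, as NTFS is)."""
    by_module = {}
    for mechanism, path, clsids in entries:
        rec = by_module.setdefault(path.lower(),
                                   {"path": path, "mechanisms": set(), "clsids": set()})
        rec["mechanisms"].add(mechanism)
        rec["clsids"] |= clsids
    return by_module


def flag_multi_mechanism(text, min_mechanisms=2):
    """Modules hooked through at least min_mechanisms distinct autostart routes."""
    flagged = []
    for rec in correlate(parse_loading_points(text)).values():
        if len(rec["mechanisms"]) >= min_mechanisms:
            flagged.append((rec["path"], sorted(rec["mechanisms"])))
    return sorted(flagged)


if __name__ == "__main__":
    for path, mechanisms in flag_multi_mechanism(SAMPLE_LOG):
        print(f"{path}: registered via {', '.join(mechanisms)}")
```

On the excerpt only cbXQkhFu.dll is reported, via BHO, ShellExecuteHook and WinlogonNotify; mlJBSljJ.dll has a single BHO registration and is not flagged by this rule alone, which is why a reviewer still reads the full log rather than relying on one heuristic.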


05-21-2008, 08:07 PM   #22
Diamond Member
Join Date: Dec 2007
Location: Croatia
Age: 16
Posts: 3,924

It's OK, don't worry. Delete this file in safe mode. Search for it; when found, delete the file. It won't show you an error.
It's very important that you delete that file, it's a Trojan virus that neither I nor Punk found in your ComboFix and HijackThis logs.
__________________
dznutz:
Quote:
a firewall is like a gate. it keeps the bad people out and the dog in but it's not fool proof. but lets say you download and run an infected program. that will be like letting in a "friend." if it's infected you run that program you can get malware. that's like a friend raping your family and stealing your money.
GameMaster
05-21-2008, 08:37 PM   #23
Silver Member
Join Date: Nov 2007
Posts: 126

I am trying to delete it in safe mode but I do get the error message.
fmonte
05-21-2008, 08:59 PM   #24
Diamond Member
Join Date: Dec 2007
Location: Croatia
Age: 16
Posts: 3,924

Impossible. All right then, this will surely do it:

Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.
  • Open a Notepad file by clicking Start > Run and typing Notepad.exe in the box, click OK.
  • Click Format, and ensure Word Wrap is unchecked.
  • Copy and Paste the text in the box below into Notepad.
  • Now save the file as RemoveFiles.txt in a location where you can find it.

Quote:
Drivers to unload:
C:\WINDOWS\system32\cbXQkhFu.dll

Files to delete:
C:\WINDOWS\system32\cbXQkhFu.dll
C:\WINDOWS\system32\mlJBSljJ.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.
  • Check Load script from file:
  • Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
  • Double click it to enter it into Avenger.
  • Click the green traffic light symbol.
  • You will be asked if you want to execute the script, answer Yes.
  • At this point you may get prompts from your protection systems, allow them please.
  • Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
  • Answer Yes, and allow your computer to re-boot.
  • Upon re-boot a command window will briefly appear on screen (this is normal).
  • A Notepad text file will be created C:\avenger.txt.
  • Copy and Paste it into your next post please.
GameMaster
05-21-2008, 09:50 PM   #25
Silver Member
Join Date: Nov 2007
Posts: 126

Here is the text you requested, but when the Notepad window came up, an error message appeared over it that said: Windows no disk: Exception Processing Message c0000013 Parameters 75b6b9c 4 75b6b9c 75b6bf9c. Is there anything I should do with that, or just reboot?

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\cbXQkhFu.dll" not found!
Deletion of driver "C:\WINDOWS\system32\cbXQkhFu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\cbXQkhFu.dll" deleted successfully.
File "C:\WINDOWS\system32\mlJBSljJ.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
fmonte


05-21-2008, 09:57 PM   #26
Diamond Member
Join Date: Dec 2007
Location: Croatia
Age: 16
Posts: 3,924

Well you're Trojanless now, lol.
I'd like to have one more scan though, to make sure. I don't know what that error means...can you tell me what's the situation with your desktop and icons?

Please go HERE to run Panda ActiveScan 2.0
  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply
GameMaster
05-21-2008, 10:02 PM   #27
Silver Member
Join Date: Nov 2007
Posts: 126

Just a short note to let you know, I cancelled that error message and rebooted, and things seem back to normal. Could this nightmare be over? If so, please let me know if it is safe to get back online. I use AVG virus scan (free edition) and the Windows firewall, although many times upon booting up I get an annoying error message that says my firewall did not start. It says click here to put it on, but when I do that it won't allow me to change it, so I have to reboot hoping it comes on the next time.
fmonte
05-21-2008, 10:04 PM   #28
Silver Member
Join Date: Nov 2007
Posts: 126

Just got your message about Panda, will do it now. Thank you.
fmonte
05-21-2008, 10:24 PM   #29
Diamond Member
Join Date: Dec 2007
Location: Croatia
Age: 16
Posts: 3,924

Hi, yeah, looking forward to your scan results. It's possible that the nightmare is over, but I want to be sure, and if you're still infected, the log you post will certainly help me.
GameMaster
05-21-2008, 11:29 PM   #30
Silver Member
Join Date: Nov 2007
Posts: 126

Here you go, I hope this is what you need. Just to let you know, it took about an hour for the scan to say 20% complete, and then I opened up another browser so that I could surf the net while it was finishing, and then 5 minutes later I went back and the scan was done. Did I do something wrong that would affect the results? Should I repeat the scan and do nothing while it is running?

;*****************************************************************************************************************************************************************************************
ANALYSIS: 2008-05-21 18:23:11
PROTECTIONS: 1
MALWARE: 19
SUSPECTS: 0
;*****************************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;=========================================================================================================================================================================================
AVG 7.5.524 7.5.524 Yes Yes
;=========================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=========================================================================================================================================================================================
00003428 adware/memorywatcher Adware No 0 Yes No hkey_classes_root\vbrad.trayicon
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Frank\Desktop\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP193\A0049098.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP204\A0050304.exe
00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@7search[2].txt
00167665 Cookie/Clicktracks TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@stats1.clicktracks[1].txt
00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@perf.overture[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@burstnet[2].txt
00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@hc2.humanclick[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@overture[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@go[2].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@searchportal.information[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@target[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@did-it[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@atwola[2].txt
00325830 Cookie/Bridgetrack TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@citi.bridgetrack[2].txt
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP204\A0050266.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP203\A0050186.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP194\A0049399.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP206\A0050369.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP195\A0049512.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP202\A0050131.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP201\A0050060.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP198\A0049907.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP200\A0050008.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP199\A0049959.EXE
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@enhance[2].txt
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Frank\Desktop\SmitfraudFix\Reboot.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP196\A0049551.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP202\A0050122.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP201\A0050053.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP203\A0050179.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP194\A0049391.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP204\A0050258.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP199\A0049952.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP200\A0050001.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP198\A0049900.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP206\A0050359.sys
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP195\A0049504.sys
;=========================================================================================================================================================================================
SUSPECTS
Sent Location Ek
;=========================================================================================================================================================================================
;=========================================================================================================================================================================================
VULNERABILITIES
Id Severity Description Ek
;=========================================================================================================================================================================================
;=========================================================================================================================================================================================
fmonte
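The Panda table above mixes three kinds of hits that a practitioner separates before acting on the count of 19: archived copies inside System Restore points (under System Volume Information, which are cleared by purging the restore points once the machine is clean), tracking cookies, and components of the cleanup tool the thread already ran (Process.exe and Reboot.exe under the SmitfraudFix folder are that tool's own utilities, which scanners routinely classify as HackTool or Rebooter). What is left after that sorting is the short list worth a second look. As an added example, not part of the thread and not Panda's software, this Python script parses a constructed excerpt in the export format and buckets each row by where it lives. The SmitfraudFix folder name as the tool marker and the excerpt itself are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in Panda ActiveScan 2.0's export format, modelled on the
# report posted in the thread: a few representative rows, counts adjusted.
SAMPLE_REPORT = r"""
;*****************************************************************************
ANALYSIS: 2008-05-21 18:23:11
PROTECTIONS: 1
MALWARE: 6
SUSPECTS: 0
;*****************************************************************************
PROTECTIONS
Description Version Active Updated
;=============================================================================
AVG 7.5.524 7.5.524 Yes Yes
;=============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=============================================================================
00003428 adware/memorywatcher Adware No 0 Yes No hkey_classes_root\vbrad.trayicon
00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Frank\Desktop\SmitfraudFix\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP193\A0049098.exe
00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Frank\Cookies\frank@7search[2].txt
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Frank\Desktop\SmitfraudFix\Reboot.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP202\A0050122.sys
;=============================================================================
SUSPECTS
Sent Location Ek
;=============================================================================
"""

# One MALWARE row: the first seven columns never contain spaces, so everything
# after the seventh is the Location column (which may contain spaces).
ROW_RE = re.compile(
    r"^(\d{8})\s+(\S+)\s+(\S+)\s+(Yes|No)\s+(\d+)\s+(Yes|No)\s+(Yes|No)\s+(.+?)\s*$")

# Folder of the cleanup tool the thread already ran; its bundled Process.exe and
# Reboot.exe are routinely classified as HackTool/Rebooter.  Assumed marker.
TOOL_FOLDER_MARKERS = ("\\smitfraudfix\\",)


def parse_malware_rows(text):
    """Rows of the MALWARE table as dicts; stops at the next section."""
    rows, in_table = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "MALWARE":
            in_table = True
            continue
        if not in_table or stripped.startswith(";") or stripped.startswith("Id "):
            continue
        if stripped in ("SUSPECTS", "VULNERABILITIES"):
            break
        m = ROW_RE.match(stripped)
        if m:
            rows.append({
                "id": m.group(1), "description": m.group(2), "type": m.group(3),
                "active": m.group(4) == "Yes", "severity": int(m.group(5)),
                "disinfectable": m.group(6) == "Yes", "disinfected": m.group(7) == "Yes",
                "location": m.group(8),
            })
    return rows


def bucket_for(location):
    """Where a hit lives decides what, if anything, has to be done about it."""
    loc = location.lower()
    if "\\system volume information\\_restore" in loc:
        return "restore_point"      # archived copy; cleared by purging System Restore
    if "\\cookies\\" in loc:
        return "tracking_cookie"    # privacy nuisance, not code execution
    if any(marker in loc for marker in TOOL_FOLDER_MARKERS):
        return "cleanup_tool"       # expected: the helper tool's own utilities
    return "live"                   # anything else still needs a look


def triage(text):
    buckets = defaultdict(list)
    for row in parse_malware_rows(text):
        buckets[bucket_for(row["location"])].append(row)
    return dict(buckets)


def summarize(text):
    return {bucket: len(rows) for bucket, rows in triage(text).items()}


def needs_attention(text):
    """(description, location) for live hits and for anything reported Active."""
    return [(r["description"], r["location"]) for r in parse_malware_rows(text)
            if r["active"] or bucket_for(r["location"]) == "live"]


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for description, location in needs_attention(SAMPLE_REPORT):
        print(f"follow up: {description} at {location}")
```

On the excerpt the only item left for follow-up is the inactive adware registry key; an Active=Yes row would be kept regardless of bucket, since a tool component or restore-point copy that is actually running is no longer just archived.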