Could my PC be infected?

shrine

New Member
Hi everyone, I'm new to the forum and, well, to computers in general, so I was wondering if someone would be kind enough to go over a HijackThis log with me to see if I have any infections on my PC?

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:36 AM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.laurawinters.com
O15 - Trusted Zone: *.sablemoon.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 3604 bytes


Basically, I know next to nothing about computers, so this looks like gibberish to me. My mother used to be the one who took care of our home PC, but when she passed away last month, the task somehow fell to me. I would very much appreciate any help in determining if there are any infections on my computer, and how to remove them if so.

Also, if anyone has any website or book recommendations on how to spot malware, or just learning more about computers in general, please feel free to share.

Thanks very much for your time,

Vee
 
Hello,

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happened we want to know, and also what process you had to end.

In your reply:
  • Post the combo fix log
  • Post a Fresh Hijackthis log

Thank you
 
Hi cohen, thanks for the help. Here's the ComboFix log:

ComboFix 08-09-01.01 - Default 2008-09-02 3:26:53.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.177 [GMT -4:00]
Running from: C:\Documents and Settings\Default\My Documents\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Default\Application Data\inst.exe
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\KKJ4XXRV\bin.clearspring.com
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\KKJ4XXRV\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\KKJ4XXRV\bin.clearspring.com\ws\wan\wanLib.swf\4734f148a6404f26.sol
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\KKJ4XXRV\bin.clearspring.com\ws\wan\wanLib.swf\475d8c19467b867d.sol
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\KKJ4XXRV\interclick.com
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\KKJ4XXRV\interclick.com\ud.sol
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\KKJ4XXRV\static.youku.com
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\KKJ4XXRV\static.youku.com\v1.0.0199\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\#SharedObjects\KKJ4XXRV\static.youku.com\v1.0.0204\v\swf\qplayer.swf\youku.sol
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com
C:\Documents and Settings\Default\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol
C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\dbfb.dll
C:\WINDOWS\system32\install.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_NTMLSVC


((((((((((((((((((((((((( Files Created from 2008-08-02 to 2008-09-02 )))))))))))))))))))))))))))))))
.

2008-09-02 00:24 . 2008-09-02 00:24 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-01 19:28 . 2008-09-01 19:29 <DIR> d-------- C:\944c7dbbf9068bd4b56eaa275a
2008-08-22 19:08 . 2008-08-22 22:00 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-02 07:31 --------- d-----w C:\Documents and Settings\Default\Application Data\WTablet
2008-09-02 01:16 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-23 10:19 --------- d-----w C:\Program Files\eMule
2008-07-23 06:51 --------- d-----w C:\Program Files\PeerGuardian2
2008-07-23 06:48 --------- d-----w C:\Documents and Settings\Default\Application Data\Azureus
2008-07-22 19:33 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2007-10-20 02:09 47,360 ----a-w C:\Documents and Settings\Default\Application Data\pcouffin.sys
2007-03-25 22:18 87,608 ----a-w C:\Documents and Settings\Default\Application Data\ezpinst.exe
2006-10-28 23:11 89,088 ----a-w C:\Documents and Settings\Default\Application Data\GDIPFONTCACHEV1.DAT
2006-02-11 05:47 0 ----a-w C:\Documents and Settings\Default\Application Data\wklnhst.dat
2008-01-12 05:57 2 --shatr C:\WINDOWS\winstart.bat
2006-11-19 03:18 56 --sh--r C:\WINDOWS\system32\5C691F14EC.sys
2002-04-16 15:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
2006-10-06 16:23 88 --sh--r C:\WINDOWS\system32\EC141F695C.sys
2006-11-19 03:18 6,580 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lexmark 3100 Series"="C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-09-03 22:33 106496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-09-17 14:32 7204864]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-09-17 14:32 86016]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 12:06 1443072]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 17:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"nwiz"="nwiz.exe" [2005-09-17 14:32 1519616 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\Default\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2008-02-04 19:41:00 475136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"= 0 (0x0)
"Mn@mlrf"= 0 (0x0)
"MnOndNeg"= 0 (0x0)
"MnQtm"= 0 (0x0)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXBRKsk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FLEXnet Licensing Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 12:11]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [2007-01-15 17:11]
R3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 03:00]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2006-02-14 17:18]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2006-11-15 15:55]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);C:\WINDOWS\system32\DRIVERS\alcan5ln.sys [2001-03-23 05:58]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys [2005-06-08 19:44]
S3 RapFile;RapFile;C:\WINDOWS\system32\drivers\RapFile.sys [2003-02-25 19:26]
S3 RapNet;RapNet;C:\WINDOWS\system32\drivers\RapNet.sys [2003-02-25 19:26]
S3 ZD1211BU(SMC);802.11g Wireless USB2.0 Adapter Driver(SMC);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 06:44]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2006-08-24 06:44]
.
- - - - ORPHANS REMOVED - - - -

Notify-WBSrv - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Default\Application Data\Mozilla\Firefox\Profiles\1shw0h1e.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-02 03:33:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\Tablet.exe
.
**************************************************************************
.
Completion time: 2008-09-02 3:42:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-02 07:42:01

Pre-Run: 120,511,057,920 bytes free
Post-Run: 120,429,674,496 bytes free

149 --- E O F --- 2008-09-01 23:29:20
 
And here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:39 AM, on 9/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.laurawinters.com
O15 - Trusted Zone: *.sablemoon.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 4049 bytes
 
I don't know if it's worth mentioning, but there are a few changes to my computer after running these apps:

Notable changes

-Desktop icons have been rearranged.
-Computer kicked off during ComboFix reboot and had to be restarted manually.
-Popup appeared stating that tablet driver wasn't working, even though it appears to be.
-Alert appeared stating that Norton Internet Worm protection is turned off--which seems strange, considering that I only use ESET NOD32.
-Warning popped up from ESET NOD32 that "Eicar test file" had been quarantined and deleted.

Don't know if any of that is significant, but I thought I ought to include it just in case.
 
OK, well pls wait for a pro like ceewi1 to come along, he will be able to help you a lot more.

Thanks.
 
Ouch, is it really that bad? Sigh. Well, hopefully I can get it all fixed with some help.

Oh, and I found a ComboFix txt document with some quarantined files that were listed as follows:

1998-04-27 04:00:00 570,128 C:\Qoobox\Quarantine\C\WINDOWS\system32\dao350.dll.vir
2001-01-31 21:25:16 53,248 C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\Msimg32.dll.vir
2004-04-23 13:36:42 298,496 C:\Qoobox\Quarantine\C\WINDOWS\system32\dbfb.dll.vir
2004-06-09 14:57:12 118,784 C:\Qoobox\Quarantine\C\WINDOWS\system32\Install.exe.vir
2007-02-14 21:30:50 144 C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\setup.inf.vir
2007-10-20 02:09:46 87,608 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\inst.exe.vir
2007-11-26 16:57:57 89 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol.vir
2007-12-28 03:18:10 86 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol.vir
2007-12-28 05:01:34 85 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\Macromedia\Flash Player\#SharedObjects\KKJ4XXRV\static.youku.com\v1.0.0199\v\swf\qplayer.swf\youku.sol.vir
2008-01-21 18:27:10 85 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\Macromedia\Flash Player\#SharedObjects\KKJ4XXRV\static.youku.com\v1.0.0204\v\swf\qplayer.swf\youku.sol.vir
2008-01-27 23:22:17 84 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol.vir
2008-03-22 00:16:07 62 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\Macromedia\Flash Player\#SharedObjects\KKJ4XXRV\bin.clearspring.com\ws\wan\wanLib.swf\4734f148a6404f26.sol.vir
2008-04-01 03:44:34 139 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\Macromedia\Flash Player\#SharedObjects\KKJ4XXRV\interclick.com\ud.sol.vir
2008-04-05 21:53:24 61 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\Macromedia\Flash Player\#SharedObjects\KKJ4XXRV\bin.clearspring.com\ws\wan\wanLib.swf\475d8c19467b867d.sol.vir
2008-09-01 06:59:34 1,380 C:\Qoobox\Quarantine\C\Documents and Settings\Default\Application Data\Macromedia\Flash Player\#SharedObjects\KKJ4XXRV\bin.clearspring.com\clearspring.sol.vir
2008-09-02 07:30:08 11,657 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-09-02 07:30:17 276 C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2008-09-02 07:30:17 798 C:\Qoobox\Quarantine\Registry_backups\Legacy_NTMLSVC.reg.dat
2008-09-02 07:30:25 54 C:\Qoobox\Quarantine\catchme.log
2008-09-02 07:41:45 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-09-02 07:41:45 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-09-02 07:41:45 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-09-02 07:41:52 362 C:\Qoobox\Quarantine\Registry_backups\Notify-WBSrv.reg.dat


Looks ugly and I have a bad feeling about anything with a .vir at the end of it....


Thanks again for your help cohen, and I hope one of the pros will be kind enough to help me get this all fixed. :)
 
The files listed there have already been moved to quarantine by ComboFix. There are only a few leftover registry entries showing in those logs.

Please run Notepad and paste the contents of the codebox into a new file. Please do not include the word Code:
Code:
REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"=-
"Mn@mlrf"=-
"MnOndNeg"=-
"MnQtm"=-

Save the file to the desktop as fix.reg and make sure the Save as Type field says All Files. Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Do you know and trust the sites in the following entries?:
O15 - Trusted Zone: *.laurawinters.com
O15 - Trusted Zone: *.sablemoon.com


If not, run HijackThis again, select Do a system scan only, place a check next to those entries and choose Fix checked.

With regards to the Norton Internet Worm Protection, there are Norton related entries showing in that log. Was it installed at one point?

Try downloading and running the Norton Removal tool from http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

How is your system running now?
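For readers who want to see what a .reg file like the one above actually does before merging it, here is a small parser for the REGEDIT4 syntax (added example code, not part of this thread or of any of the tools discussed). In that syntax `"Name"=-` deletes a value and `[-Key]` deletes a whole key, so a fix made only of `=-` lines removes the listed values rather than blanking them; the `SET_REG` fragment and its `stale` key are constructed here to exercise the other value forms.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the fix.reg from the post above, copied verbatim.
FIX_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"=-
"Mn@mlrf"=-
"MnOndNeg"=-
"MnQtm"=-
'''

# Constructed sample covering the other REGEDIT4 forms: a dword, a key
# deletion ([-Key], hypothetical key) and a quoted string with escaped backslashes.
SET_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[-HKEY_CURRENT_USER\software\example\stale]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# A value line is either "quoted name"=data or @=data (@ is the (Default) value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# (operation, key path, value name, data); data is None for deletions.
RegOp = Tuple[str, str, str, Optional[object]]


def _unescape(s: str) -> str:
    """Undo REGEDIT4 string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> List[RegOp]:
    """Turn a REGEDIT4 file into a list of explicit registry operations."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing REGEDIT4 header; regedit would refuse to merge this file")
    ops: List[RegOp] = []
    key: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):               # [-Key] deletes the whole key
                key = None
                ops.append(("delete_key", body[1:], "", None))
            else:
                key = body
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "" if m.group(2) else _unescape(m.group(1))   # "" = (Default) value
        data = m.group(3)
        if data == "-":                            # "Name"=- deletes the value
            ops.append(("delete_value", key, name, None))
        elif data.startswith('"') and data.endswith('"'):
            ops.append(("set_string", key, name, _unescape(data[1:-1])))
        elif data.lower().startswith("dword:"):
            ops.append(("set_dword", key, name, int(data[6:], 16)))
        else:                                      # hex:, hex(7): and friends
            ops.append(("set_other", key, name, data))
    return ops


def deletions_only(ops: List[RegOp]) -> bool:
    """True when a fix only removes entries and never writes new data."""
    return all(op in ("delete_value", "delete_key") for op, *_ in ops)


if __name__ == "__main__":
    for op, key, name, data in parse_reg(FIX_REG):
        print(f"{op:13} {key}\\{name}" + (f" = {data!r}" if data is not None else ""))
    print("deletions only:", deletions_only(parse_reg(FIX_REG)))
```

Running it against a fix posted by someone else is a quick way to confirm it only removes the entries the helper named and does not write anything new.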
 
Thanks ceewi1, my computer seems to be running much more smoothly now. I really appreciate the help. :D Yes, I think my mom had installed then deleted Norton at one point, but I guess it didn't uninstall entirely. Should I remove it from my PC, or am I better off just leaving it?

I'm curious though--should I delete the files in the Qoobox folder, or is it safe to just leave them alone? Also, I know that Combofix is updated regularly, so how should I go about uninstalling & deleting it from my computer in order to reinstall it again at a later date?

Thanks again for all your help.

-Vee
 
I would suggest running the Norton Removal Tool to get rid of Norton completely.

Please click on Start -> Run. Type ComboFix /u and click OK.
Note the space between the ComboFix and the /u
This will remove the backups that ComboFix has created (the Qoobox folder) as well as the program itself.

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program. If you get a popup for a security program that you did not install yourself, do NOT click on it, and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure about an anti-spyware program you are looking at, you can find out if it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 
hey ceewi1,

I was wondering if you would explain the notepad document you had shrine create.

If I'm not mistaken that will make the entries blank, why those entries?

also in the lines

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

does this mean that these apps are not authorized?
 