ravensheat

hey guys having problems here.. ive tried the LSP thing and the other one but no luck.. must of had something deleted during combofix. Heres the Log



ComboFix 08-09-20.05 - Iota 2008-09-21 18:12:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.196 [GMT 12:00]
Running from: C:\Documents and Settings\Iota\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Iota\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiMalwareGuard.lnk
C:\Documents and Settings\Guest\Application Data\rhc93tj0epb3
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[2].txt
C:\Documents and Settings\Guest\Cookies\guest@adsfac[1].txt
C:\Documents and Settings\Guest\Cookies\guest@serving-sys[2].txt
C:\Documents and Settings\Guest\err.log
C:\Documents and Settings\Iota\Application Data\rhc93tj0epb3
C:\Documents and Settings\Iota\Cookies\iota@ad.yieldmanager[1].txt
C:\Documents and Settings\Iota\Cookies\iota@adsfac[2].txt
C:\Documents and Settings\Iota\Cookies\iota@fatbraintoys[1].txt
C:\Documents and Settings\Iota\Cookies\iota@serving-sys[1].txt
C:\Documents and Settings\Iota\Cookies\iota@specificclick[1].txt
C:\Documents and Settings\Iota\err.log
C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\system32\bthser.dll
C:\WINDOWS\system32\cryptex.dll
C:\WINDOWS\system32\drivers\nrplfomj.dat
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\seneka.dll
C:\WINDOWS\system32\senekadf.dll
C:\WINDOWS\system32\senekapop.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PJEADVHI
-------\Service_pjeadvhi


((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-21 17:39 . 2008-09-21 17:39 577,024 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-09-21 17:37 . 2008-09-21 17:37 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-21 17:36 . 2008-09-21 17:59 <DIR> d-------- C:\SDFix
2008-09-21 09:41 . 2008-09-21 09:41 <DIR> d-------- C:\Autoruns
2008-09-21 09:00 . 2008-09-21 09:00 900,015 --a------ C:\WINDOWS\system32\TmpA1698842
2008-09-21 08:45 . 2008-09-21 08:58 <DIR> d-------- C:\Program Files\FlashFXP
2008-09-21 08:45 . 2008-09-21 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FlashFXP
2008-09-20 13:20 . 2008-09-20 13:21 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-09-20 13:04 . 2008-09-20 13:04 716,272 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-09-20 12:06 . 2008-09-20 12:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-20 12:06 . 2008-09-20 12:06 <DIR> d-------- C:\Documents and Settings\Iota\Application Data\Malwarebytes
2008-09-20 12:06 . 2008-09-20 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-20 12:06 . 2008-09-10 00:07 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-20 12:06 . 2008-09-10 00:07 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-20 11:48 . 2008-09-21 18:23 1,262 --a------ C:\WINDOWS\system32\Config.MPF
2008-09-20 11:18 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-09-20 11:17 . 2006-12-22 16:02 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-09-20 11:17 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-09-20 11:17 . 2006-12-22 16:02 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-09-20 11:17 . 2006-12-22 16:02 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-09-20 11:17 . 2006-12-22 16:02 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-09-20 11:17 . 2006-12-22 16:02 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-09-20 11:16 . 2008-09-20 11:16 <DIR> d-------- C:\Program Files\McAfee.com
2008-09-20 11:16 . 2008-09-20 11:23 <DIR> d-------- C:\Program Files\McAfee
2008-09-20 11:16 . 2008-09-20 11:18 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-09-20 11:14 . 2008-09-20 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-09-20 10:59 . 2008-09-20 10:59 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-19 09:49 . 2008-09-19 09:49 21,200 --a------ C:\WINDOWS\system32\__c00E6499.jpg
2008-09-19 09:49 . 2008-09-19 09:49 21,200 --a------ C:\WINDOWS\m0_glkP_150908.dll
2008-09-19 09:48 . 2008-09-19 09:48 2,435 --a------ C:\WINDOWS\system32\senekadf.dat
2008-09-19 09:48 . 2008-09-19 09:48 42 --a------ C:\WINDOWS\system32\seneka.dat
2008-09-19 09:43 . 2008-09-19 09:43 38,455 --a------ C:\WINDOWS\system32\drivers\seneka.sys
2008-09-19 09:43 . 2008-09-19 09:49 3,294 --a------ C:\WINDOWS\system32\senekaul.dat
2008-09-19 09:43 . 2008-09-19 09:43 87 --a------ C:\WINDOWS\system32\senekakl.dat
2008-09-19 08:35 . 2008-09-19 08:35 94,208 --a------ C:\WINDOWS\system32\bqpopmti.exe
2008-09-18 20:47 . 2008-09-18 20:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DscSysUtil
2008-09-18 20:36 . 2008-09-18 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\difkrehk
2008-09-18 20:36 . 2008-09-18 09:00 165,888 --a------ C:\WINDOWS\system32\sav.cpl
2008-09-18 20:36 . 2008-09-18 20:36 86,016 --a------ C:\WINDOWS\system32\pshwhczc.exe
2008-09-16 10:18 . 2008-09-16 10:18 119,300 --a------ C:\WINDOWS\system32\mshtml90.dll
2008-09-13 14:00 . 2008-09-13 14:00 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\System Doctor Free
2008-09-13 12:37 . 2008-09-13 12:37 <DIR> d-------- C:\Documents and Settings\Iota\Application Data\PCPrivacyCleaner
2008-09-13 10:23 . 2008-09-13 10:23 <DIR> d-------- C:\Documents and Settings\Iota\Application Data\System Doctor Free
2008-09-13 10:17 . 2008-09-13 10:17 5,120 --a------ C:\WINDOWS\system32\drivers\rhdmclqn.dat
2008-09-08 19:56 . 2008-09-08 19:56 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PCPrivacyCleaner
2008-09-08 19:12 . 2003-03-19 09:20 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-09-08 19:12 . 2003-03-19 06:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-08-31 13:54 . 2002-07-08 10:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-08-31 13:54 . 2006-06-20 20:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-08-31 13:53 . 2008-08-31 13:53 <DIR> d-------- C:\Program Files\Outsim
2008-08-31 13:51 . 2008-09-21 09:02 <DIR> d-------- C:\Program Files\Image-Line
2008-08-31 13:14 . 2008-09-21 08:58 <DIR> d-------- C:\Program Files\Vstplugins
2008-08-31 13:13 . 2008-08-31 13:13 900,015 --a------ C:\WINDOWS\system32\TmpA100855
2008-08-31 11:36 . 2003-06-20 13:28 1,777,664 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-08-30 19:12 . 2008-08-30 19:12 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-08-30 19:11 . 2008-08-30 19:11 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-08-30 19:07 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-08-30 19:06 . 2008-08-30 19:06 <DIR> d-------- C:\Program Files\Microsoft Works
2008-08-30 19:05 . 2008-08-30 19:05 <DIR> d-------- C:\Program Files\MSBuild
2008-08-30 18:59 . 2008-08-30 19:04 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-08-30 18:58 . 2008-08-30 18:58 <DIR> dr-h----- C:\MSOCache
2008-08-30 18:58 . 2008-08-30 19:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-08-30 18:48 . 2008-08-30 18:56 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-08-30 18:46 . 2008-08-30 18:46 <DIR> d-------- C:\WINDOWS\provisioning
2008-08-30 18:43 . 2008-08-30 18:43 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-30 18:39 . 2004-08-04 00:56 2,897,920 --------- C:\WINDOWS\system32\xpsp2res.dll
2008-08-30 18:36 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002243_.tmp
2008-08-30 18:36 . 2004-08-03 22:42 15,872 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-08-30 18:33 . 2008-08-30 18:33 <DIR> d-------- C:\WINDOWS\EHome
2008-08-29 20:55 . 2004-05-14 16:53 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-08-29 20:55 . 2004-05-14 16:53 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-08-29 20:55 . 2004-05-14 16:53 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2008-08-29 20:55 . 2004-05-14 16:53 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2008-08-29 20:55 . 2004-01-12 02:09 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-08-29 20:55 . 2004-05-14 16:53 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2008-08-29 20:55 . 2003-11-04 15:10 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-08-29 20:55 . 2004-05-14 16:53 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-20 04:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-24 10:53 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-08-04 04:17 --------- d-----w C:\Documents and Settings\Iota\Application Data\MSN6
2008-07-30 06:56 --------- d-----w C:\Documents and Settings\Iota\Application Data\alot
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74EBCFFB-AF2D-4dd4-A9BC-2AC12864B3EC}]
2008-09-16 10:18 119300 --a------ C:\WINDOWS\system32\mshtml90.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NECMFK"="C:\Program Files\necmfk\necmfk.exe" [2004-01-24 62976]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-12-15 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-12-15 118784]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-01-19 1082920]
"AGRSMMSG"="AGRSMMSG.exe" [2003-04-17 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\m0_glkP_150908]
2008-09-19 09:49 21200 C:\WINDOWS\m0_glkP_150908.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R1 MFKGTKEY;MFKGTKEY;C:\WINDOWS\system32\drivers\mfkgtkey.sys [2003-12-03 12672]
R1 Ps2LedIF;Ps2LedIF;C:\WINDOWS\system32\drivers\ps2ledif.sys [2003-01-11 5376]
R3 Ps2Led;NEC Note Keyboard with One-touch start buttons;C:\WINDOWS\system32\DRIVERS\Ps2Led.sys [2004-01-22 8320]
S0 pjeadvhi;pjeadvhi;C:\WINDOWS\system32\drivers\nrplfomj.dat [ ]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{0D61655D-197C-47D9-BE7C-08FE21AE0F55} - C:\WINDOWS\system32\cryptex.dll
BHO-{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)
Toolbar-{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://my.alot.com?client_id=57FBD2B001C8BED2008EB8DF&install_time=26-05-2008:13:46&src_id=11069&tb_version=1.2.1.200
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &Search - http://edits.mywebsearch.com/toolbar...p=ZRxdm428YYNZ
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O16 -: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/PopularScreenSaversFWBInitialSetup1.0.1.0.cab
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.1.0.inf

O16 -: {D1548A26-B8F6-4E86-AE74-E7062CCC2E2A} - hxxp://www.miniclip.com/igloader/igloader.CAB
C:\WINDOWS\Downloaded Program Files\igloader.inf
C:\WINDOWS\Downloaded Program Files\igloader.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 18:33:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\pjeadvhi]
"ImagePath"="system32\drivers\nrplfomj.dat"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\m0_glkP_150908.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\m0_glkP_150908.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\PROGRA~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\msksrver.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
.
**************************************************************************
.
Completion time: 2008-09-21 18:37:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-21 06:37:29

Pre-Run: 24,071,413,760 bytes free
Post-Run: 28,529,733,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

231

Billy O'Neal

Hello, ravensheat
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:

• In the meantime, please refrain from making any changes to your computer.
• Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
• Finally, please reply using the button in the lower left hand corner of your screen.
• Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" .

We need to create an OTViewIt Report

1. Please download OTViewIt by OldTimer.
2. Save it to your desktop.
3. Double click on the icon on your desktop.
4. Click the "Scan All Users" checkbox.
5. Push the button.
6. Two reports will open, copy and paste them in a reply here:
   • OTViewIt.txt <-- Will be opened
   • Extra.txt <-- Will be minimized

We need to scan for rootkits with GMER

1. Please download gmer.zip and save to your desktop.
   • alternate download site 1
   • alternate download site 2
2. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
3. When you have done this, disconnect from the Internet and close all running programs.
   Note: There is a small chance this application may crash your computer so save any work you have open.
4. Double-click on Gmer.exe to start the program.
5. Allow the gmer.sys driver to load if asked.
6. If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
7. Click on "Settings", then check the first five settings:
   • System Protection and Tracing
   • Processes
   • Save created processes to the log
   • Drivers
   • Save loaded drivers to the log
8. You will be prompted to restart your computer. Please do so.
9. Run Gmer again and click on the Rootkit tab.
10. Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
11. Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
    Important! Please do not select the "Show all" checkbox during the scan.
12. Click on the "Scan" and wait for the scan to finish.
    • Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
13. When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
14. Note: If you have any problems, try running GMER in Safe Mode

In your next reply, please include the following:

• OTViewIt.txt
• Extra.txt
• GMER's Log

Billy3

Billy O'Neal

Hello, ravensheat
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

Billy3