Tech Support Forum, Resolved HJT Threads (resolved spyware and popup issues)

#1 | 12-03-2008, 04:50 PM | relampico (Registered User; Join Date: Dec 2008; Posts: 8; OS: xp pro sp 2)

Machine is naked to internet malware

I browsed some strange sites and wound up with a machine full of trojans, rootkits and other malware. I think I may have gotten rid of some, such as vunclo.aq and tidserv!inf, but there's plenty left to slow down my machine. I'm currently running in safe mode. Periodically the cursor freezes, necessitating several Enter strokes to get things going again. Also, the first screen in IE 7 will say that the web page is unavailable because I am offline. Deleting this screen will reveal another one that has successfully loaded. I found your site and have downloaded, run, and saved the log files you asked for. This would be bad enough if it were my personal computer, but it's the one I use at work! Boy, I really screwed up. Here are the files. I'd appreciate anything you folks can do by way of helping me.
JJ
DDS Text
Attached Files: gmer.txt (924 Bytes), Attach.txt (14.6 KB)
#2 | 12-06-2008, 04:09 AM | sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,335; OS: N/A)

Re: Machine is naked to internet malware

Sorry but I don't see the DDS report anywhere
#3 | 12-08-2008, 03:09 PM | relampico (Registered User; Join Date: Dec 2008; Posts: 8; OS: xp pro sp 2)

Re: Machine is naked to internet malware

Quote (Originally Posted by sUBs):
Sorry but I don't see the DDS report anywhere

Sorry. I thought I'd sent all the files requested by the forum. I will rerun everything and resubmit. I'm also going to blow away Norton, as I have lost faith in it, and replace it with Comodo Pro, which I have had on my machine at home for a while.
#4 | 12-10-2008, 06:02 AM | sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,335; OS: N/A)

Re: Machine is naked to internet malware

Are you still with us?
__________________

Question - what have you done for the community today?
#5 | 12-10-2008, 08:22 AM | relampico (Registered User; Join Date: Dec 2008; Posts: 8; OS: xp pro sp 2)

Re: Machine is naked to internet malware

Quote (Originally Posted by sUBs):
Are you still with us?

Yes. I am back at work today. I've just uninstalled Norton, installed Comodo Pro and am in the middle of a complete system scan. Following that, I'll be following your new instructions and submitting the requisite files.
#6 | 12-10-2008, 12:03 PM | relampico (Registered User; Join Date: Dec 2008; Posts: 8; OS: xp pro sp 2)

Re: Machine is naked to internet malware

Wed 12/10 - I uninstalled Norton and installed Comodo firewall/a/v and ran a complete system scan. It found about 5 small nuisance programs, which were deleted manually through the application.
I then ran all 3 programs and, following instructions, have pasted the DDS results below and submitted attach.txt and ark.txt (attark.zip) as zip files. I would appreciate any help you could give. Thanks. JJ Rooney.


Quote (Originally Posted by relampico):
Sorry. I thought I'd sent all the files requested by the forum. I will rerun everything and resubmit. I'm also going to blow away Norton as I have lost faith in it and replace it with Comodo Pro which I have on my machine at home for a while.

DDS (Version 1.0) - NTFSx86
Run by John at 12:47:35.82 on Wed 12/10/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.495 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\srvany.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\COMODO\SafeSurf\cssurf.exe
C:\Program Files\Sage Software\Peachtree\peachw.exe
C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\downloads\security\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comodo.com/search/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {475D5825-3965-40F7-AF10-0F9C5BDFD691} - c:\windows\system32\geBTnkiG.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\yayabYqQ.dll
BHO: {71246cb7-cba2-4854-bdc9-080a3ed3fbc9} - c:\windows\system32\wlqiwk.dll
BHO: {C25298FE-A779-436E-885A-BC5C6DC12121} - c:\windows\system32\xxyXoPgh.dll
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: {BB670D0B-5C46-40C7-B38B-40DD26987723} - c:\program files\linkedin\jobsinsider\2.7.0.1043\LinkedinIEToolbar.dll
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: {F2C96FF5-E7BD-4FC5-9B71-1D3BD0B6BF82} - c:\program files\npr_radio\tbNPR_.dll
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [LWBMOUSE] c:\program files\browser mouse\browser mouse\1.0\lwbwheel.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [PrinTray] c:\windows\system32\spool\drivers\w32x86\2\printray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CTEMON.EXE] "" /h
mRun: [COMODO SafeSurf] "c:\program files\comodo\safesurf\cssurf.exe" -s
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [ALUAlert] c:\program files\symantec\liveupdate\ALuNotify.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
uPolicies-explorer: HideClock = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 0 (0x0)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
TCP: NameServer = 208.67.220.220,208.67.222.222
TCP: {76C90D90-3D80-4431-B12C-DB5B1C6C24AD} = 208.67.220.220,208.67.222.222
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
Notify: yayabYqQ - yayabYqQ.dll
AppInit_DLLs: qxjbgy.dll,abzzir.dll,szqldx.dll wlqiwk.dll c:\windows\system32\guard32.dll c:\windows\system32\cssdll32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\yayabYqQ.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyXoPgh

============= SERVICES / DRIVERS ===============

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-12-10 101776]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-12-10 31504]
R2 cmdAgent;COMODO Internet Security Helper Service;"c:\program files\comodo\comodo internet security\cmdagent.exe" [2008-12-10 618232]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2006-8-10 8192]
S1 is-LBCUQdrv;is-LBCUQdrv;c:\windows\system32\drivers\33125180.sys []
S3 AdWatchDrv;AW Realtime Driver;\??\c:\windows\system32\drivers\AWRTPD.sys []
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 RFKEBZTKRMSCW;RFKEBZTKRMSCW;c:\docume~1\john\locals~1\temp\RFKEBZTKRMSCW.exe [2008-12-1 375680]
S4 is-LBCUQ;is-LBCUQ;"c:\documents and settings\all users\desktop\kaspersky lab tool\is-lbcuq\is-LBCUQ.exe" -r []

============== File Associations ===============

inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
piffile="%1" %*"

=============== Created Last 30 ================

2008-12-10 11:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\_comodo_
2008-12-10 09:26 249,592 a------- c:\windows\system32\cssdll32.dll
2008-12-10 09:26 <DIR> --d----- c:\program files\AskBarDis
2008-12-10 09:25 147,192 a------- c:\windows\system32\guard32.dll
2008-12-10 09:25 101,776 a------- c:\windows\system32\drivers\cmdguard.sys
2008-12-10 09:25 31,504 a------- c:\windows\system32\drivers\cmdhlp.sys
2008-12-10 09:25 <DIR> --d----- c:\program files\COMODO
2008-12-10 09:02 <DIR> --d----- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-03 18:09 123,904 a------- c:\windows\system32\wlqiwk.dll
2008-12-03 18:09 123,904 a------- c:\windows\system32\hlhpcqvu.dll
2008-12-03 18:08 875,185 a--sh--- c:\windows\system32\hgPoXyxx.ini2
2008-12-03 18:08 875,319 a--sh--- c:\windows\system32\hgPoXyxx.ini
2008-12-03 18:08 295,424 a------- c:\windows\system32\xxyXoPgh.dll
2008-12-03 17:31 250 a------- c:\windows\gmer.ini
2008-12-03 17:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2008-12-03 13:18 899,330 a--sh--- c:\windows\system32\GiknTBeg.ini2
2008-12-02 18:04 6,144 a--sh--- c:\windows\system32\Thumbs.db
2008-12-02 17:51 124,416 a------- c:\windows\system32\szqldx.dll
2008-12-02 17:51 124,416 a------- c:\windows\system32\konxstwq.dll
2008-12-02 13:48 41,122,448 a------- C:\docs.ZIP
2008-12-02 13:46 66,972,789 a------- C:\spreadsheets.ZIP
2008-12-02 13:38 <DIR> --d----- C:\Aereon
2008-12-02 11:33 124,416 a------- c:\windows\system32\lvvoluhw.dll
2008-12-02 11:33 124,416 a------- c:\windows\system32\abzzir.dll
2008-12-02 11:15 2,206 a------- c:\windows\system32\wpa.dbl
2008-12-02 11:01 879,041 a--sh--- c:\windows\system32\GiknxTBeg.ini2
2008-12-01 11:48 59,392 a------- c:\windows\system32\svńshost.exe
2008-12-01 11:31 124,928 a------- c:\windows\system32\qxjbgy.dll
2008-12-01 11:31 124,928 a------- c:\windows\system32\mybvdbsr.dll
2008-12-01 11:27 899,330 a--sh--- c:\windows\system32\GiknTBeg.ini
2008-12-01 11:27 879,041 a--sh--- c:\windows\system32\GiknxTBeg.ini
2008-12-01 11:23 11,776 a--sh--- c:\windows\Thumbs.db
2008-12-01 11:22 59,909 a------- c:\docume~1\alluse~1\applic~1\winlogon.exe
2008-12-01 11:22 2,274 a------- c:\windows\system32\TDSSlxwp.dll
2008-12-01 11:22 527 a------- c:\windows\system32\TDSSrsvd.dat
2008-12-01 11:22 40,448 a------- c:\windows\system32\yayabYqQ.dll
2008-12-01 11:22 <DIR> --d----- c:\program files\Microsoft Common
2008-11-26 16:49 <DIR> --d-h--- c:\program files\Zero G Registry
2008-11-26 16:48 <DIR> --d-h--- c:\documents and settings\john\InstallAnywhere
2008-11-26 11:44 <DIR> --d----- c:\program files\QUAD Utilities
2008-11-20 18:05 <DIR> --d----- c:\program files\Conduit
2008-11-20 18:05 <DIR> --d----- c:\program files\NPR_Radio
2008-11-20 12:04 <DIR> --d----- c:\windows\system32\Adobe
2008-11-19 11:05 <DIR> --d----- c:\docume~1\john\applic~1\Macrovision
2008-11-19 11:05 <DIR> --d----- c:\docume~1\john\applic~1\Business Objects
2008-11-19 10:57 <DIR> --d----- c:\program files\Business Objects
2008-11-13 18:21 14,336 a--sh--- C:\Thumbs.db
2008-11-12 14:29 <DIR> --d----- c:\docume~1\john\applic~1\Nvu

==================== Find3M ====================

2008-12-02 16:53 107,224 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-10-31 16:33 253,139 a------- c:\windows\PDFCreator_Toolbar_Uninstaller_4093.exe
2008-10-24 06:10 453,632 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 06:10 453,632 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-15 11:57 332,800 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-03 12:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-09-15 06:57 1,846,016 -------- c:\windows\system32\dllcache\win32k.sys
2008-02-07 17:34 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-09-13 10:36 498 a------- c:\program files\Setup.log

============= FINISH: 12:50:01.21 ===============
Attached Files: attark.ZIP (10.4 KB)
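As an added triage example (not code from DDS, the forum, or either poster), the script below walks the "Pseudo HJT Report" lines of the DDS log above and flags the autostart entries an analyst would pick out first; several of them are the files the ComboFix run later in the thread deleted. The clean-machine allowlists, the randomness heuristic and all function names are assumptions.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log.

Hypothetical helper, not DDS code and not from the thread: it flags autostart
entries in persistence points a clean XP box leaves empty or at defaults
(AppInit_DLLs, LSA authentication packages, Winlogon Notify, shell execute
hooks) and browser add-ons loaded from system32 or carrying generated names.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed clean-machine baselines (not exhaustive allowlists).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_NOTIFY_DLLS = {"igfxdev.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                       "scecli.dll", "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll"}
RANDOM_NAME = "machine-generated file name"
LINE_RE = re.compile(r"^(?P<key>[A-Za-z_]+):\s*(?P<rest>.*)$")


@dataclass
class Finding:
    key: str                                   # DDS line type, e.g. "AppInit_DLLs"
    item: str                                  # the DLL or path in question
    reasons: list[str] = field(default_factory=list)


def looks_random(path: str) -> bool:
    """Heuristic for generated stems such as yayabYqQ, xxyXoPgh or wlqiwk:
    6-8 letters with several internal case flips or almost no vowels."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    vowels = sum(c in "aeiou" for c in stem.lower())
    return flips >= 3 or vowels / len(stem) < 0.25


def _name_reasons(path: str) -> list[str]:
    return [RANDOM_NAME] if looks_random(path) else []


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per autostart entry that deserves analyst attention."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key, rest = m.group("key"), m.group("rest")
        if key in ("BHO", "TB", "SEH"):
            path = rest.split(" - ", 1)[-1].strip()          # "{CLSID} - path"
            reasons = ["shell execute hooks are rarely legitimate"] if key == "SEH" else []
            if "\\system32\\" in path.lower():
                reasons.append("browser add-on loaded from system32, not Program Files")
            reasons += _name_reasons(path)
            if reasons:
                findings.append(Finding(key, path, reasons))
        elif key == "Notify":
            dll = rest.partition(" - ")[2].strip()
            if dll.lower() not in DEFAULT_NOTIFY_DLLS:
                findings.append(Finding(key, dll, ["non-default Winlogon Notify package"] + _name_reasons(dll)))
        elif key == "AppInit_DLLs":                          # empty on a clean machine
            for dll in filter(None, re.split(r"[,\s]+", rest)):
                findings.append(Finding(key, dll, ["AppInit_DLLs entry"] + _name_reasons(dll)))
        elif key == "LSA":
            name, _, value = rest.partition("=")
            if name.strip() == "Authentication Packages":
                for pkg in value.split():
                    if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                        findings.append(Finding(key, pkg, ["extra LSA authentication package"] + _name_reasons(pkg)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per DDS line type."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.key] = counts.get(f.key, 0) + 1
    return counts


# Constructed sample: the relevant lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {475D5825-3965-40F7-AF10-0F9C5BDFD691} - c:\windows\system32\geBTnkiG.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\yayabYqQ.dll
BHO: {71246cb7-cba2-4854-bdc9-080a3ed3fbc9} - c:\windows\system32\wlqiwk.dll
BHO: {C25298FE-A779-436E-885A-BC5C6DC12121} - c:\windows\system32\xxyXoPgh.dll
TB: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
Notify: igfxcui - igfxdev.dll
Notify: yayabYqQ - yayabYqQ.dll
AppInit_DLLs: qxjbgy.dll,abzzir.dll,szqldx.dll wlqiwk.dll c:\windows\system32\guard32.dll c:\windows\system32\cssdll32.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\yayabYqQ.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyXoPgh
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"{f.key:12} {f.item}  <- {'; '.join(f.reasons)}")
```

The Ask toolbar entries produce no finding because they live under Program Files and have a readable name, while the Comodo DLLs in AppInit_DLLs are still listed for review since that value is empty on a clean install.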
#7 | 12-10-2008, 12:07 PM | sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,335; OS: N/A)

Re: Machine is naked to internet malware

Make sure Comodo is totally disabled when you do this ....


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

Post the log from ComboFix when you've accomplished that.
#8 | 12-12-2008, 08:43 AM | relampico (Registered User; Join Date: Dec 2008; Posts: 8; OS: xp pro sp 2)

Re: Machine is naked to internet malware

I downloaded ComboFix and the Microsoft executable for XP Pro SP2, both to the desktop. I then dragged the latter over the former and got an error message saying it couldn't find the path and that I may not have administrator rights. I then logged on using an administrative id and repeated the whole process. Same result. Here's the error message received. PS: I disabled COMODO, my security package, both times.
Attached Files: combofix error.doc (121.0 KB)
#9 | 12-12-2008, 09:08 AM | relampico (Registered User; Join Date: Dec 2008; Posts: 8; OS: xp pro sp 2)

Re: Machine is naked to internet malware

Quote (Originally Posted by sUBs):
Make sure Comodo is totally disabled when you do this ....
Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/comb...o-use-combofix
Post the log from ComboFix when you've accomplished that.

I just checked my files directory and found that the directory referenced in the error message does exist. I am also sure the id I used has administrative privileges, as the owner left the company long ago and I use his id occasionally. I'm about out of options here, so I'd really like your continued expert advice. Thanks.
#10 | 12-12-2008, 09:10 AM | relampico (Registered User; Join Date: Dec 2008; Posts: 8; OS: xp pro sp 2)

Re: Machine is naked to internet malware

Quote (Originally Posted by relampico):
I just checked my files directory and found that the directory referenced in the error message does exist. I am also sure the id I used contains administrative privileges as the owner has long ago left the company and I use his id occasionally. I'm about out of options here so I'd really like your continued expert advice, thanks

I forgot the screen print for my last message. Here it is.
Attached Files: Proof of installed files.doc (142.5 KB)
#11 | 12-12-2008, 11:32 AM | sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,335; OS: N/A)

Re: Machine is naked to internet malware

Please run ComboFix from safe mode.
#12 | 12-12-2008, 03:53 PM | relampico (Registered User; Join Date: Dec 2008; Posts: 8; OS: xp pro sp 2)

Re: Machine is naked to internet malware

Quote (Originally Posted by sUBs):
Please run ComboFix from safe mode.

If fortune ever permits, I will buy you all the beer you can hold. Thank you very much for your patience. I ran ComboFix and it performed pretty much like the bleepingcomputer instructions, with a couple of exceptions. I initially ran it with COMODO totally off and using an administrative id. I clicked on the ComboFix icon and it took right off. I got an 'installation failed' message, probably from the Windows executable not executing. ComboFix continued. It backed up 3 registry entries. Another message received: 'you do not appear to be connected to the internet'. I assume the network isn't available in safe mode? Another message, 'failed to d/l files', but the program continued.
It then went through a series of stages and deleted a bunch of dll files etc. It continued running OK until ComboFix rebooted Windows. I assumed at that point that it was done, so I entered my user id under the Windows logon screen. This resulted in 16 lines of 'access denied'. Also, my firewall, COMODO, turned back on. (I'm not sure how I could have prevented this, unless logging on with my id was responsible.) I then got a series of error messages such as 'nircmd.com not recognizable as an internal or external command' and a couple of other similar errors. Then it wrote the log file, which I've pasted here and included as an attachment. I DO want to thank you profusely for your time and patience.
JJ Rooney

ComboFix 08-12-11.05 - James 2008-12-12 17:13:18.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.808 [GMT -5:00]
Running from: c:\documents and settings\James\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\winlogon.exe
c:\program files\Microsoft Common
c:\windows\Downloaded Program Files\setup.inf
c:\windows\SNMPAPI.DLL
c:\windows\system32\abzzir.dll
c:\windows\system32\bmnrbrkwnogood.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\GiknTBeg.ini
c:\windows\system32\GiknTBeg.ini2
c:\windows\system32\GiknxTBeg.ini
c:\windows\system32\GiknxTBeg.ini2
c:\windows\system32\hgPoXyxx.ini
c:\windows\system32\hgPoXyxx.ini2
c:\windows\system32\hlhpcqvu.dll
c:\windows\system32\hoiiljvmnogood.dll
c:\windows\system32\konxstwq.dll
c:\windows\system32\lvvoluhw.dll
c:\windows\system32\mybvdbsr.dll
c:\windows\system32\packet.dll
c:\windows\system32\qxjbgy.dll
c:\windows\system32\sjypynnogood.dll
c:\windows\system32\szqldx.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSrsvd.dat
c:\windows\system32\TDSStkdv.log
c:\windows\system32\WanPacket.dll
c:\windows\system32\win32.dll
c:\windows\system32\wlqiwk.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\xxyXoPgh.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-12 10:34 . 2008-12-12 10:48 <DIR> d-------- C:\32788R22FWJFW.3.tmp
2008-12-11 17:09 . 2008-12-12 10:34 <DIR> d-------- C:\32788R22FWJFW.2.tmp
2008-12-11 17:08 . 2008-12-11 17:09 <DIR> d-------- C:\32788R22FWJFW.1.tmp
2008-12-11 17:06 . 2008-12-11 17:08 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2008-12-11 11:37 . 2008-12-11 11:37 147,192 --a------ c:\windows\system32\guard32.dll
2008-12-11 11:29 . 2008-12-12 17:26 2,148 --a------ c:\windows\system32\wpa.dbl
2008-12-10 14:08 . 2008-12-10 14:08 120 --ahs---- c:\windows\system32\wkrbrnmb.ini
2008-12-10 11:45 . 2008-12-12 16:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\_comodo_
2008-12-10 09:26 . 2008-12-10 13:56 <DIR> d-------- c:\program files\AskBarDis
2008-12-10 09:26 . 2008-12-10 09:26 249,592 --a------ c:\windows\system32\cssdll32nogood.dll
2008-12-10 09:25 . 2008-12-10 09:26 <DIR> d-------- c:\program files\COMODO
2008-12-10 09:25 . 2008-12-10 09:25 147,192 --a------ c:\windows\system32\guard32nogood.dll
2008-12-10 09:25 . 2008-12-10 09:25 101,776 --a------ c:\windows\system32\drivers\cmdguard.sys
2008-12-10 09:25 . 2008-12-10 09:25 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-12-10 09:02 . 2008-12-10 09:02 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2008-12-03 17:31 . 2008-12-10 12:54 250 --a------ c:\windows\gmer.ini
2008-12-03 17:00 . 2008-12-03 17:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-12-02 18:04 . 2008-12-02 18:04 6,144 --ahs---- c:\windows\system32\Thumbs.db
2008-12-02 13:48 . 2008-12-02 13:48 41,122,448 --a------ C:\docs.ZIP
2008-12-02 13:46 . 2008-12-02 13:46 66,972,789 --a------ C:\spreadsheets.ZIP
2008-12-02 13:38 . 2008-12-11 12:13 <DIR> d-------- C:\Aereon
2008-12-02 11:15 . 2008-12-10 15:57 2,206 --a------ c:\windows\system32\wpanogood.dbl
2008-12-01 11:48 . 2008-12-01 11:48 59,392 --a------ c:\windows\system32\sv¤shost.exe
2008-12-01 11:23 . 2008-12-02 18:04 11,776 --ahs---- c:\windows\Thumbs.db
2008-11-26 16:49 . 2008-11-26 16:49 <DIR> d--h----- c:\program files\Zero G Registry
2008-11-26 16:48 . 2008-11-26 16:48 <DIR> d--h----- c:\documents and settings\John\InstallAnywhere
2008-11-26 11:44 . 2008-12-01 11:41 <DIR> d-------- c:\program files\QUAD Utilities
2008-11-20 18:05 . 2008-11-20 18:05 <DIR> d-------- c:\program files\NPR_Radio
2008-11-20 18:05 . 2008-11-20 18:05 <DIR> d-------- c:\program files\Conduit
2008-11-20 12:04 . 2008-11-20 12:04 <DIR> d-------- c:\windows\system32\Adobe
2008-11-19 11:05 . 2008-11-19 11:05 <DIR> d-------- c:\documents and settings\John\Application Data\Macrovision
2008-11-19 11:05 . 2008-11-19 11:05 <DIR> d-------- c:\documents and settings\John\Application Data\Business Objects
2008-11-19 10:57 . 2008-11-19 10:57 <DIR> d-------- c:\program files\Business Objects
2008-11-19 10:57 . 2008-11-19 10:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Macrovision
2008-11-13 18:21 . 2008-11-13 18:21 14,336 --ahs---- C:\Thumbs.db
2008-11-12 14:29 . 2008-11-12 14:29 <DIR> d-------- c:\documents and settings\John\Application Data\Nvu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 21:53 --------- d-----w c:\documents and settings\John\Application Data\Canon
2008-12-10 16:46 --------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2008-12-10 14:14 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-10 14:02 --------- d-----w c:\program files\Symantec
2008-12-10 14:02 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-03 15:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 22:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 22:47 --------- d-----w c:\documents and settings\John\Application Data\PC Tools
2008-12-02 20:33 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-02 19:58 --------- d-----w c:\program files\Text2PDF v1.5
2008-12-02 19:57 --------- d-----w c:\program files\Opera
2008-12-02 19:37 --------- d-----w c:\program files\FileMaker
2008-12-02 19:35 --------- d-----w c:\program files\Canon
2008-12-02 19:33 --------- d-----w c:\program files\Acro Software
2008-12-02 16:46 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-02 16:45 --------- d-----w c:\program files\SDM
2008-12-02 16:45 --------- d-----w c:\program files\MSNStockQuote
2008-12-02 16:45 --------- d-----w c:\program files\Money Manager Ex
2008-12-02 16:45 --------- d-----w c:\program files\Modem On Hold
2008-12-02 16:45 --------- d-----w c:\program files\DivX
2008-12-02 16:45 --------- d-----w c:\program files\ASAP Utilities
2008-12-02 14:44 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-07 16:33 --------- d-----w c:\documents and settings\John\Application Data\SpywareBot
2008-11-07 16:33 --------- d-----w c:\documents and settings\John\Application Data\AdwareAlert
2008-11-07 15:45 --------- d-----w c:\program files\Lavasoft
2008-11-07 15:45 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-06 16:23 --------- d-----w c:\program files\System Explorer
2008-11-06 16:23 --------- d-----w c:\documents and settings\All Users\Application Data\SystemExplorer
2008-11-06 15:45 --------- d-----w c:\program files\Common Files\Adobe
2008-11-05 16:25 --------- d-----w c:\program files\directx
2008-10-31 21:33 253,139 ----a-w c:\windows\PDFCreator_Toolbar_Uninstaller_4093.exe
2008-10-31 21:33 --------- d-----w c:\program files\PDFCreator Toolbar
2008-10-31 21:30 --------- d-----w c:\documents and settings\John\Application Data\EssentialPIM
2008-10-29 21:12 --------- d-----w c:\documents and settings\John\Application Data\Move Networks
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-02-07 22:34 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-09-13 15:36 498 ----a-w c:\program files\Setup.log
2007-08-03 15:23 1,308,216 ----a-w c:\documents and settings\johnrooney\HiJackThis_v2.exe
2006-10-16 23:12 167,936 ----a-w c:\documents and settings\johnrooney\StartupList.exe
2008-09-11 17:03 177,289,248 --sha-w c:\windows\system32\drivers\fidbox.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F2C96FF5-E7BD-4FC5-9B71-1D3BD0B6BF82}"= "c:\program files\NPR_Radio\tbNPR_.dll" [2008-09-15 1784856]

[HKEY_CLASSES_ROOT\clsid\{f2c96ff5-e7bd-4fc5-9b71-1d3bd0b6bf82}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTEMON.EXE"="/h" [X]
"LWBMOUSE"="c:\program files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [2001-03-25 429568]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\2\printray.exe" [2000-08-16 36864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"COMODO SafeSurf"="c:\program files\COMODO\SafeSurf\cssurf.exe" [2008-12-10 278264]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2008-12-10 1797880]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALuNotify.exe" [2007-08-23 152952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SPBBCSvc"=3 (0x3)
"GBPoll"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"WinDefend"=2 (0x2)
"iPod Service"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"igfxpers"=c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\pvsw\\bin\\w3dbsmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-12-10 101776]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-12-10 31504]
S1 is-LBCUQdrv;is-LBCUQdrv;c:\windows\system32\drivers\33125180.sys []
S2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2006-08-10 8192]
S3 AdWatchDrv;AW Realtime Driver;\??\c:\windows\system32\drivers\AWRTPD.sys []
S3 RFKEBZTKRMSCW;RFKEBZTKRMSCW;c:\docume~1\John\LOCALS~1\Temp\RFKEBZTKRMSCW.exe [2008-12-01 375680]
S4 is-LBCUQ;is-LBCUQ;"c:\documents and settings\All Users\Desktop\Kaspersky Lab Tool\is-LBCUQ\is-LBCUQ.exe" -r []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe []

2008-11-28 c:\windows\Tasks\Ace Optimizer Maintenance.job
- c:\program files\Ace Utilities\au.exe []

2008-11-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{135257FB-11BE-41BC-97F4-354D58F4605A} - c:\windows\system32\xxyXoPgh.dll
BHO-{475D5825-3965-40F7-AF10-0F9C5BDFD691} - (no file)
BHO-{e495c978-0753-4f59-a0fe-b76a75d0b9a3} - (no file)
Notify-yayabYqQ - yayabYqQ.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comodo.com/search/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
TCP: {76C90D90-3D80-4431-B12C-DB5B1C6C24AD} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\fxk1j1fi.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10587&gct=&gc=1&q=
FF - plugin: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\fxk1j1fi.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Yahoo!\Common\npyaxmpb.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3096)
c:\program files\Browser Mouse\Browser Mouse\1.0\MOUSEDLL.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [624]
??\c:\windows\system32\csrss.exe [688]
??\c:\windows\system32\winlogon.exe [712]
c:\windows\system32\services.exe [756]
c:\windows\system32\lsass.exe [768]
c:\windows\system32\svchost.exe [924]
c:\windows\system32\svchost.exe [988]
c:\windows\System32\svchost.exe [1084]
c:\windows\system32\svchost.exe [1148]
c:\windows\system32\svchost.exe [1284]
c:\windows\system32\LEXBCES.EXE [1356]
c:\windows\system32\spoolsv.exe [1388]
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe [1520]
c:\windows\System32\svchost.exe [1632]
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [1656]
c:\windows\System32\svchost.exe [1696]
c:\windows\system32\srvany.exe [1776]
c:\pvsw\bin\w3dbsmgr.exe [1788]
c:\windows\System32\svchost.exe [1796]
c:\windows\system32\svchost.exe [1924]
c:\program files\Windows Media Player\WMPNetwk.exe [560]
c:\windows\System32\alg.exe [2508]
c:\windows\system32\CF3023.exe [3584]
c:\program files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe [3748]
c:\windows\system32\hkcmd.exe [3764]
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe [3856]
c:\program files\COMODO\SafeSurf\cssurf.exe [3872]
c:\program files\Symantec\LiveUpdate\ALuNotify.exe [3960]
c:\windows\system32\wuauclt.exe [1936]
c:\windows\system32\msiexec.exe [196]
c:\windows\system32\wbem\wmiprvse.exe [2896]
c:\windows\system32\wuauclt.exe [3304]
c:\windows\explorer.exe [3096]
c:\combofix\catchme.cfexe [3484]
.
**************************************************************************
.
Completion time: 2008-12-12 17:31:59 - machine was rebooted [John]
ComboFix-quarantined-files.txt 2008-12-12 22:31:42

Pre-Run: 52,038,922,240 bytes free
Post-Run: 51,069,366,272 bytes free

293 --- E O F --- 2008-12-12 22:31:01
Attached Files
File Type: txt combofix.txt (17.2 KB, 0 views)
Old 12-13-2008, 12:19 AM   #13 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,335
OS: N/A


Re: Machine is naked to internet malware

Quote:
It continued running ok until ComboFix rebooted Windows. I assumed at that point that it was done so I entered my user id under the Windows logon screen. This resulted in 16 lines of 'access denied'. Also, my firewall, COMODO turned back on. (I'm not sure how I could have prevented this unless logging on with my id was responsible). I then got a series of error messages such as 'nircmd.com not recognizable as an internal or external command and a couple of other similar errors.
Nircmd is a tool which is embedded into ComboFix. It's a freeware command-line utility published by Nirsoft (website). Google has many hits of articles about it. Nircmd has multiple features & some malicious software of the past has misused it. Thus, some security vendors have listed Nircmd as 'riskware' (potentially unwanted tool). I submitted Nircmd to a comprehensive online scan performed by 36 security vendors. This was the report > http://www.virustotal.com/analisis/3...4e0f0cdfd18275 . 9/36 detected it but 2 falsely identified it as a trojan.

I don't really know how to say this without sounding disparaging. Comodo is supposed to be a protection program. It's akin to rearing a large dog to safeguard the home. While it's good that my large scary dog will deter would-be burglars, it's bad when this 'appointed protector' doesn't listen to its master's instructions.

ComboFix is a malware removal tool. It's one of the most powerful file removers out there. That's the reason why we don't advocate users running ComboFix on their own initiative. When a user runs ComboFix, it's a bit like launching a nuclear missile in the system. If this missile finds, targets & destroys malware files, then all is well and good. If something messes with the missile's guidance system, we won't know what it will detect/target. ComboFix does have the ability to render machines into doorstops.
Quote:
I then logged on using an administrative id and repeated the whole process. Same result. Here's the error message received. PS, I disabled COMODO, my security package both times.
This is a good example depicting how the guard dog doesn't obey instructions. It hasn't been able to deal with the infection currently on the machine, but it interferes with another tool trying to do so. For us to safely continue running ComboFix on this machine, I must request that Comodo be temporarily uninstalled. I cannot take the risk that Comodo may cause ComboFix to perform a series of false deletions.

Please let me know if you're agreeable to the idea.
__________________

Question - what have you done for the community today?
Old 12-16-2008, 02:56 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,335
OS: N/A


Re: Machine is naked to internet malware

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
__________________

Question - what have you done for the community today?
Copyright 2001 - 2009, Tech Support Forum