ComboFix didn't give you anything... it is a malware removal tool, not a virus.
You shouldn't use ComboFix unless it is under supervision... it can hose a machine if used incorrectly. Those files are files that I use to clean infections and they aren't suited for general use by people wanting to clean their PCs. Malware removal tools can do more harm than good if you are not trained in using them!
The reason I uploaded them to RapidShare is because the DNSChanger infections will block access to the original security sites where they are hosted.
Baz, I finally got a successful download from RapidShare. I could not disable AVG and kept getting warnings. I tried to uninstall it, but no luck. When I opened ComboFix, it went right to scanning, and I do have a finished scan in Notepad, but never found any attaching options to zip. Thank you so much for your patience. Can I send the scan results any other way?
ComboFix 09-01-17.02 - Owner 2009-01-17 20:22:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.61 [GMT -6:00]
Running from: c:\docume~1\Owner\LOCALS~1\Temp\Rar$EX05.375\CombFix.exe
AV: AVG Anti-Virus Free On-access scanning enabled (Outdated)
- Created a new restore point
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Cookies\hpothb07.dat
c:\documents and settings\Owner\Cookies\hpothb07.tif
C:\SMARTDRV.PIF
.
((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.
2009-01-16 21:35 . 2009-01-16 21:35 <DIR> d—h——- C:\$AVG8.VAULT$
2009-01-16 18:35 . 2009-01-16 18:35 <DIR> d———— c:\windows\system32\drivers\Avg
2009-01-16 18:35 . 2009-01-16 18:35 <DIR> d———— c:\program files\AVG
2009-01-16 18:35 . 2009-01-17 20:35 <DIR> d———— c:\documents and settings\All Users\Application Data\avg8
2009-01-16 18:35 . 2009-01-16 18:35 97,928 —a——— c:\windows\system32\drivers\avgldx86.sys
2009-01-16 18:35 . 2009-01-16 18:35 76,040 —a——— c:\windows\system32\drivers\avgtdix.sys
2009-01-16 18:35 . 2009-01-16 18:35 10,520 —a——— c:\windows\system32\avgrsstx.dll
2009-01-16 13:19 . 2009-01-16 13:19 <DIR> d———— c:\program files\Malwarebytes’ Anti-Malware
2009-01-16 13:19 . 2009-01-16 13:19 <DIR> d———— c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-16 13:19 . 2009-01-16 13:19 <DIR> d———— c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 13:19 . 2009-01-14 16:11 38,496 —a——— c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 13:19 . 2009-01-14 16:11 15,504 —a——— c:\windows\system32\drivers\mbam.sys
2009-01-09 13:50 . 2009-01-09 13:49 73,728 —a——— c:\windows\system32\javacpl.cpl
2009-01-09 13:49 . 2009-01-15 14:19 <DIR> d———— c:\program files\Java
2009-01-06 12:15 . 2009-01-06 12:15 <DIR> d———— c:\program files\Sun
2009-01-06 12:01 . 2009-01-06 12:01 <DIR> d———— C:\TEMP
2009-01-06 12:00 . 2009-01-06 12:00 <DIR> d———— C:\Sun
2009-01-02 22:15 . 2009-01-02 22:15 <DIR> d———— c:\windows\Profiles
2009-01-02 22:15 . 2009-01-02 22:15 <DIR> d———— c:\documents and settings\Owner\Application Data\InterTrust
2008-12-23 16:03 . 2008-12-23 16:03 <DIR> d———— c:\program files\Common Files\Adobe AIR
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 03:18 ————- d—h—w c:\program files\InstallShield Installation Information
2009-01-07 14:09 ————- d——-w c:\documents and settings\Owner\Application Data\spweng
2009-01-03 04:15 ————- d——-w c:\program files\Common Files\Adobe
2008-12-23 23:28 ————- d——-w c:\program files\Microsoft Works
2008-12-23 23:22 ————- d——-w c:\program files\Microsoft Picture It! 2002
2008-12-15 22:30 ————- d——-w c:\documents and settings\Owner\Application Data\ArcSoft
2008-12-15 22:25 ————- d——-w c:\documents and settings\All Users\Application Data\ArcSoft
2008-12-15 22:23 ————- d——-w c:\program files\Common Files\ArcSoft
2008-12-15 22:23 ————- d——-w c:\program files\ArcSoft
2008-12-15 22:14 ————- d——-w c:\program files\OVT
2008-12-09 02:04 54,632 -c—a-w c:\documents and settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2002-04-18 11:03 1,569 ——a-w c:\program files\2KHDD.BAT
2004-08-04 07:56 165,840 —sha-r c:\windows\system32\iwebcsf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SPYKILLER"="c:\program files\Anonymizer\sk\SpyWareKiller.exe" [2004-02-12 110592]
"ANONYMIZER_SPYWAREKILLER"="c:\program files\Anonymizer\sk\spywarekiller.exe" [2004-02-12 110592]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-12-09 225280]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-12-07 09:33 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-01 262144]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-12-07 489472]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-07-10 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-07-10 114688]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-09 136600]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-16 1261336]
"SMSERIAL"="sm56hlpr.exe" [2003-10-07 c:\windows\sm56hlpr.exe]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2007-02-28 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2007-02-28 28672]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2003-06-13 569344]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:198.200.173.74/255.255.255.255,198.200.173.139/255.255.255.255:Enabled:Streamer
"443:TCP"= 443:TCP:204.58.27.34/255.255.255.255,204.58.27.43/255.255.255.255,204.58.27.51/255.255.255.255,204.58.27.60/255.255.255.255:Enabled:streamer
"6822:TCP"= 6822:TCP:ddcjej
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-16 97928]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-16 76040]
S3 APL531;OVT Scanner;c:\windows\system32\drivers\ov550i.sys [2006-07-31 580992]
S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys --> c:\windows\SYSTEM32\DRIVERS\iscflash.sys [?]
S3 PCDRDRV;Pcdr CPU Helper Driver;c:\windows\system32\drivers\PCDRDRV.sys --> c:\windows\system32\drivers\PCDRDRV.sys [?]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-16 875288]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-16 231704]
S4 ykahj;Network Helper;c:\windows\system32\svchost.exe -k netsvcs [1979-12-31 14336]
NewlyCreated - NMSCFG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ykahj
.
Contents of the 'Scheduled Tasks' folder
2005-01-02 c:\windows\Tasks\SpyWareKiller.job
- c:\program files\Anonymizer\sk\SpyWareKiller.exe [2004-02-12 12:31]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKCU-Run-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-PRIVANAL - (no file)
HKLM-Run-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
HKLM-Run-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
HKLM-Run-Ink Monitor - c:\program files\EPSON\Ink Monitor\InkMonitor.exe
HKLM-Run-IncredimailDownloader - c:\windows\DOWNLO~1\imloader.exe
HKLM-RunOnce-DELDIR0.EXE - c:\docume~1\Owner\LOCALS~1\Temp\DELDIR0.EXE
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mycopper.net/
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
Trusted Zone: *.ameritrade.com
Trusted Zone: .www.ameritrade.com
Trusted Zone: *.streamer.com
Trusted Zone: *.tdameritrade.com
Trusted Zone: www.tdameritrade.com
TCP: {FD0DC44B-CEEB-4A84-9FB6-CF09BDB89E67} = 66.6.176.10 66.6.191.10
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\fnkep8fo.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
.
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 20:37:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes …
scanning hidden autostart entries …
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
DELDIR0.EXE = "c:\docume~1\Owner\LOCALS~1\Temp\DELDIR0.EXE" "c:\program files\McAfee\McAfee Shared Components\Guardian\"?? ????|??H?l|q|???|??$? ??|???|x|??q|?o?w`????|h?,?Q|?? ?m|p???????????v?C?:?\?P?r?o?g?r?a?m? ?F?i?l?e?s?\?M?c?A?f?e?e?\?M?c?e?e? ?S?h?a?r?e?d? ?C?o?m?p?o?n?e?n? ?\?G?u?a?r?d?i?a?n?\???p?p????|p|??m|??x?~y?wT????
scanning hidden files …
scan completed successfully
hidden files: 0
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ykahj]
"ServiceDll"="c:\windows\system32\iwebcsf.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1417001333-484061587-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\windows\system32\NMSSvc.Exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\windows\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2009-01-17 20:40:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-18 02:39:47
Pre-Run: 73,930,811,904 bytes free
Post-Run: 74,315,341,824 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
174 --- E O F --- 2008-08-20 18:28:02