Chinese Website keeps popping up every hour or so..

michaelnikki
Hi, I recently downloaded Combo-Fix and ran the file, and it created a log report. The malware, no matter what I do, just doesn't go away. I hope you guys can help me. Here is my log...

ComboFix 09-09-03.02 - Administrator 09/05/2009 14:55.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.265 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\RegEx.fnr
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\shell.fne
c:\documents and settings\Administrator\Application Data\.#
c:\documents and settings\Administrator\Local Settings\temp\E_N4\dp1.fne
c:\documents and settings\Administrator\Local Settings\temp\E_N4\eAPI.fne
c:\documents and settings\Administrator\Local Settings\temp\E_N4\HtmlView.fne
c:\documents and settings\Administrator\Local Settings\temp\E_N4\krnln.fnr
c:\documents and settings\Administrator\Local Settings\temp\E_N4\RegEx.fnr
c:\documents and settings\Administrator\Local Settings\temp\E_N4\shell.fne
c:\windows\system32\setting.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2009-08-05 to 2009-09-05 )))))))))))))))))))))))))))))))
.

2015-03-12 13:13 . 2009-08-03 18:22 -------- d-----w- c:\program files\Rapidown
2009-09-05 21:05 . 2009-09-05 21:06 -------- d-----w- c:\program files\DOSBox-0.72
2009-09-05 20:48 . 2009-09-05 21:27 -------- d-----w- C:\TC
2009-09-02 21:34 . 2009-09-02 21:34 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Opera
2009-09-02 21:34 . 2009-09-02 21:34 -------- d-----w- c:\program files\Opera
2009-08-28 18:20 . 2009-08-28 18:20 -------- d-----w- c:\program files\HiDigit
2009-08-25 21:43 . 2009-08-25 21:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-08-23 05:56 . 2009-08-23 06:00 -------- d-----w- c:\program files\LimeWire
2009-08-22 21:37 . 2005-11-19 00:14 65 ----a-w- C:\readconnections.bat
2009-08-22 21:34 . 2009-08-22 21:35 -------- d-----w- c:\temp\SpeedTouch_V1
2009-08-22 21:34 . 2009-08-22 21:34 -------- d-----w- C:\temp
2009-08-22 02:02 . 2009-08-22 02:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-08-22 01:51 . 2009-08-22 01:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple
2009-08-22 01:51 . 2009-08-22 01:51 -------- d-----w- c:\program files\Apple Software Update
2009-08-22 01:51 . 2009-08-22 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-22 01:51 . 2009-08-22 01:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2009-08-22 00:01 . 2009-08-22 13:20 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-21 23:31 . 2009-08-22 13:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-21 23:31 . 2009-08-21 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-21 23:31 . 2009-08-21 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-21 20:30 . 2009-08-21 20:57 -------- d-----w- c:\windows\system32\Adobe
2009-08-11 02:56 . 2009-08-11 03:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer
2009-08-11 02:55 . 2009-08-11 02:55 -------- d-----w- c:\program files\TeamViewer
2009-08-11 02:55 . 2009-08-11 02:55 -------- d-----w- c:\documents and settings\Administrator\temp
2009-08-09 17:31 . 2009-08-09 17:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-08-09 12:08 . 2009-08-10 12:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\UseNeXT
2009-08-09 12:07 . 2009-08-09 12:08 -------- d-----w- c:\program files\UseNeXT
2009-08-09 09:16 . 2009-08-09 09:16 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-09 09:16 . 2009-08-13 03:37 -------- d-----w- c:\program files\DivX
2009-08-06 23:00 . 2009-08-06 23:00 -------- d-----w- c:\program files\ESET

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 16:04 . 2009-02-13 00:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-08-31 15:53 . 2009-02-13 00:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC
2009-08-31 15:51 . 2009-02-13 00:09 -------- d-----w- c:\program files\mIRC
2009-08-31 04:44 . 2009-02-12 22:26 -------- d-----w- c:\program files\Java
2009-08-23 06:37 . 2009-02-13 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2009-08-22 03:11 . 2009-07-28 15:40 -------- d-----w- c:\program files\Registry Easy
2009-08-21 00:59 . 2009-04-19 16:23 -------- d-----w- c:\program files\USB Disk Security
2009-08-18 17:18 . 2009-07-28 15:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dev-Cpp
2009-08-11 16:06 . 2009-03-25 05:01 -------- d-----r- c:\program files\TypingMaster
2009-08-09 17:31 . 2009-02-12 22:22 -------- d-----w- c:\program files\Unlocker
2009-08-09 12:08 . 2009-02-17 09:23 43552 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-02 02:09 . 2009-08-02 02:06 -------- d-----w- c:\program files\Easy-Hide-IP
2009-08-02 00:38 . 2009-08-02 00:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Hide IP NG
2009-08-01 23:54 . 2009-02-22 07:13 -------- d-----w- c:\program files\Hide My IP 2009
2009-08-01 23:50 . 2009-07-29 04:20 -------- d-----w- c:\program files\QuickTime Alternative
2009-07-30 05:29 . 2009-02-28 01:26 -------- d-----w- c:\program files\MagicISO
2009-07-28 15:23 . 2009-07-28 15:23 -------- d-----w- c:\program files\Trend Micro
2009-07-28 01:29 . 2009-07-28 01:28 -------- d-----w- c:\program files\Google
2009-07-28 01:11 . 2009-02-13 00:36 -------- d-----w- c:\program files\Yahoo!
2009-07-28 00:56 . 2009-07-28 00:56 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-28 00:55 . 2009-07-28 00:54 -------- d-----w- c:\program files\Microsoft
2009-07-28 00:54 . 2009-07-28 00:53 -------- d-----w- c:\program files\Windows Live
2009-07-28 00:54 . 2009-07-28 00:54 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-28 00:30 . 2009-07-28 00:30 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-26 01:18 . 2009-07-26 01:18 -------- d-----w- c:\program files\Vimicro
2009-07-26 01:18 . 2009-02-12 22:33 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-26 01:18 . 2009-02-12 22:33 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-25 12:23 . 2009-02-16 21:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 03:21 . 2009-07-24 03:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Media Player Classic
2009-07-22 05:00 . 2009-07-22 05:00 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-07-22 04:56 . 2009-07-22 04:56 -------- d-----w- c:\program files\Microsoft.NET
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------


[-] 2005-11-28 16:42 1580544 9103FE3967CC3446A7BDE004ECA0B946 c:\windows\system32\sfcfiles.dll

c:\windows\system32\msgsvc.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-12 133104]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-05 4363504]
"QuickPhrase"="c:\program files\TypingMaster\quickphrase\quickphrase.exe" [2007-08-04 638992]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-28 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-22 126976]
"SetRefresh"="c:\program files\COMPAQ\SetRefresh\\SetRefresh.exe" [2003-11-21 525824]
"9089C5"="c:\windows\system32\BC7B8D\9089C5.EXE" [2009-07-26 1426205]
"BigDogPath"="c:\windows\VM_STI.EXE" [2003-01-21 40960]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]
"USB Antivirus"="c:\program files\USB Disk Security\USBGuard.exe" [2008-09-24 798720]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2009-03-08 128512]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
9089C5.lnk - c:\windows\system32\BC7B8D\9089C5.EXE [2009-7-25 1426205]
WordWeb.lnk - c:\program files\WordWeb\wweb32.exe [2009-2-13 42168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
"DisableCAD"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"link"= 00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\TeamViewer\\Version4\\TeamViewer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9403:TCP"= 9403:TCP:grdupczt

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [4/9/2009 3:18 PM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [4/9/2009 3:21 PM 94360]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [4/9/2009 3:19 PM 731840]
S2 gbvgps;Server Center;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 6:26 PM 14336]
S3 mrvkdoe;mrvkdoe;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
gbvgps
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1960408961-839522115-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 23:56]

2009-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1960408961-839522115-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 23:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Microsoft Internet Explorer
uInternet Settings,ProxyServer = socks=
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
.
.
------- File Associations -------
.
inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-05 15:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mrvkdoe]
"ImagePath"="\??\c:\windows\system32\01.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1960408961-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,6c,03,aa,3f,b6,ba,4b,96,2e,49,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,57,6c,03,aa,3f,b6,ba,4b,96,2e,49,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2180)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\windows\system32\imapi.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
.
**************************************************************************
.
Completion time: 2009-09-05 15:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-05 22:03
ComboFix2.txt 2009-04-19 06:45

Pre-Run: 7,405,543,424 bytes free
Post-Run: 7,328,890,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Edited by michaelnikki, 04 September 2009 - 12:44 PM.
