help with all these pos files

Computing.Net > Forums > Security and Virus > help with all these pos files

help with all these pos files

Original Message

Name: kimlee100
Date: February 3, 2008 at 15:27:26 Pacific
Subject: help with all these pos files
OS: windows xp sp2
CPU/Ram: 0.99GB of RAM
Model/Manufacturer: dell

Comment:

please help me i have lot of pos files in my documents and having all these popups .

kml

Report Offensive Message For Removal

Response Number 1

Name: jabuck
Date: February 3, 2008 at 16:13:59 Pacific

Reply: (edit)

Go to the this link:
Disable Realtime Protection
Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.
Please download Atribune's VundoFix.exe from the following site to your desktop:
Vundofix.exe

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files,
click "yes".
Once you click yes, your desktop will go blank as it starts removing
Vundo.
When completed, it will prompt that it will reboot your computer,
click "ok".
Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Please download ComboFix to the desktop from one of the following links:
Link1
Link 2
Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Report Offensive Follow Up For Removal

Response Number 2

Name: kimlee100
Date: February 3, 2008 at 22:42:07 Pacific

Reply: (edit)

hi thanks so much for helping me here is log of hijack this..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:05 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Tania Billah\Desktop\HiJackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\rravsqyp.dll
O2 - BHO: (no name) - {687E22B7-DCE4-4A61-877C-CBCF20A043EC} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\SYSTEM32\JKKIFCC.DLL
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fyamwzsg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D4D561EB-0412-42C6-A987-B83D1BAF180E} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: {8686b4ce-336e-2079-c2d4-0cf65117a08e} - {e80a7115-6fc0-4d2c-9702-e633ec4b6868} - C:\WINDOWS\system32\ajbivmwo.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com ad=http://avsystemcare.com sd=http://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [e003f212] rundll32.exe "C:\WINDOWS\system32\kvpbwgai.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.exodusvipdesk.com
O15 - Trusted Zone: *.learn.com
O15 - Trusted Zone: *.vipdesk.com
O15 - Trusted Zone: *.vipdeskconnect.com
O15 - Trusted Zone: *.webroom.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: fyamwzsg - C:\WINDOWS\SYSTEM32\fyamwzsg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9877 bytes
here is lof of combofix:
ComboFix 08-02.03.1 - Tania Billah 2008-02-03 21:39:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.554 [GMT -8:00]
Running from: C:\Documents and Settings\Tania Billah\Desktop\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\vtstt.dll
C:\Documents and Settings\Tania Billah\Application Data\AVSystemCare
C:\Documents and Settings\Tania Billah\Application Data\AVSystemCare\Logs\threats.log
C:\Program Files\AVSystemCare
C:\Program Files\AVSystemCare\history.db
C:\Program Files\AVSystemCare\main.log
C:\Program Files\AVSystemCare\ResErrors.log
C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\system32\bdpymsuk.ini
C:\WINDOWS\system32\blawxoia.ini
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\drfikupw.dll
C:\WINDOWS\system32\fyamwzsg.dll
C:\WINDOWS\system32\fyamwzsg.dll . . . . failed to delete
C:\WINDOWS\system32\fyamwzsg.dllbox
C:\WINDOWS\system32\iagwbpvk.ini
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\jehykgtq.ini
C:\WINDOWS\system32\jkkifcc.dll
C:\WINDOWS\system32\kvpbwgai.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmrnspsw.ini
C:\WINDOWS\system32\oiahdqkp.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rfnwvfty.ini
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\vtstt.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.
2008-02-03 15:22 . 2008-02-03 21:45 163,904 --a------ C:\WINDOWS\system32\fyamwzsg.dll
2008-02-03 12:20 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-03 12:02 . 2008-02-03 12:45 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 12:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 12:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 12:01 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 12:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 12:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 12:01 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Documents and Settings\Tania Billah\Application Data\SUPERAntiSpyware.com
2008-02-03 10:58 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 23:45 . 2008-02-03 14:33 <DIR> d-------- C:\VundoFix Backups
2008-02-02 23:11 . 2008-02-02 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-29 06:56 . 2008-01-29 06:56 65,088 --a------ C:\WINDOWS\system32\rravsqyp.dll
2008-01-24 14:21 . 2008-01-24 14:21 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-24 14:21 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-24 14:15 . 2008-01-24 14:18 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-24 14:15 . 2008-01-24 14:15 <DIR> d-------- C:\Temp\cXzz9
2008-01-24 14:15 . 2008-01-24 14:15 <DIR> d-------- C:\Temp
2008-01-16 11:20 . 2008-01-24 16:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 11:20 . 2008-01-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 12:36 . 2008-01-06 12:36 <DIR> d-------- C:\Documents and Settings\Asif Billah\Application Data\SiteAdvisor
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 05:33 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\SiteAdvisor
2008-02-03 22:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 20:19 146 -c--a-w C:\Documents and Settings\Asif Billah\Application Data\wklnhst.dat
2008-02-03 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 01:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-03 00:11 --------- d-----w C:\Program Files\McAfee
2008-02-01 15:02 --------- d-----w C:\Program Files\Interaction Client .NET Edition
2008-01-28 22:33 --------- d-----w C:\Program Files\VIPdesk IM
2008-01-26 19:23 22,092 -c--a-w C:\Documents and Settings\Tania Billah\Application Data\wklnhst.dat
2008-01-06 21:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-01-03 05:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-01-02 14:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-01 20:55 --------- d-----w C:\Program Files\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-01 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-01 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\CyberLink
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2007-12-26 04:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 04:08 --------- d-----w C:\Program Files\CyberLink
2007-12-26 04:04 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-10 18:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-10 18:35 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\skypePM
2007-12-10 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-06 18:24 --------- d-----w C:\Program Files\XtenNetworksInc
2007-12-04 21:27 --------- d--h--r C:\Documents and Settings\Tania Billah\Application Data\yahoo!
2007-12-04 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-29 01:50 722,176 ----a-w C:\Documents and Settings\Tania Billah\gotomypc_428.exe
2006-05-30 21:06 56 --sh--r C:\WINDOWS\system32\620A5C2A27.sys
2007-02-26 19:19 56 --sh--r C:\WINDOWS\system32\D74B323B1D.sys
2007-07-11 21:20 6,736 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-01-29 06:56 65088 --a------ C:\WINDOWS\system32\rravsqyp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687E22B7-DCE4-4A61-877C-CBCF20A043EC}]
C:\WINDOWS\system32\jkkll.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-03 21:45 163904 --a------ C:\WINDOWS\system32\fyamwzsg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D561EB-0412-42C6-A987-B83D1BAF180E}]
C:\WINDOWS\system32\vtstu.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2007-11-23 23:25 151552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 01:56 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 18:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 07:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-05 13:53 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"Athan"="C:\Program Files\Athan\Athan.exe" [2006-05-23 03:32 974848]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 13:07 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 14:48 32881]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58 696320]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"bm"="C:\Program Files\Common Files\AVSystemCare\bm.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-05-24 08:40:38 1524776]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 13:49:11 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fyamwzsg]
fyamwzsg.dll 2008-02-03 21:45 163904 C:\WINDOWS\system32\fyamwzsg.dll
R1 ATMDLC;Attachmate DLC Protocol;C:\WINDOWS\system32\DRIVERS\atmdlc.sys [2004-06-14 08:00]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (TANIABILLAH-Asif Billah).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-01 20:49:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 20:49:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 21:47:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\fyamwzsg.dll
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\fyamwzsg.dll
.
r Running Proce
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-03 21:50:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 05:50:39
.
2008-02-01 15:05:19 --- E O F ---

plz let me know what to do next?
Thanks

kml

Report Offensive Follow Up For Removal

Response Number 3

Name: jabuck
Date: February 4, 2008 at 03:46:57 Pacific

Reply: (edit)

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\fyamwzsg.dll
C:\WINDOWS\system32\rravsqyp.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\620A5C2A27.sys
C:\WINDOWS\system32\D74B323B1D.sys

Driver::
fyamwzsg
Folder::
C:\WINDOWS\system32\nGpxx01
C:\Temp\cXzz9
C:\Temp

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687E22B7-DCE4-4A61-877C-CBCF20A043EC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D561EB-0412-42C6-A987-B83D1BAF180E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bm"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fyamwzsg]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".
Post a new Combofix log and a new Hijack This log please.
Your java is out of date and can be exploited.
Download the latest version of java from this link Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.

Report Offensive Follow Up For Removal

Response Number 4

Name: kimlee100
Date: February 4, 2008 at 10:12:46 Pacific

Reply: (edit)

hi thanks here is hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:11 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tania Billah\Desktop\HiJackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.exodusvipdesk.com
O15 - Trusted Zone: *.learn.com
O15 - Trusted Zone: *.vipdesk.com
O15 - Trusted Zone: *.vipdeskconnect.com
O15 - Trusted Zone: *.webroom.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8997 bytes
And here s combofix log:
ComboFix 08-02.03.1 - Tania Billah 2008-02-04 10:02:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.529 [GMT -8:00]
Running from: C:\Documents and Settings\Tania Billah\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tania Billah\Desktop\CFScript.txt
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
FILE
C:\WINDOWS\system32\620A5C2A27.sys
C:\WINDOWS\system32\D74B323B1D.sys
C:\WINDOWS\system32\fyamwzsg.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\rravsqyp.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
C:\Temp
C:\WINDOWS\system32\620A5C2A27.sys
C:\WINDOWS\system32\D74B323B1D.sys
C:\WINDOWS\system32\fyamwzsg.dllbox
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\rravsqyp.dll
.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.
2008-02-03 12:20 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-03 12:02 . 2008-02-03 12:45 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 12:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 12:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 12:01 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 12:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 12:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 12:01 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Documents and Settings\Tania Billah\Application Data\SUPERAntiSpyware.com
2008-02-03 10:58 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 23:45 . 2008-02-03 14:33 <DIR> d-------- C:\VundoFix Backups
2008-02-02 23:11 . 2008-02-02 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-24 14:21 . 2008-01-24 14:21 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-16 11:20 . 2008-01-24 16:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 11:20 . 2008-01-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 12:36 . 2008-01-06 12:36 <DIR> d-------- C:\Documents and Settings\Asif Billah\Application Data\SiteAdvisor
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 17:56 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\SiteAdvisor
2008-02-03 22:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 20:19 146 -c--a-w C:\Documents and Settings\Asif Billah\Application Data\wklnhst.dat
2008-02-03 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 01:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-03 00:11 --------- d-----w C:\Program Files\McAfee
2008-02-01 15:02 --------- d-----w C:\Program Files\Interaction Client .NET Edition
2008-01-28 22:33 --------- d-----w C:\Program Files\VIPdesk IM
2008-01-26 19:23 22,092 -c--a-w C:\Documents and Settings\Tania Billah\Application Data\wklnhst.dat
2008-01-06 21:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-01-03 05:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-01-02 14:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-01 20:55 --------- d-----w C:\Program Files\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-01 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-01 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\CyberLink
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2007-12-26 04:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 04:08 --------- d-----w C:\Program Files\CyberLink
2007-12-26 04:04 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-10 18:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-10 18:35 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\skypePM
2007-12-10 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-06 18:24 --------- d-----w C:\Program Files\XtenNetworksInc
2007-12-04 21:27 --------- d--h--r C:\Documents and Settings\Tania Billah\Application Data\yahoo!
2007-12-04 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-29 01:50 722,176 ----a-w C:\Documents and Settings\Tania Billah\gotomypc_428.exe
2007-07-11 21:20 6,736 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
C:\WINDOWS\system32\rravsqyp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687E22B7-DCE4-4A61-877C-CBCF20A043EC}]
C:\WINDOWS\system32\jkkll.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D561EB-0412-42C6-A987-B83D1BAF180E}]
C:\WINDOWS\system32\vtstu.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2007-11-23 23:25 151552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 01:56 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 18:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 07:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-05 13:53 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"Athan"="C:\Program Files\Athan\Athan.exe" [2006-05-23 03:32 974848]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 13:07 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 14:48 32881]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58 696320]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"bm"="C:\Program Files\Common Files\AVSystemCare\bm.exe" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-05-24 08:40:38 1524776]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 13:49:11 24576]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fyamwzsg]
fyamwzsg.dll
R1 ATMDLC;Attachmate DLC Protocol;C:\WINDOWS\system32\DRIVERS\atmdlc.sys [2004-06-14 08:00]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (TANIABILLAH-Asif Billah).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-01 20:49:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 20:49:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 10:05:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-04 10:05:30
ComboFix-quarantined-files.txt 2008-02-04 18:05:21
ComboFix2.txt 2008-02-04 05:50:44
.
2008-02-01 15:05:19 --- E O F ---
thanks for helping me n whats my next step?

kml

Report Offensive Follow Up For Removal

Response Number 5

Name: jabuck
Date: February 4, 2008 at 14:40:18 Pacific

Reply: (edit)

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\rravsqyp.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\vtstu.dll

Driver::
rravsqyp
vtstu
jkkll
fyamwzsg
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687E22B7-DCE4-4A61-877C-CBCF20A043EC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D561EB-0412-42C6-A987-B83D1BAF180E}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Please run the BitDefender online scan this link:
Bitdefender Online Scanner

You will need to allow an active x install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.
Post a new Combofix log.

Report Offensive Follow Up For Removal


Pos Tmp files and Red X on Drive Help with GBDialer removal help with virus PSW.Agent.H tons of pos files, can't delete Help with PC problems	Help With These Darn Pop-Ups!!! Plse help with Hijack This log I NEED help with search hijack Help with HijackThis help with virus

Response Number 6

Name: kimlee100
Date: February 4, 2008 at 17:50:57 Pacific

Reply: (edit)

Here is combofix log:
ComboFix 08-02.03.1 - Tania Billah 2008-02-04 16:33:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.500 [GMT -8:00]
Running from: C:\Documents and Settings\Tania Billah\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tania Billah\Desktop\CFScript.txt
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
FILE
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\rravsqyp.dll
C:\WINDOWS\system32\vtstu.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-02-04 10:33 . 2008-02-04 10:33 <DIR> d-------- C:\Program Files\Java
2008-02-04 10:33 . 2008-02-04 10:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-04 10:33 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-03 12:02 . 2008-02-03 12:45 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 12:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 12:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 12:01 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 12:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 12:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 12:01 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Documents and Settings\Tania Billah\Application Data\SUPERAntiSpyware.com
2008-02-03 10:58 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 23:45 . 2008-02-03 14:33 <DIR> d-------- C:\VundoFix Backups
2008-02-02 23:11 . 2008-02-02 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-24 14:21 . 2008-01-24 14:21 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-16 11:20 . 2008-02-04 11:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 11:20 . 2008-01-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 12:36 . 2008-01-06 12:36 <DIR> d-------- C:\Documents and Settings\Asif Billah\Application Data\SiteAdvisor
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 00:12 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\SiteAdvisor
2008-02-04 22:21 --------- d-----w C:\Program Files\Interaction Client .NET Edition
2008-02-03 22:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 20:19 146 -c--a-w C:\Documents and Settings\Asif Billah\Application Data\wklnhst.dat
2008-02-03 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 01:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-03 00:11 --------- d-----w C:\Program Files\McAfee
2008-01-28 22:33 --------- d-----w C:\Program Files\VIPdesk IM
2008-01-26 19:23 22,092 -c--a-w C:\Documents and Settings\Tania Billah\Application Data\wklnhst.dat
2008-01-06 21:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-01-03 05:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-01-02 14:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-01 20:55 --------- d-----w C:\Program Files\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-01 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-01 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\CyberLink
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2007-12-26 04:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 04:08 --------- d-----w C:\Program Files\CyberLink
2007-12-26 04:04 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-10 18:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-10 18:35 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\skypePM
2007-12-10 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-06 18:24 --------- d-----w C:\Program Files\XtenNetworksInc
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-29 01:50 722,176 ----a-w C:\Documents and Settings\Tania Billah\gotomypc_428.exe
2007-07-11 21:20 6,736 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2007-11-23 23:25 151552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 01:56 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 18:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 07:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-05 13:53 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"Athan"="C:\Program Files\Athan\Athan.exe" [2006-05-23 03:32 974848]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 13:07 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58 696320]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-05-24 08:40:38 1524776]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 13:49:11 24576]
R1 ATMDLC;Attachmate DLC Protocol;C:\WINDOWS\system32\DRIVERS\atmdlc.sys [2004-06-14 08:00]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (TANIABILLAH-Asif Billah).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-01 20:49:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 20:49:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 16:35:44
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\NoAds\NoAds.dll
.
Completion time: 2008-02-04 16:36:14
ComboFix-quarantined-files.txt 2008-02-05 00:36:06
ComboFix2.txt 2008-02-04 18:05:31
ComboFix3.txt 2008-02-04 05:50:44
.
2008-02-01 15:05:19 --- E O F ---

And here is bitdefender log:

BitDefender Online Scanner

Scan report generated at: Mon, Feb 04, 2008 - 17:41:46

Scan path: C:\;D:\;

Statistics
Time

00:48:34
Files

200919
Folders

6417
Boot Sectors

4
Archives

4806
Packed Files

10663

Results
Identified Viruses

7
Infected Files

24
Suspect Files

0
Warnings

0
Disinfected

0
Deleted Files

24

Engines Info
Virus Definitions

978926
Engine build

AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins

16
Archive plugins

41
Unpack plugins

7
E-mail plugins

6
System plugins

5

Scan Settings
First Action

Disinfect
Second Action

Delete
Heuristics

Yes
Enable Warnings

Yes
Scanned Extensions

*;
Exclude Extensions

Scan Emails

Yes
Scan Archives

Yes
Scan Packed

Yes
Scan Files

Yes
Scan Boot

Yes

Scanned File

Status
C:\QooBox\Quarantine\C\WINDOWS\system32\drfikupw.dll.vir

Infected with: Trojan.Vundo.DXU
C:\QooBox\Quarantine\C\WINDOWS\system32\drfikupw.dll.vir

Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\fyamwzsg.dll.vir

Infected with: Trojan.Vundo.DWB
C:\QooBox\Quarantine\C\WINDOWS\system32\fyamwzsg.dll.vir

Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkifcc.dll.vir

Infected with: Trojan.Vundo.DXE
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkifcc.dll.vir

Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\kvpbwgai.dll.vir

Infected with: Trojan.Vundo.DXV
C:\QooBox\Quarantine\C\WINDOWS\system32\kvpbwgai.dll.vir

Deleted
C:\QooBox\Quarantine\catchme2008-02-03_214710.90.zip=>fyamwzsg.dll

Infected with: Trojan.Vundo.DWB
C:\QooBox\Quarantine\catchme2008-02-03_214710.90.zip=>fyamwzsg.dll

Deleted
C:\QooBox\Quarantine\catchme2008-02-03_214710.90.zip

Updated
C:\VundoFix Backups\ajbivmwo.dll.bad

Infected with: Trojan.Vundo.DXU
C:\VundoFix Backups\ajbivmwo.dll.bad

Deleted
C:\VundoFix Backups\cbxusrq.dll.bad

Infected with: Trojan.Vundo.DXE
C:\VundoFix Backups\cbxusrq.dll.bad

Deleted
C:\VundoFix Backups\cgylccev.dll.bad

Infected with: Trojan.Vundo.DWB
C:\VundoFix Backups\cgylccev.dll.bad

Deleted
C:\VundoFix Backups\dcrypjla.dll.bad

Infected with: Trojan.Vundo.DWB
C:\VundoFix Backups\dcrypjla.dll.bad

Deleted
C:\VundoFix Backups\emqmetyd.dll.bad

Infected with: Trojan.Vundo.DWB
C:\VundoFix Backups\emqmetyd.dll.bad

Deleted
C:\VundoFix Backups\fblaivdi.dll.bad

Infected with: Trojan.Vundo.DVC
C:\VundoFix Backups\fblaivdi.dll.bad

Disinfection failed
C:\VundoFix Backups\fblaivdi.dll.bad

Deleted
C:\VundoFix Backups\fernrfkb.dll.bad

Infected with: Trojan.Vundo.DXU
C:\VundoFix Backups\fernrfkb.dll.bad

Deleted
C:\VundoFix Backups\foxhunot.dll.bad

Infected with: Trojan.Vundo.DXU
C:\VundoFix Backups\foxhunot.dll.bad

Deleted
C:\VundoFix Backups\fyamwzsg.dll.bad

Infected with: Trojan.Vundo.DWB
C:\VundoFix Backups\fyamwzsg.dll.bad

Deleted
C:\VundoFix Backups\homqrkqf.dll.bad

Infected with: Trojan.Vundo.DXV
C:\VundoFix Backups\homqrkqf.dll.bad

Deleted
C:\VundoFix Backups\jkkifcc.dll.bad

Infected with: Trojan.Vundo.DXE
C:\VundoFix Backups\jkkifcc.dll.bad

Deleted
C:\VundoFix Backups\jxfojrch.dll.bad

Infected with: Trojan.Vundo.DXS
C:\VundoFix Backups\jxfojrch.dll.bad

Deleted
C:\VundoFix Backups\kvpbwgai.dll.bad

Infected with: Trojan.Vundo.DXV
C:\VundoFix Backups\kvpbwgai.dll.bad

Deleted
C:\VundoFix Backups\pkqdhaio.dll.bad

Infected with: Trojan.Vundo.DXV
C:\VundoFix Backups\pkqdhaio.dll.bad

Deleted
C:\VundoFix Backups\qvewlkey.dll.bad

Infected with: Trojan.Vundo.DXU
C:\VundoFix Backups\qvewlkey.dll.bad

Deleted
C:\VundoFix Backups\sdiudkso.dll.bad

Infected with: Trojan.Vundo.DWB
C:\VundoFix Backups\sdiudkso.dll.bad

Deleted
C:\VundoFix Backups\ssttt.dll.bad

Infected with: Trojan.Vundo.DXG
C:\VundoFix Backups\ssttt.dll.bad

Deleted
C:\VundoFix Backups\xbfprbfb.dll.bad

Infected with: Trojan.Vundo.DWB
C:\VundoFix Backups\xbfprbfb.dll.bad

Deleted
C:\VundoFix Backups\xunvvrab.dll.bad

Infected with: Trojan.Vundo.DVC
C:\VundoFix Backups\xunvvrab.dll.bad

Disinfection failed
C:\VundoFix Backups\xunvvrab.dll.bad

Deleted

kml

Report Offensive Follow Up For Removal

Response Number 7

Name: jabuck
Date: February 4, 2008 at 19:07:20 Pacific

Reply: (edit)

Open Notepad and copy/paste everything between the X"s into it and make sure "Folder::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\VundoFix Backups
C:\Qoobox

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".
Is your c: drive icon a red X ?
You should be clean, how is the computer operating?

Report Offensive Follow Up For Removal

Response Number 8

Name: kimlee100
Date: February 4, 2008 at 22:46:13 Pacific

Reply: (edit)

here is combofix log:

ComboFix 08-02.03.1 - Tania Billah 2008-02-04 22:37:29.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.515 [GMT -8:00]
Running from: C:\Documents and Settings\Tania Billah\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tania Billah\Desktop\CFScript.txt
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Qoobox
C:\Qoobox\BackEnv\appdata.folder.dat
C:\Qoobox\BackEnv\cache.folder.dat
C:\Qoobox\BackEnv\desktop.folder.dat
C:\Qoobox\BackEnv\favorites.folder.dat
C:\Qoobox\BackEnv\local appdata.folder.dat
C:\Qoobox\BackEnv\local settings.folder.dat
C:\Qoobox\BackEnv\my pictures.folder.dat
C:\Qoobox\BackEnv\personal.folder.dat
C:\Qoobox\BackEnv\profiles.folder.dat
C:\Qoobox\BackEnv\programs.folder.dat
C:\Qoobox\BackEnv\setpath.bat
C:\Qoobox\BackEnv\setpath.dat
C:\Qoobox\BackEnv\start menu.folder.dat
C:\Qoobox\BackEnv\startup.folder.dat
C:\Qoobox\BackEnv\templates.folder.dat
C:\Qoobox\CFScript_used_2008-02-04@10.02.txt
C:\Qoobox\CFScript_used_2008-02-04@16.33.txt
C:\Qoobox\CFScript_used_2008-02-04@22.37.txt
C:\Qoobox\ComboFix-quarantined-files.txt
C:\Qoobox\ComboFix2.txt
C:\Qoobox\ComboFix3.txt
C:\Qoobox\ComboFix4.txt
C:\Qoobox\snapshot@2008-02-03_21.50.13.75.dat
C:\Qoobox\snapshot@2008-02-03_21.50.13.75_B.dat
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\cgylccev.dllbox.bad
C:\VundoFix Backups\emqmetyd.dllbox.bad
C:\VundoFix Backups\fqkrqmoh.ini.bad
C:\VundoFix Backups\fyamwzsg.dllbox.bad
C:\VundoFix Backups\hcrjofxj.ini.bad
C:\VundoFix Backups\hqxxvoyu.dll.bad
C:\VundoFix Backups\iagwbpvk.ini.bad
C:\VundoFix Backups\jkkll.dll.bad
C:\VundoFix Backups\kusmypdb.dll.bad
C:\VundoFix Backups\lbebqaci.dll.bad
C:\VundoFix Backups\llkkj.ini.bad
C:\VundoFix Backups\llkkj.ini2.bad
C:\VundoFix Backups\mhifyajj.dll.bad
C:\VundoFix Backups\vtstu.dll.bad
C:\VundoFix Backups\wspsnrmm.dll.bad
C:\VundoFix Backups\ytfvwnfr.dll.bad
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-02-04 19:13 . 2008-02-04 19:13 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-04 16:50 . 2008-02-04 17:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-04 16:46 . 2008-02-04 16:46 <DIR> d-------- C:\Program Files\Universal
2008-02-04 10:33 . 2008-02-04 10:33 <DIR> d-------- C:\Program Files\Java
2008-02-04 10:33 . 2008-02-04 10:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-04 10:33 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-03 12:02 . 2008-02-03 12:45 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 12:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 12:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 12:01 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 12:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 12:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 12:01 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Documents and Settings\Tania Billah\Application Data\SUPERAntiSpyware.com
2008-02-03 10:58 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 23:11 . 2008-02-02 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-24 14:21 . 2008-01-24 14:21 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-16 11:20 . 2008-02-04 11:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 11:20 . 2008-01-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini
2008-01-06 12:36 . 2008-01-06 12:36 <DIR> d-------- C:\Documents and Settings\Asif Billah\Application Data\SiteAdvisor
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 06:34 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\SiteAdvisor
2008-02-04 22:21 --------- d-----w C:\Program Files\Interaction Client .NET Edition
2008-02-03 22:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 20:19 146 -c--a-w C:\Documents and Settings\Asif Billah\Application Data\wklnhst.dat
2008-02-03 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 01:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-03 00:11 --------- d-----w C:\Program Files\McAfee
2008-01-28 22:33 --------- d-----w C:\Program Files\VIPdesk IM
2008-01-26 19:23 22,092 -c--a-w C:\Documents and Settings\Tania Billah\Application Data\wklnhst.dat
2008-01-06 21:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-01-03 05:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-01-02 14:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-01 20:55 --------- d-----w C:\Program Files\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-01 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-01 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\CyberLink
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2007-12-26 04:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 04:08 --------- d-----w C:\Program Files\CyberLink
2007-12-26 04:04 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-10 18:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-10 18:35 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\skypePM
2007-12-10 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-06 18:24 --------- d-----w C:\Program Files\XtenNetworksInc
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-29 01:50 722,176 ----a-w C:\Documents and Settings\Tania Billah\gotomypc_428.exe
2007-07-11 21:20 6,736 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2007-11-23 23:25 151552]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 18:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 07:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-05 13:53 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"Athan"="C:\Program Files\Athan\Athan.exe" [2006-05-23 03:32 974848]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 13:07 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58 696320]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-05-24 08:40:38 1524776]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 13:49:11 24576]
R1 ATMDLC;Attachmate DLC Protocol;C:\WINDOWS\system32\DRIVERS\atmdlc.sys [2004-06-14 08:00]
.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (TANIABILLAH-Asif Billah).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-01 20:49:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 20:49:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 22:39:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-02-04 22:40:11
.
2008-02-01 15:05:19 --- E O F ---
YES drive C does have RED X...and one more strange thing i noticed is in control panel i have this APPN NODE PROPERTIES with red dot with four sides..i never saw that before...plz help me on this too..
otherwise my computer is running fine now all pos files gone no strange pop ups...
Thanks so much for helping

kml

Report Offensive Follow Up For Removal

Response Number 9

Name: jabuck
Date: February 5, 2008 at 03:39:32 Pacific

Reply: (edit)

Your java is out of date and can be exploited.
Download the latest version of java from this link Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.
This should fix the red X.
Go to start> run> type in notepad > ok. Copy paste the following into notepad making [autorun] the very top line:
[autorun]
ICON=C:\WINDOWS\SYSTEM\SHELL32.DLL,8
Click "save as"> then using the drop down arrow on the far right of the "save in" window select Local Disk C: to be displayed in the "save in" window.
Next type "C:\autorun.inf" (you must use the quotes) in the file name window> click save.
Restart the computer.
The control panel icon is most likely SQL a microsoft approved program or VPN but we would need more info to verify that.

Report Offensive Follow Up For Removal

Response Number 10

Name: jabuck
Date: February 6, 2008 at 15:14:59 Pacific

Reply: (edit)

It looks better but there is still so work to do.
First your java must be updated or you will continue to be reinfected as that is how you computer is being attacked. Instructions in response #9.
Go to start> control panel> add/remove programs and uninstall this program if found:
UltimateBuddy
Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
-c--a-w 61,879 2007-09-08 03:48:25 C:\Program Files\GameHouse\Incredible Ink\Gamehouse Incredible Ink Trial to Full by Great Elmo!! .exe
File::
C:\Program Files\Uninstall Fun Web Products.dll
C:\WINDOWS\system32\upnwgfpl.dll
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvtt.dll
C:\Program Files\OneStepSearch\onestep.exe

Driver::
OneStep Search Service
Folder::
C:\Program Files\UltimateBuddy
C:\Program Files\OneStepSearch
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54E1409A-68D1-43EF-93D6-5414721BA361}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC976D09-E645-47B2-BF43-973734BD8782}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".
Post a new Combofix log.
Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

Report Offensive Follow Up For Removal

Virus trouble

Rundll32- Bad image

Use following form to reply to current message:

Name: From My Computing.Net Settings E-Mail: From My Computing.Net Settings Subject: help with all these pos files

Comments:

  Homepage URL (*): 
Homepage Title (*): 
         Image URL:

Have you ever used OpenOffice?

Poll Finishes In 5 Days.
Discuss in The Lounge

Dos on disk-on-module

IE & Firefox showing old website

Delgated authentication

net searching

Multiple Wireless Routers

All Posts Awaiting Replies