Tom's Guide | Tom's Hardware | Tom's Games

Computing.Net > Forums > Security and Virus > help with all these pos files

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Click here to start participating now! Also, check out the New User Guide.

help with all these pos files

Reply to Message Icon

Name: kimlee100
Date: February 3, 2008 at 15:27:26 Pacific
OS: windows xp sp2
CPU/Ram: 0.99GB of RAM
Product: dell
Comment:

please help me i have lot of pos files in my documents and having all these popups .


kml



Sponsored Link
Ads by Google

Response Number 1
Name: jabuck
Date: February 3, 2008 at 16:13:59 Pacific
Reply:

Go to the this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.


0

Response Number 2
Name: kimlee100
Date: February 3, 2008 at 22:42:07 Pacific
Reply:

hi thanks so much for helping me here is log of hijack this..


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:05 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\Tania Billah\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\rravsqyp.dll
O2 - BHO: (no name) - {687E22B7-DCE4-4A61-877C-CBCF20A043EC} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\SYSTEM32\JKKIFCC.DLL
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\fyamwzsg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D4D561EB-0412-42C6-A987-B83D1BAF180E} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: {8686b4ce-336e-2079-c2d4-0cf65117a08e} - {e80a7115-6fc0-4d2c-9702-e633ec4b6868} - C:\WINDOWS\system32\ajbivmwo.dll (file missing)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com ad=http://avsystemcare.com sd=http://ykeeper.avsystemcare.com
O4 - HKLM\..\Run: [e003f212] rundll32.exe "C:\WINDOWS\system32\kvpbwgai.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.exodusvipdesk.com
O15 - Trusted Zone: *.learn.com
O15 - Trusted Zone: *.vipdesk.com
O15 - Trusted Zone: *.vipdeskconnect.com
O15 - Trusted Zone: *.webroom.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: fyamwzsg - C:\WINDOWS\SYSTEM32\fyamwzsg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9877 bytes

here is lof of combofix:

ComboFix 08-02.03.1 - Tania Billah 2008-02-03 21:39:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.554 [GMT -8:00]
Running from: C:\Documents and Settings\Tania Billah\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\vtstt.dll
C:\Documents and Settings\Tania Billah\Application Data\AVSystemCare
C:\Documents and Settings\Tania Billah\Application Data\AVSystemCare\Logs\threats.log
C:\Program Files\AVSystemCare
C:\Program Files\AVSystemCare\history.db
C:\Program Files\AVSystemCare\main.log
C:\Program Files\AVSystemCare\ResErrors.log
C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\system32\bdpymsuk.ini
C:\WINDOWS\system32\blawxoia.ini
C:\WINDOWS\system32\cfhkj.ini
C:\WINDOWS\system32\cfhkj.ini2
C:\WINDOWS\system32\drfikupw.dll
C:\WINDOWS\system32\fyamwzsg.dll
C:\WINDOWS\system32\fyamwzsg.dll . . . . failed to delete
C:\WINDOWS\system32\fyamwzsg.dllbox
C:\WINDOWS\system32\iagwbpvk.ini
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\jehykgtq.ini
C:\WINDOWS\system32\jkkifcc.dll
C:\WINDOWS\system32\kvpbwgai.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmrnspsw.ini
C:\WINDOWS\system32\oiahdqkp.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rfnwvfty.ini
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\vtstt.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-03 15:22 . 2008-02-03 21:45 163,904 --a------ C:\WINDOWS\system32\fyamwzsg.dll
2008-02-03 12:20 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-03 12:02 . 2008-02-03 12:45 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 12:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 12:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 12:01 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 12:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 12:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 12:01 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Documents and Settings\Tania Billah\Application Data\SUPERAntiSpyware.com
2008-02-03 10:58 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 23:45 . 2008-02-03 14:33 <DIR> d-------- C:\VundoFix Backups
2008-02-02 23:11 . 2008-02-02 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-29 06:56 . 2008-01-29 06:56 65,088 --a------ C:\WINDOWS\system32\rravsqyp.dll
2008-01-24 14:21 . 2008-01-24 14:21 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-24 14:21 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-24 14:15 . 2008-01-24 14:18 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-24 14:15 . 2008-01-24 14:15 <DIR> d-------- C:\Temp\cXzz9
2008-01-24 14:15 . 2008-01-24 14:15 <DIR> d-------- C:\Temp
2008-01-16 11:20 . 2008-01-24 16:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 11:20 . 2008-01-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 12:36 . 2008-01-06 12:36 <DIR> d-------- C:\Documents and Settings\Asif Billah\Application Data\SiteAdvisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 05:33 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\SiteAdvisor
2008-02-03 22:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 20:19 146 -c--a-w C:\Documents and Settings\Asif Billah\Application Data\wklnhst.dat
2008-02-03 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 01:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-03 00:11 --------- d-----w C:\Program Files\McAfee
2008-02-01 15:02 --------- d-----w C:\Program Files\Interaction Client .NET Edition
2008-01-28 22:33 --------- d-----w C:\Program Files\VIPdesk IM
2008-01-26 19:23 22,092 -c--a-w C:\Documents and Settings\Tania Billah\Application Data\wklnhst.dat
2008-01-06 21:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-01-03 05:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-01-02 14:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-01 20:55 --------- d-----w C:\Program Files\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-01 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-01 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\CyberLink
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2007-12-26 04:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 04:08 --------- d-----w C:\Program Files\CyberLink
2007-12-26 04:04 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-10 18:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-10 18:35 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\skypePM
2007-12-10 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-06 18:24 --------- d-----w C:\Program Files\XtenNetworksInc
2007-12-04 21:27 --------- d--h--r C:\Documents and Settings\Tania Billah\Application Data\yahoo!
2007-12-04 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-29 01:50 722,176 ----a-w C:\Documents and Settings\Tania Billah\gotomypc_428.exe
2006-05-30 21:06 56 --sh--r C:\WINDOWS\system32\620A5C2A27.sys
2007-02-26 19:19 56 --sh--r C:\WINDOWS\system32\D74B323B1D.sys
2007-07-11 21:20 6,736 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-01-29 06:56 65088 --a------ C:\WINDOWS\system32\rravsqyp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687E22B7-DCE4-4A61-877C-CBCF20A043EC}]
C:\WINDOWS\system32\jkkll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-03 21:45 163904 --a------ C:\WINDOWS\system32\fyamwzsg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D561EB-0412-42C6-A987-B83D1BAF180E}]
C:\WINDOWS\system32\vtstu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2007-11-23 23:25 151552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 01:56 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 18:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 07:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-05 13:53 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"Athan"="C:\Program Files\Athan\Athan.exe" [2006-05-23 03:32 974848]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 13:07 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 14:48 32881]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58 696320]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"bm"="C:\Program Files\Common Files\AVSystemCare\bm.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-05-24 08:40:38 1524776]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 13:49:11 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fyamwzsg]
fyamwzsg.dll 2008-02-03 21:45 163904 C:\WINDOWS\system32\fyamwzsg.dll

R1 ATMDLC;Attachmate DLC Protocol;C:\WINDOWS\system32\DRIVERS\atmdlc.sys [2004-06-14 08:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (TANIABILLAH-Asif Billah).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-01 20:49:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 20:49:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 21:47:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\fyamwzsg.dll

PROCESS: C:\WINDOWS\Explorer.exe [6.00.2900.3156]
-> C:\WINDOWS\system32\fyamwzsg.dll
.
r Running Proce
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-03 21:50:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 05:50:39
.
2008-02-01 15:05:19 --- E O F ---


plz let me know what to do next?
Thanks


kml


0

Response Number 3
Name: jabuck
Date: February 4, 2008 at 03:46:57 Pacific
Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\fyamwzsg.dll
C:\WINDOWS\system32\rravsqyp.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\620A5C2A27.sys
C:\WINDOWS\system32\D74B323B1D.sys


Driver::
fyamwzsg

Folder::
C:\WINDOWS\system32\nGpxx01
C:\Temp\cXzz9
C:\Temp

Registry::
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687E22B7-DCE4-4A61-877C-CBCF20A043EC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D561EB-0412-42C6-A987-B83D1BAF180E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bm"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fyamwzsg]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new Combofix log and a new Hijack This log please.

Your java is out of date and can be exploited.
Download the latest version of java from this link Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.


0

Response Number 4
Name: kimlee100
Date: February 4, 2008 at 10:12:46 Pacific
Reply:

hi thanks here is hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:11 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Athan\Athan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Tania Billah\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.exodusvipdesk.com
O15 - Trusted Zone: *.learn.com
O15 - Trusted Zone: *.vipdesk.com
O15 - Trusted Zone: *.vipdeskconnect.com
O15 - Trusted Zone: *.webroom.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8997 bytes

And here s combofix log:

ComboFix 08-02.03.1 - Tania Billah 2008-02-04 10:02:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.529 [GMT -8:00]
Running from: C:\Documents and Settings\Tania Billah\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tania Billah\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE
C:\WINDOWS\system32\620A5C2A27.sys
C:\WINDOWS\system32\D74B323B1D.sys
C:\WINDOWS\system32\fyamwzsg.dll
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\rravsqyp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\Temp
C:\WINDOWS\system32\620A5C2A27.sys
C:\WINDOWS\system32\D74B323B1D.sys
C:\WINDOWS\system32\fyamwzsg.dllbox
C:\WINDOWS\system32\msxml3a.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\rravsqyp.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-03 12:20 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-02-03 12:02 . 2008-02-03 12:45 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 12:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 12:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 12:01 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 12:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 12:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 12:01 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Documents and Settings\Tania Billah\Application Data\SUPERAntiSpyware.com
2008-02-03 10:58 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 23:45 . 2008-02-03 14:33 <DIR> d-------- C:\VundoFix Backups
2008-02-02 23:11 . 2008-02-02 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-24 14:21 . 2008-01-24 14:21 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-16 11:20 . 2008-01-24 16:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 11:20 . 2008-01-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 12:36 . 2008-01-06 12:36 <DIR> d-------- C:\Documents and Settings\Asif Billah\Application Data\SiteAdvisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 17:56 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\SiteAdvisor
2008-02-03 22:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 20:19 146 -c--a-w C:\Documents and Settings\Asif Billah\Application Data\wklnhst.dat
2008-02-03 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 01:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-03 00:11 --------- d-----w C:\Program Files\McAfee
2008-02-01 15:02 --------- d-----w C:\Program Files\Interaction Client .NET Edition
2008-01-28 22:33 --------- d-----w C:\Program Files\VIPdesk IM
2008-01-26 19:23 22,092 -c--a-w C:\Documents and Settings\Tania Billah\Application Data\wklnhst.dat
2008-01-06 21:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-01-03 05:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-01-02 14:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-01 20:55 --------- d-----w C:\Program Files\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-01 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-01 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\CyberLink
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2007-12-26 04:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 04:08 --------- d-----w C:\Program Files\CyberLink
2007-12-26 04:04 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-10 18:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-10 18:35 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\skypePM
2007-12-10 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-06 18:24 --------- d-----w C:\Program Files\XtenNetworksInc
2007-12-04 21:27 --------- d--h--r C:\Documents and Settings\Tania Billah\Application Data\yahoo!
2007-12-04 21:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-29 01:50 722,176 ----a-w C:\Documents and Settings\Tania Billah\gotomypc_428.exe
2007-07-11 21:20 6,736 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
C:\WINDOWS\system32\rravsqyp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687E22B7-DCE4-4A61-877C-CBCF20A043EC}]
C:\WINDOWS\system32\jkkll.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D561EB-0412-42C6-A987-B83D1BAF180E}]
C:\WINDOWS\system32\vtstu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2007-11-23 23:25 151552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 01:56 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 18:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 07:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-05 13:53 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"Athan"="C:\Program Files\Athan\Athan.exe" [2006-05-23 03:32 974848]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 13:07 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 14:48 32881]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58 696320]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"bm"="C:\Program Files\Common Files\AVSystemCare\bm.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-05-24 08:40:38 1524776]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 13:49:11 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fyamwzsg]
fyamwzsg.dll

R1 ATMDLC;Attachmate DLC Protocol;C:\WINDOWS\system32\DRIVERS\atmdlc.sys [2004-06-14 08:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (TANIABILLAH-Asif Billah).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-01 20:49:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 20:49:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 10:05:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-04 10:05:30
ComboFix-quarantined-files.txt 2008-02-04 18:05:21
ComboFix2.txt 2008-02-04 05:50:44
.
2008-02-01 15:05:19 --- E O F ---

thanks for helping me n whats my next step?


kml


0

Response Number 5
Name: jabuck
Date: February 4, 2008 at 14:40:18 Pacific
Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\rravsqyp.dll
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\vtstu.dll

Driver::
rravsqyp
vtstu
jkkll
fyamwzsg

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{687E22B7-DCE4-4A61-877C-CBCF20A043EC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4D561EB-0412-42C6-A987-B83D1BAF180E}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Please run the BitDefender online scan this link:
Bitdefender Online Scanner

You will need to allow an active x install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Post a log in your reply.

Post a new Combofix log.


0

Related Posts

See More



Response Number 6
Name: kimlee100
Date: February 4, 2008 at 17:50:57 Pacific
Reply:

Here is combofix log:

ComboFix 08-02.03.1 - Tania Billah 2008-02-04 16:33:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.500 [GMT -8:00]
Running from: C:\Documents and Settings\Tania Billah\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tania Billah\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE
C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\rravsqyp.dll
C:\WINDOWS\system32\vtstu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 10:33 . 2008-02-04 10:33 <DIR> d-------- C:\Program Files\Java
2008-02-04 10:33 . 2008-02-04 10:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-04 10:33 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-03 12:02 . 2008-02-03 12:45 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 12:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 12:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 12:01 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 12:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 12:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 12:01 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Documents and Settings\Tania Billah\Application Data\SUPERAntiSpyware.com
2008-02-03 10:58 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 23:45 . 2008-02-03 14:33 <DIR> d-------- C:\VundoFix Backups
2008-02-02 23:11 . 2008-02-02 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-24 14:21 . 2008-01-24 14:21 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-16 11:20 . 2008-02-04 11:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 11:20 . 2008-01-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-06 12:36 . 2008-01-06 12:36 <DIR> d-------- C:\Documents and Settings\Asif Billah\Application Data\SiteAdvisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 00:12 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\SiteAdvisor
2008-02-04 22:21 --------- d-----w C:\Program Files\Interaction Client .NET Edition
2008-02-03 22:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 20:19 146 -c--a-w C:\Documents and Settings\Asif Billah\Application Data\wklnhst.dat
2008-02-03 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 01:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-03 00:11 --------- d-----w C:\Program Files\McAfee
2008-01-28 22:33 --------- d-----w C:\Program Files\VIPdesk IM
2008-01-26 19:23 22,092 -c--a-w C:\Documents and Settings\Tania Billah\Application Data\wklnhst.dat
2008-01-06 21:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-01-03 05:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-01-02 14:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-01 20:55 --------- d-----w C:\Program Files\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-01 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-01 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\CyberLink
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2007-12-26 04:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 04:08 --------- d-----w C:\Program Files\CyberLink
2007-12-26 04:04 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-10 18:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-10 18:35 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\skypePM
2007-12-10 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-06 18:24 --------- d-----w C:\Program Files\XtenNetworksInc
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-29 01:50 722,176 ----a-w C:\Documents and Settings\Tania Billah\gotomypc_428.exe
2007-07-11 21:20 6,736 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2007-11-23 23:25 151552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-29 01:56 761947]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 18:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 07:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-05 13:53 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"Athan"="C:\Program Files\Athan\Athan.exe" [2006-05-23 03:32 974848]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 13:07 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58 696320]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-05-24 08:40:38 1524776]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 13:49:11 24576]

R1 ATMDLC;Attachmate DLC Protocol;C:\WINDOWS\system32\DRIVERS\atmdlc.sys [2004-06-14 08:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (TANIABILLAH-Asif Billah).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-01 20:49:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 20:49:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 16:35:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\NoAds\NoAds.dll
.
Completion time: 2008-02-04 16:36:14
ComboFix-quarantined-files.txt 2008-02-05 00:36:06
ComboFix2.txt 2008-02-04 18:05:31
ComboFix3.txt 2008-02-04 05:50:44
.
2008-02-01 15:05:19 --- E O F ---


And here is bitdefender log:


BitDefender Online Scanner


Scan report generated at: Mon, Feb 04, 2008 - 17:41:46



Scan path: C:\;D:\;




Statistics

Time

00:48:34

Files

200919

Folders

6417

Boot Sectors

4

Archives

4806

Packed Files

10663


Results

Identified Viruses

7

Infected Files

24

Suspect Files

0

Warnings

0

Disinfected

0

Deleted Files

24


Engines Info

Virus Definitions

978926

Engine build

AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

Scan plugins

16

Archive plugins

41

Unpack plugins

7

E-mail plugins

6

System plugins

5


Scan Settings

First Action

Disinfect

Second Action

Delete

Heuristics

Yes

Enable Warnings

Yes

Scanned Extensions

*;

Exclude Extensions

Scan Emails

Yes

Scan Archives

Yes

Scan Packed

Yes

Scan Files

Yes

Scan Boot

Yes



Scanned File

Status

C:\QooBox\Quarantine\C\WINDOWS\system32\drfikupw.dll.vir

Infected with: Trojan.Vundo.DXU

C:\QooBox\Quarantine\C\WINDOWS\system32\drfikupw.dll.vir

Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\fyamwzsg.dll.vir

Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\C\WINDOWS\system32\fyamwzsg.dll.vir

Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\jkkifcc.dll.vir

Infected with: Trojan.Vundo.DXE

C:\QooBox\Quarantine\C\WINDOWS\system32\jkkifcc.dll.vir

Deleted

C:\QooBox\Quarantine\C\WINDOWS\system32\kvpbwgai.dll.vir

Infected with: Trojan.Vundo.DXV

C:\QooBox\Quarantine\C\WINDOWS\system32\kvpbwgai.dll.vir

Deleted

C:\QooBox\Quarantine\catchme2008-02-03_214710.90.zip=>fyamwzsg.dll

Infected with: Trojan.Vundo.DWB

C:\QooBox\Quarantine\catchme2008-02-03_214710.90.zip=>fyamwzsg.dll

Deleted

C:\QooBox\Quarantine\catchme2008-02-03_214710.90.zip

Updated

C:\VundoFix Backups\ajbivmwo.dll.bad

Infected with: Trojan.Vundo.DXU

C:\VundoFix Backups\ajbivmwo.dll.bad

Deleted

C:\VundoFix Backups\cbxusrq.dll.bad

Infected with: Trojan.Vundo.DXE

C:\VundoFix Backups\cbxusrq.dll.bad

Deleted

C:\VundoFix Backups\cgylccev.dll.bad

Infected with: Trojan.Vundo.DWB

C:\VundoFix Backups\cgylccev.dll.bad

Deleted

C:\VundoFix Backups\dcrypjla.dll.bad

Infected with: Trojan.Vundo.DWB

C:\VundoFix Backups\dcrypjla.dll.bad

Deleted

C:\VundoFix Backups\emqmetyd.dll.bad

Infected with: Trojan.Vundo.DWB

C:\VundoFix Backups\emqmetyd.dll.bad

Deleted

C:\VundoFix Backups\fblaivdi.dll.bad

Infected with: Trojan.Vundo.DVC

C:\VundoFix Backups\fblaivdi.dll.bad

Disinfection failed

C:\VundoFix Backups\fblaivdi.dll.bad

Deleted

C:\VundoFix Backups\fernrfkb.dll.bad

Infected with: Trojan.Vundo.DXU

C:\VundoFix Backups\fernrfkb.dll.bad

Deleted

C:\VundoFix Backups\foxhunot.dll.bad

Infected with: Trojan.Vundo.DXU

C:\VundoFix Backups\foxhunot.dll.bad

Deleted

C:\VundoFix Backups\fyamwzsg.dll.bad

Infected with: Trojan.Vundo.DWB

C:\VundoFix Backups\fyamwzsg.dll.bad

Deleted

C:\VundoFix Backups\homqrkqf.dll.bad

Infected with: Trojan.Vundo.DXV

C:\VundoFix Backups\homqrkqf.dll.bad

Deleted

C:\VundoFix Backups\jkkifcc.dll.bad

Infected with: Trojan.Vundo.DXE

C:\VundoFix Backups\jkkifcc.dll.bad

Deleted

C:\VundoFix Backups\jxfojrch.dll.bad

Infected with: Trojan.Vundo.DXS

C:\VundoFix Backups\jxfojrch.dll.bad

Deleted

C:\VundoFix Backups\kvpbwgai.dll.bad

Infected with: Trojan.Vundo.DXV

C:\VundoFix Backups\kvpbwgai.dll.bad

Deleted

C:\VundoFix Backups\pkqdhaio.dll.bad

Infected with: Trojan.Vundo.DXV

C:\VundoFix Backups\pkqdhaio.dll.bad

Deleted

C:\VundoFix Backups\qvewlkey.dll.bad

Infected with: Trojan.Vundo.DXU

C:\VundoFix Backups\qvewlkey.dll.bad

Deleted

C:\VundoFix Backups\sdiudkso.dll.bad

Infected with: Trojan.Vundo.DWB

C:\VundoFix Backups\sdiudkso.dll.bad

Deleted

C:\VundoFix Backups\ssttt.dll.bad

Infected with: Trojan.Vundo.DXG

C:\VundoFix Backups\ssttt.dll.bad

Deleted

C:\VundoFix Backups\xbfprbfb.dll.bad

Infected with: Trojan.Vundo.DWB

C:\VundoFix Backups\xbfprbfb.dll.bad

Deleted

C:\VundoFix Backups\xunvvrab.dll.bad

Infected with: Trojan.Vundo.DVC

C:\VundoFix Backups\xunvvrab.dll.bad

Disinfection failed

C:\VundoFix Backups\xunvvrab.dll.bad

Deleted





kml


0

Response Number 7
Name: jabuck
Date: February 4, 2008 at 19:07:20 Pacific
Reply:

Open Notepad and copy/paste everything between the X"s into it and make sure "Folder::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Folder::
C:\VundoFix Backups
C:\Qoobox

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Is your c: drive icon a red X ?

You should be clean, how is the computer operating?


0

Response Number 8
Name: kimlee100
Date: February 4, 2008 at 22:46:13 Pacific
Reply:

here is combofix log:


ComboFix 08-02.03.1 - Tania Billah 2008-02-04 22:37:29.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.515 [GMT -8:00]
Running from: C:\Documents and Settings\Tania Billah\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tania Billah\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Qoobox
C:\Qoobox\BackEnv\appdata.folder.dat
C:\Qoobox\BackEnv\cache.folder.dat
C:\Qoobox\BackEnv\desktop.folder.dat
C:\Qoobox\BackEnv\favorites.folder.dat
C:\Qoobox\BackEnv\local appdata.folder.dat
C:\Qoobox\BackEnv\local settings.folder.dat
C:\Qoobox\BackEnv\my pictures.folder.dat
C:\Qoobox\BackEnv\personal.folder.dat
C:\Qoobox\BackEnv\profiles.folder.dat
C:\Qoobox\BackEnv\programs.folder.dat
C:\Qoobox\BackEnv\setpath.bat
C:\Qoobox\BackEnv\setpath.dat
C:\Qoobox\BackEnv\start menu.folder.dat
C:\Qoobox\BackEnv\startup.folder.dat
C:\Qoobox\BackEnv\templates.folder.dat
C:\Qoobox\CFScript_used_2008-02-04@10.02.txt
C:\Qoobox\CFScript_used_2008-02-04@16.33.txt
C:\Qoobox\CFScript_used_2008-02-04@22.37.txt
C:\Qoobox\ComboFix-quarantined-files.txt
C:\Qoobox\ComboFix2.txt
C:\Qoobox\ComboFix3.txt
C:\Qoobox\ComboFix4.txt
C:\Qoobox\snapshot@2008-02-03_21.50.13.75.dat
C:\Qoobox\snapshot@2008-02-03_21.50.13.75_B.dat
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\cgylccev.dllbox.bad
C:\VundoFix Backups\emqmetyd.dllbox.bad
C:\VundoFix Backups\fqkrqmoh.ini.bad
C:\VundoFix Backups\fyamwzsg.dllbox.bad
C:\VundoFix Backups\hcrjofxj.ini.bad
C:\VundoFix Backups\hqxxvoyu.dll.bad
C:\VundoFix Backups\iagwbpvk.ini.bad
C:\VundoFix Backups\jkkll.dll.bad
C:\VundoFix Backups\kusmypdb.dll.bad
C:\VundoFix Backups\lbebqaci.dll.bad
C:\VundoFix Backups\llkkj.ini.bad
C:\VundoFix Backups\llkkj.ini2.bad
C:\VundoFix Backups\mhifyajj.dll.bad
C:\VundoFix Backups\vtstu.dll.bad
C:\VundoFix Backups\wspsnrmm.dll.bad
C:\VundoFix Backups\ytfvwnfr.dll.bad

.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.

2008-02-04 19:13 . 2008-02-04 19:13 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-04 16:50 . 2008-02-04 17:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-02-04 16:46 . 2008-02-04 16:46 <DIR> d-------- C:\Program Files\Universal
2008-02-04 10:33 . 2008-02-04 10:33 <DIR> d-------- C:\Program Files\Java
2008-02-04 10:33 . 2008-02-04 10:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-04 10:33 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-02-03 12:02 . 2008-02-03 12:45 4,050 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-03 12:01 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-02-03 12:01 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-02-03 12:01 . 2008-02-02 00:55 83,456 --a------ C:\WINDOWS\system32\VACFix.exe
2008-02-03 12:01 . 2008-01-27 14:37 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-02-03 12:01 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-03 12:01 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-03 10:58 . 2008-02-03 14:40 <DIR> d-------- C:\Documents and Settings\Tania Billah\Application Data\SUPERAntiSpyware.com
2008-02-03 10:58 . 2008-02-03 10:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-02 23:11 . 2008-02-02 23:11 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-24 14:21 . 2008-01-24 14:21 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-16 11:20 . 2008-02-04 11:23 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-16 11:20 . 2008-01-16 11:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini
2008-01-06 12:36 . 2008-01-06 12:36 <DIR> d-------- C:\Documents and Settings\Asif Billah\Application Data\SiteAdvisor

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 06:34 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\SiteAdvisor
2008-02-04 22:21 --------- d-----w C:\Program Files\Interaction Client .NET Edition
2008-02-03 22:40 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-03 20:19 146 -c--a-w C:\Documents and Settings\Asif Billah\Application Data\wklnhst.dat
2008-02-03 01:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-03 01:55 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-02-03 00:11 --------- d-----w C:\Program Files\McAfee
2008-01-28 22:33 --------- d-----w C:\Program Files\VIPdesk IM
2008-01-26 19:23 22,092 -c--a-w C:\Documents and Settings\Tania Billah\Application Data\wklnhst.dat
2008-01-06 21:10 --------- d-----w C:\Program Files\Common Files\NSV
2008-01-03 05:54 --------- d-----w C:\Program Files\SiteAdvisor
2008-01-02 14:08 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-01-01 20:55 --------- d-----w C:\Program Files\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-01-01 20:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-01 20:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-01-01 20:51 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\CyberLink
2007-12-26 04:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Cyberlink
2007-12-26 04:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 04:08 --------- d-----w C:\Program Files\CyberLink
2007-12-26 04:04 --------- d-----w C:\Program Files\Digital Photo Navigator 1.5
2007-12-10 18:35 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-10 18:35 --------- d-----w C:\Documents and Settings\Tania Billah\Application Data\skypePM
2007-12-10 18:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-12-06 18:24 --------- d-----w C:\Program Files\XtenNetworksInc
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-29 01:50 722,176 ----a-w C:\Documents and Settings\Tania Billah\gotomypc_428.exe
2007-07-11 21:20 6,736 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [2007-11-23 23:25 151552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 18:35 397312 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 07:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 17:29 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-05 13:53 98304]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 07:44 81920]
"Athan"="C:\Program Files\Athan\Athan.exe" [2006-05-23 03:32 974848]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-25 13:07 185896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"AIMPro"="C:\Program Files\AIM\AIM Pro\aimpro.exe" [ ]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 17:04 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 16:58 696320]
"EverioService"="C:\Program Files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-22 21:10 151552]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 13:57 36640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2007-05-24 08:40:38 1524776]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-05 13:49:11 24576]

R1 ATMDLC;Attachmate DLC Protocol;C:\WINDOWS\system32\DRIVERS\atmdlc.sys [2004-06-14 08:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 02:30:01 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (TANIABILLAH-Asif Billah).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
"2008-01-01 20:49:49 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 20:49:47 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 22:39:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-04 22:40:11
.
2008-02-01 15:05:19 --- E O F ---

YES drive C does have RED X...and one more strange thing i noticed is in control panel i have this APPN NODE PROPERTIES with red dot with four sides..i never saw that before...plz help me on this too..

otherwise my computer is running fine now all pos files gone no strange pop ups...

Thanks so much for helping


kml


0

Response Number 9
Name: jabuck
Date: February 5, 2008 at 03:39:32 Pacific
Reply:

Your java is out of date and can be exploited.
Download the latest version of java from this link Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.

This should fix the red X.

Go to start> run> type in notepad > ok. Copy paste the following into notepad making [autorun] the very top line:

[autorun]

ICON=C:\WINDOWS\SYSTEM\SHELL32.DLL,8

Click "save as"> then using the drop down arrow on the far right of the "save in" window select Local Disk C: to be displayed in the "save in" window.

Next type "C:\autorun.inf" (you must use the quotes) in the file name window> click save.

Restart the computer.

The control panel icon is most likely SQL a microsoft approved program or VPN but we would need more info to verify that.


0

Response Number 10
Name: jabuck
Date: February 6, 2008 at 15:14:59 Pacific
Reply:

It looks better but there is still so work to do.

First your java must be updated or you will continue to be reinfected as that is how you computer is being attacked. Instructions in response #9.

Go to start> control panel> add/remove programs and uninstall this program if found:

UltimateBuddy

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
-c--a-w 61,879 2007-09-08 03:48:25 C:\Program Files\GameHouse\Incredible Ink\Gamehouse Incredible Ink Trial to Full by Great Elmo!! .exe

File::
C:\Program Files\Uninstall Fun Web Products.dll
C:\WINDOWS\system32\upnwgfpl.dll
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvtt.dll
C:\Program Files\OneStepSearch\onestep.exe

Driver::
OneStep Search Service

Folder::
C:\Program Files\UltimateBuddy
C:\Program Files\OneStepSearch

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54E1409A-68D1-43EF-93D6-5414721BA361}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EC976D09-E645-47B2-BF43-973734BD8782}]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new Combofix log.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.


0

Sponsored Link
Ads by Google
Reply to Message Icon

Virus trouble Rundll32- Bad image



Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.


Go to Security and Virus Forum Home


Sponsored links
Ads by Google


Results for: help with all these pos files
Pos Tmp files and Red X on Drive www.computing.net/answers/security/pos-tmp-files-and-red-x-on-drive/22511.html

help with virus PSW.Agent.H www.computing.net/answers/security/help-with-virus-pswagenth/11371.html

Help with GBDialer removal www.computing.net/answers/security/help-with-gbdialer-removal/17874.html