
Red x on C + pos files


Original Message
Name: dc613
Date: February 11, 2008 at 18:39:30 Pacific
Subject: Red x on C + pos files
OS: XP SP2 Home Edition
CPU/Ram: AMD Athlon 300+/ 1024MB P
Model/Manufacturer: HP Pavilion a420n
Comment:

Several days ago I noticed a significant decrease in system performance. So I went to my hard drive (to access my virus scanner) and I noticed a Red X! I went into the drive and there were THOUSANDS of pos files. So I did some looking around, downloaded some programs recommended to other people with this problem, and tried to fix it. Needless to say it didn't work. For the next few days I did everything I could to get rid of the pos files and the Red X. And only a few hours ago the pos files were deletable and the Red X was gone! (After some extensive "tweaking") But my computer ran slower than usual (but faster than before) and I still received a lot of pop-ups. So I was wondering if the virus is still on my computer and how to finally get rid of it!

Thanks for Reading!



Response Number 1
Name: jabuck
Date: February 11, 2008 at 18:59:51 Pacific
Subject: Red x on C + pos files

Go to this link:

Disable Realtime Protection

Follow their directions to disable any realtime protection that you have as it will interfere with the fix by reinstalling the corrupt files.

Please download Atribune's VundoFix.exe from the following site to your desktop:

Vundofix.exe

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click "yes".

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click "ok".

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.



Response Number 2
Name: dc613
Date: February 11, 2008 at 19:16:35 Pacific
Subject: Red x on C + pos files

Thanks for the speedy reply!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:53 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Program Files\Web Buying\v1.8.8\webbuying.exe
C:\WINDOWS\system32\A?pPatch\w?aclt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Backup\Gran Paradiso\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {0E054CF4-1567-4979-92C5-118FE54F64C3} - (no file)
O2 - BHO: (no name) - {538edf60-fee4-49cd-b408-06efb32eff14} - C:\WINDOWS\system32\vneriah.dll
O2 - BHO: (no name) - {6A37B9C1-0605-00A5-0217-5F00CACE80C5} - (no file)
O2 - BHO: (no name) - {6E32EDC3-5504-00A4-0A17-5F00CACEDACD} - C:\WINDOWS\system32\rssjt.dll
O2 - BHO: (no name) - {A10E80E3-584C-4AFE-A61A-5E56861B7264} - C:\Program Files\Messenger\hyjelipu89104.dll
O2 - BHO: (no name) - {B13DAD40-E67D-4CA2-8DC1-90C5F153E690} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: {a2030b1c-e410-ce98-19b4-ef611e13636c} - {c63631e1-16fe-4b91-89ec-014ec1b0302a} - C:\WINDOWS\system32\jhkplign.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [3c59231a] rundll32.exe "C:\WINDOWS\system32\oxycrmjk.dll",b
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [Rzmounjc] C:\WINDOWS\system32\A?pPatch\w?aclt.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

--
End of file - 2717 bytes

ComboFix 08-02-12.1 - Owner 2008-02-11 21:08:13.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.639 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sffpssdd.sys
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\AVSystemCare
C:\Documents and Settings\Owner\Application Data\AVSystemCare\Logs\threats.log
C:\Documents and Settings\Owner\Application Data\AVSystemCare\Logs\update.log
C:\Documents and Settings\Owner\Application Data\AVSystemCare\PGE.dat
C:\Documents and Settings\Owner\Application Data\MBOLS~1
C:\Documents and Settings\Owner\ResErrors.log
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\ystem3~1
C:\Program Files\Common Files\ystem3~1\?ystem32\
C:\Program Files\Common Files\ystem3~1\smss.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.8\wbuninst.exe
C:\Program Files\web buying\v1.8.8\webbuying.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\ac1
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\appatc~1\w?aclt.exe
C:\WINDOWS\system32\bhlulpfd.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\sffpssdd.sys
C:\WINDOWS\system32\hcovfomp.ini
C:\WINDOWS\system32\kjmrcyxo.ini
C:\WINDOWS\system32\liytjuss.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlnmp.ini
C:\WINDOWS\system32\mlnmp.ini2
C:\WINDOWS\system32\mniljhqw.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\oxycrmjk.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pfendxrk.ini
C:\WINDOWS\system32\pmofvoch.dll
C:\WINDOWS\system32\rssjt.dll
C:\WINDOWS\system32\tuvwwtr.dll
C:\WINDOWS\system32\v9
C:\WINDOWS\system32\v9\rabs2135.exe
C:\WINDOWS\system32\vneriah.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wscomejb.dll
C:\WINDOWS\uninstall_nmon.vbs
E:\Autorun.inf
F:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_SFFPSSDD
-------\cmdService
-------\sffpssdd


((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-11 19:27 . 2008-02-11 19:27 3,832,374 --a------ C:\C w normal settings V.bmp
2008-02-11 19:27 . 2008-02-11 19:27 3,832,374 --a------ C:\C in DM NV.bmp
2008-02-11 19:26 . 2008-02-11 19:26 3,832,374 --a------ C:\C in DM.bmp
2008-02-11 19:08 . 2008-02-11 19:27 3,832,374 --a------ C:\C w normal settings.bmp
2008-02-11 07:12 . 2008-02-11 07:12 <DIR> d-------- C:\VundoFix Backups
2008-02-11 06:48 . 2008-02-11 06:48 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-11 06:25 . 2008-02-11 06:25 0 --a------ C:\WINDOWS\system32\lgkdvgjc.dll.vir
2008-02-11 00:32 . 2008-02-11 00:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-11 00:32 . 2008-02-11 00:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-10 11:16 . 2008-02-10 11:16 72,566 --a------ C:\WINDOWS\system32\GameFly_2.ico
2008-02-10 10:54 . 2008-02-10 10:54 <DIR> d-------- C:\WINDOWS\system32\wd11
2008-02-10 10:54 . 2008-02-10 15:34 <DIR> d-------- C:\WINDOWS\system32\vb6
2008-02-10 10:54 . 2008-02-10 10:54 <DIR> d-------- C:\WINDOWS\system32\kp9
2008-02-10 10:54 . 2008-02-10 10:54 <DIR> d-------- C:\Program Files\xInsIDE
2008-02-10 10:54 . 2008-02-10 10:54 40,960 --a------ C:\WINDOWS\system32\khfcyab.dll.vir
2008-02-10 02:21 . 2008-02-11 06:25 144 --a------ C:\WINDOWS\wininit.ini
2008-02-10 02:21 . 2008-02-10 02:21 0 --a------ C:\WINDOWS\system32\lwukbsuk.dll.vir
2008-02-09 20:08 . 2008-02-09 20:08 <DIR> d-------- C:\Program Files\VUGames
2008-02-09 18:48 . 2008-02-09 18:48 <DIR> d-------- C:\Program Files\America's Army Server Manager
2008-02-09 18:43 . 2008-02-09 18:43 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-02-09 18:43 . 2008-02-09 18:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
2008-02-09 16:02 . 2008-02-09 16:02 <DIR> d-------- C:\Program Files\NovaLogic
2008-02-09 01:49 . 2008-02-09 01:49 <DIR> d-------- C:\Program Files\Panicware
2008-02-09 01:32 . 2008-02-09 01:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert
2008-02-09 01:25 . 2008-02-09 01:25 163,904 --a------ C:\WINDOWS\system32\zxugnfvi.dll.vir
2008-02-08 20:48 . 2008-02-08 20:48 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-08 20:04 . 2008-02-08 20:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-07 16:06 . 2008-02-07 16:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-07 06:52 . 2008-02-07 06:52 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-07 06:51 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-07 06:49 . 2008-02-07 06:51 <DIR> d-------- C:\Program Files\RABCO
2008-02-07 06:49 . 2008-02-07 06:49 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-07 06:49 . 2008-02-07 06:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-07 06:49 . 2008-02-07 06:49 36,864 --a------ C:\WINDOWS\mrofinu1000106.exe.tmp
2008-02-07 06:48 . 2008-02-07 06:48 <DIR> d-------- C:\WINDOWS\system32\wb3
2008-02-07 06:48 . 2008-02-08 16:52 <DIR> d-------- C:\WINDOWS\system32\rp4
2008-02-07 06:48 . 2008-02-07 06:48 <DIR> d-------- C:\WINDOWS\system32\ps5
2008-02-07 06:48 . 2008-02-08 16:52 <DIR> d-------- C:\WINDOWS\system32\cz6
2008-02-07 06:45 . 2008-02-10 10:54 36,864 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-02-06 18:48 . 2008-02-06 18:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-02-06 18:47 . 2008-02-06 18:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LucasArts
2008-02-06 18:47 . 2008-02-06 18:47 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-02-06 18:40 . 2008-02-06 18:40 <DIR> d-------- C:\Program Files\LucasArts
2008-02-06 17:37 . 2008-02-06 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-02-06 16:58 . 2008-02-06 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-02-06 16:48 . 2008-02-06 16:48 <DIR> d-------- C:\WINDOWS\system32\EVGA
2008-02-03 20:00 . 2008-02-03 20:00 <DIR> d-------- C:\Program Files\Realtek AC97
2008-01-27 01:36 . 2008-01-27 01:36 <DIR> d-------- C:\Program Files\VIA
2008-01-27 01:13 . 2008-01-27 01:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-01-24 22:28 . 2008-01-24 22:28 <DIR> d-------- C:\Program Files\Miscsoftware.com
2008-01-22 20:17 . 2008-01-22 20:17 <DIR> d-------- C:\Program Files\Maxis
2008-01-22 20:17 . 2008-01-22 20:17 533 --a------ C:\WINDOWS\eReg.dat
2008-01-21 15:18 . 2008-01-21 15:19 691 --a------ C:\WINDOWS\starflight.ini
2008-01-21 14:50 . 2008-01-21 14:50 233,472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-01-21 14:50 . 2008-01-21 14:50 81,920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-01-20 18:10 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-01-20 18:09 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2008-01-20 18:09 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
2008-01-20 18:09 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
2008-01-20 18:09 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2008-01-20 18:09 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2008-01-20 18:09 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
2008-01-20 17:28 . 2008-01-20 17:29 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-01-18 17:25 . 2008-01-18 17:25 <DIR> d-------- C:\Program Files\ArtMoney
2008-01-18 03:01 . 2008-01-18 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-17 15:23 . 2008-01-17 15:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-17 15:21 . 2008-01-17 15:21 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-17 06:15 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-16 22:51 . 2008-01-16 22:51 <DIR> d-------- C:\WINDOWS\Sun
2008-01-16 21:04 . 2008-01-19 03:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-16 20:56 . 2008-01-16 20:56 <DIR> d-------- C:\Program Files\iTunes
2008-01-16 20:56 . 2008-01-16 20:56 <DIR> d-------- C:\Program Files\iPod
2008-01-16 20:56 . 2008-01-16 20:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-16 20:55 . 2008-01-16 20:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-16 20:55 . 2008-01-16 20:56 <DIR> d-------- C:\Program Files\QuickTime
2008-01-16 20:55 . 2008-01-16 20:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-16 20:55 . 2008-01-16 20:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-16 20:55 . 2008-01-16 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-16 20:55 . 2008-01-16 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-16 20:04 . 2008-01-16 20:04 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-16 20:01 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\[u]0[/u]02248_.tmp
2008-01-16 20:00 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-16 19:58 . 2008-01-16 19:58 <DIR> d-------- C:\WINDOWS\EHome
2008-01-15 15:57 . 2008-02-10 17:41 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-15 15:56 . 2008-01-15 15:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-15 15:56 . 2008-02-10 17:41 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-01-15 15:56 . 2008-02-09 22:20 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-01-15 15:34 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-15 15:34 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-14 22:23 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-14 18:47 . 2008-01-14 18:47 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-14 18:39 . 2006-06-14 02:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-01-14 18:39 . 2006-02-14 18:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-01-14 18:39 . 2006-06-14 03:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-01-14 18:39 . 2004-08-03 23:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-01-14 18:39 . 2001-08-17 16:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-01-14 18:39 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-01-14 18:39 . 2001-08-17 16:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-14 18:39 . 2006-06-14 02:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-01-14 18:39 . 2004-08-03 23:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 02:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 06:18 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-09 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-09 06:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-01-21 00:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-14 23:47 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-14 23:46 4,110 --sha-r C:\WINDOWS\system32\drivers\HP_DQ175A-ABA A420N_YC_Pavi_QMXK404_E41NAheBLU4_4_IKamet2_SASUSTek Computer INC._V2.01_B3.06_T031219_WXH1_L409_M960_J164_7AMD_8Athlon XP 3000+_92.16_111063044_N11063065_P_Z11C1044C_K_A11063059_U11063038_G11067205_O_DHWP264E.MRK
2007-11-13 19:45 806,912 ----a-w C:\WINDOWS\boinc.scr
.
[code]


----a-w 267,048 2008-01-12 10:17:38 C:\Documents and Settings\Owner\Desktop\iTunes\iTunesHelper .exe
[/code]


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A10E80E3-584C-4AFE-A61A-5E56861B7264}]
2008-02-07 19:07 217088 --a------ C:\Program Files\Messenger\hyjelipu89104.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B13DAD40-E67D-4CA2-8DC1-90C5F153E690}]
C:\WINDOWS\system32\jkkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c63631e1-16fe-4b91-89ec-014ec1b0302a}]
C:\WINDOWS\system32\jhkplign.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xInsIDE"="C:\Program Files\xInsIDE\xInsIDE.exe" [2008-02-10 10:54 57344]
"Rzmounjc"="C:\WINDOWS\system32\A?pPatch\w?aclt.exe" [ ]
"RecordNow!"="" []
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10 536576]
"Notn"="C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe" [ ]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"srservice"=2 (0x2)
"ShellHWDetection"=2 (0x2)

S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 03:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 03:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-11 09:00:01 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-02-06 19:56:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-14 23:47:15 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 21:11:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2008-02-11 21:12:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 03:12:42
.
2008-02-09 21:33:05 --- E O F ---


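To show the kind of triage the helper does by eye on the HijackThis log above, here is an added Python example (not part of this thread and not HijackThis code) that runs a few of those checks over lines copied from the log: BHO registrations with no DLL on disk, a core process name running outside System32, paths with characters the logger rendered as `?`, randomly named DLLs loaded through rundll32 at logon, and services with an unknown owner whose binary is gone. The sample lines are taken from the log above; the heuristics and thresholds are the example's own assumptions.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re

# Core Windows binaries that are legitimate only under %SystemRoot%\System32.
CORE_SYSTEM32 = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "csrss.exe"}

RE_PATH = re.compile(r"^[A-Za-z]:\\")                      # "Running processes" lines
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RE_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{3}")


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1]


def in_system32(path: str) -> bool:
    parent = path.strip('"').rsplit("\\", 1)[0].lower()
    return parent.endswith("\\windows\\system32")


def looks_random(filename: str) -> bool:
    """Heuristic (assumption): an all-lowercase stem of 5-9 letters containing a run of
    three consonants, e.g. oxycrmjk or rssjt. Vendor DLLs mostly carry capitals or digits."""
    stem = filename.rsplit(".", 1)[0]
    return (5 <= len(stem) <= 9 and stem.isalpha() and stem.islower()
            and CONSONANT_RUN.search(stem) is not None)


def executable(cmd: str) -> str:
    """The program part of an autorun command: a quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def check_binary(path: str) -> list:
    reasons = []
    if "?" in path:
        # HijackThis prints characters outside the ANSI code page as '?':
        # the folder only looks like AppPatch / the file only looks like wuauclt.exe.
        reasons.append("path contains characters the logger could not render (look-alike name)")
    name = basename(path)
    if name.lower() in CORE_SYSTEM32 and not in_system32(path):
        reasons.append(f"{name} running outside System32 (masquerading as a core process)")
    return reasons


def triage(line: str) -> list:
    """Reasons this log line deserves a second look; an empty list means nothing was flagged."""
    line = line.strip()
    reasons = []
    if RE_PATH.match(line):
        reasons += check_binary(line)
    elif (m := RE_O2.match(line)):
        if "(no file)" in m["path"] or "(file missing)" in m["path"]:
            reasons.append("BHO registration with no DLL on disk (orphaned CLSID)")
        elif m["name"] == "(no name)" and looks_random(basename(m["path"])):
            reasons.append("unnamed BHO loading a randomly named DLL")
    elif (m := RE_O4.match(line)):
        if re.fullmatch(r"[0-9a-f]{8}", m["name"]):
            reasons.append("autorun value name is a random hex string")
        reasons += check_binary(executable(m["cmd"]))
        d = RE_RUNDLL.match(m["cmd"])
        if d and looks_random(basename(d["dll"])):
            reasons.append("rundll32 loading a randomly named DLL at logon")
    elif (m := RE_O23.match(line)):
        if m["owner"] == "Unknown owner" and "(file missing)" in m["path"]:
            reasons.append("service with unknown owner whose binary is gone")
    return reasons


def triage_log(lines) -> list:
    """(line, reasons) for every line that trips at least one check."""
    return [(ln.strip(), triage(ln)) for ln in lines if triage(ln)]


# Sample lines copied from the HijackThis log in this thread (legitimate ones included).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\A?pPatch\w?aclt.exe
C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {6E32EDC3-5504-00A4-0A17-5F00CACEDACD} - C:\WINDOWS\system32\rssjt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [3c59231a] rundll32.exe "C:\WINDOWS\system32\oxycrmjk.dll",b
O4 - HKCU\..\Run: [Rzmounjc] C:\WINDOWS\system32\A?pPatch\w?aclt.exe
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe" -vt yazb
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The legitimate NVIDIA, PunkBuster-style and System32 entries pass clean, which is the point: a heuristic triage should narrow the list the helper reads, not replace reading it.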

Response Number 3
Name: jabuck
Date: February 11, 2008 at 20:10:51 Pacific
Subject: Red x on C + pos files

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::

----a-w 267,048 2008-01-12 10:17:38 C:\Documents and Settings\Owner\Desktop\iTunes\iTunesHelper .exe

File::
C:\WINDOWS\system32\lgkdvgjc.dll.vir
C:\WINDOWS\system32\GameFly_2.ico
C:\WINDOWS\system32\khfcyab.dll.vir
C:\WINDOWS\system32\lwukbsuk.dll.vir
C:\WINDOWS\system32\zxugnfvi.dll.vir
C:\WINDOWS\mrofinu1000106.exe.tmp
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\[u]0[/u]02248_.tmp
C:\WINDOWS\system32\jhkplign.dll
C:\WINDOWS\system32\jkkjj.dll
C:\Program Files\Messenger\hyjelipu89104.dll
C:\Program Files\xInsIDE\xInsIDE.exe

Folder::
C:\WINDOWS\system32\wd11
C:\WINDOWS\system32\vb6
C:\WINDOWS\system32\kp9
C:\WINDOWS\system32\wb3
C:\WINDOWS\system32\rp4
C:\WINDOWS\system32\ps5
C:\WINDOWS\system32\cz6
C:\Program Files\xInsIDE

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A10E80E3-584C-4AFE-A61A-5E56861B7264}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B13DAD40-E67D-4CA2-8DC1-90C5F153E690}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c63631e1-16fe-4b91-89ec-014ec1b0302a}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xInsIDE"=-
"Rzmounjc"=-
"Notn"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Download ATF Cleaner from this link:
ATF Cleaner

Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Post a new Hijack This log and a new Combofix log.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended
Scan Options:
Scan Archives
Scan Mail Base
Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.



Response Number 4
Name: dc613
Date: February 11, 2008 at 20:40:28 Pacific
Subject: Red x on C + pos files

Thanks again for the speedy response.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:14 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Backup\Gran Paradiso\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe

--
End of file - 1301 bytes

ComboFix 08-02-12.1 - Owner 2008-02-11 22:26:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.721 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-11 22:11 . 2008-02-11 22:11 <DIR> d-------- C:\Program Files\RamBooster 2.0
2008-02-11 19:27 . 2008-02-11 19:27 3,832,374 --a------ C:\C w normal settings V.bmp
2008-02-11 19:27 . 2008-02-11 19:27 3,832,374 --a------ C:\C in DM NV.bmp
2008-02-11 19:26 . 2008-02-11 19:26 3,832,374 --a------ C:\C in DM.bmp
2008-02-11 19:08 . 2008-02-11 19:27 3,832,374 --a------ C:\C w normal settings.bmp
2008-02-11 07:12 . 2008-02-11 07:12 <DIR> d-------- C:\VundoFix Backups
2008-02-11 06:48 . 2008-02-11 06:48 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-11 00:32 . 2008-02-11 00:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-11 00:32 . 2008-02-11 00:32 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-10 02:21 . 2008-02-11 06:25 144 --a------ C:\WINDOWS\wininit.ini
2008-02-09 20:08 . 2008-02-09 20:08 <DIR> d-------- C:\Program Files\VUGames
2008-02-09 18:48 . 2008-02-09 18:48 <DIR> d-------- C:\Program Files\America's Army Server Manager
2008-02-09 18:43 . 2008-02-09 18:43 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-02-09 18:43 . 2008-02-09 18:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SystemRequirementsLab
2008-02-09 16:02 . 2008-02-09 16:02 <DIR> d-------- C:\Program Files\NovaLogic
2008-02-09 01:49 . 2008-02-09 01:49 <DIR> d-------- C:\Program Files\Panicware
2008-02-09 01:32 . 2008-02-09 01:32 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert
2008-02-08 20:48 . 2008-02-08 20:48 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-02-08 20:04 . 2008-02-08 20:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-07 16:06 . 2008-02-07 16:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-07 06:52 . 2008-02-07 06:52 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-02-07 06:51 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-02-07 06:49 . 2008-02-07 06:51 <DIR> d-------- C:\Program Files\RABCO
2008-02-07 06:49 . 2008-02-07 06:49 <DIR> d-------- C:\Program Files\Drmupgds
2008-02-07 06:49 . 2008-02-07 06:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-06 18:48 . 2008-02-06 18:48 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-02-06 18:47 . 2008-02-06 18:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LucasArts
2008-02-06 18:47 . 2008-02-06 18:47 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-02-06 18:40 . 2008-02-06 18:40 <DIR> d-------- C:\Program Files\LucasArts
2008-02-06 17:37 . 2008-02-06 17:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-02-06 16:58 . 2008-02-06 16:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-02-06 16:48 . 2008-02-06 16:48 <DIR> d-------- C:\WINDOWS\system32\EVGA
2008-02-03 20:00 . 2008-02-03 20:00 <DIR> d-------- C:\Program Files\Realtek AC97
2008-01-27 01:36 . 2008-01-27 01:36 <DIR> d-------- C:\Program Files\VIA
2008-01-27 01:13 . 2008-01-27 01:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-01-24 22:28 . 2008-01-24 22:28 <DIR> d-------- C:\Program Files\Miscsoftware.com
2008-01-22 20:17 . 2008-01-22 20:17 <DIR> d-------- C:\Program Files\Maxis
2008-01-22 20:17 . 2008-01-22 20:17 533 --a------ C:\WINDOWS\eReg.dat
2008-01-21 15:18 . 2008-01-21 15:19 691 --a------ C:\WINDOWS\starflight.ini
2008-01-21 14:50 . 2008-01-21 14:50 233,472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-01-21 14:50 . 2008-01-21 14:50 81,920 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-01-20 18:10 . 2006-08-01 15:02 49,152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-01-20 18:09 . 2006-12-08 15:20 10,528,768 --a------ C:\WINDOWS\system32\RTLCPL.exe
2008-01-20 18:09 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soundman.exe
2008-01-20 18:09 . 2006-07-31 11:19 315,392 --a------ C:\WINDOWS\alcupd.exe
2008-01-20 18:09 . 2006-07-31 11:27 217,088 --a------ C:\WINDOWS\Alcrmv.exe
2008-01-20 18:09 . 2006-10-18 02:53 147,456 --a------ C:\WINDOWS\system32\RtlCPAPI.dll
2008-01-20 18:09 . 2002-02-05 13:54 141,016 --a------ C:\WINDOWS\system32\alsndmgr.wav
2008-01-20 17:28 . 2008-01-20 17:29 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2008-01-18 17:25 . 2008-01-18 17:25 <DIR> d-------- C:\Program Files\ArtMoney
2008-01-18 03:01 . 2008-01-18 03:01 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-17 15:23 . 2008-01-17 15:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2008-01-17 15:21 . 2008-01-17 15:21 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-01-17 06:15 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-01-16 22:51 . 2008-01-16 22:51 <DIR> d-------- C:\WINDOWS\Sun
2008-01-16 21:04 . 2008-01-19 03:01 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-01-16 20:56 . 2008-01-16 20:56 <DIR> d-------- C:\Program Files\iTunes
2008-01-16 20:56 . 2008-01-16 20:56 <DIR> d-------- C:\Program Files\iPod
2008-01-16 20:56 . 2008-01-16 20:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-01-16 20:55 . 2008-01-16 20:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-16 20:55 . 2008-01-16 20:56 <DIR> d-------- C:\Program Files\QuickTime
2008-01-16 20:55 . 2008-01-16 20:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-01-16 20:55 . 2008-01-16 20:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-01-16 20:55 . 2008-01-16 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-16 20:55 . 2008-01-16 20:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-01-16 20:04 . 2008-01-16 20:04 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-01-16 20:01 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002248_.tmp
2008-01-16 20:00 . 2005-06-28 10:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-16 19:58 . 2008-01-16 19:58 <DIR> d-------- C:\WINDOWS\EHome
2008-01-15 15:57 . 2008-02-10 17:41 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-15 15:56 . 2008-01-15 15:56 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-15 15:56 . 2008-02-10 17:41 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2008-01-15 15:56 . 2008-02-09 22:20 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2008-01-15 15:34 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-15 15:34 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-14 22:23 . 2004-08-04 00:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-01-14 18:47 . 2008-01-14 18:47 0 --a------ C:\WINDOWS\nsreg.dat
2008-01-14 18:39 . 2006-06-14 02:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-01-14 18:39 . 2006-02-14 18:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-01-14 18:39 . 2006-06-14 03:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-01-14 18:39 . 2004-08-03 23:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-01-14 18:39 . 2001-08-17 16:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-01-14 18:39 . 2004-08-03 23:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-01-14 18:39 . 2001-08-17 16:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-01-14 18:39 . 2006-06-14 02:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-01-14 18:39 . 2004-08-03 23:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-01-14 18:38 . 2004-08-03 23:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2008-01-14 18:38 . 2004-08-03 23:15 145,792 --a--c--- C:\WINDOWS\system32\dllcache\portcls.sys
2008-01-14 18:38 . 2004-08-03 23:10 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-01-14 18:38 . 2004-08-03 23:08 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2008-01-14 18:38 . 2004-08-03 23:08 60,288 --a--c--- C:\WINDOWS\system32\dllcache\drmk.sys
2008-01-14 18:38 . 2001-08-17 15:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-01-14 18:10 . 2008-02-09 01:20 246 --a------ C:\WINDOWS\system\hpsysdrv.dat
2008-01-14 18:00 . 2008-02-11 22:16 <DIR> d-a------ C:\Program Files
2008-01-14 18:00 . 2008-01-14 18:07 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-01-14 17:59 . 2008-02-11 07:12 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2008-01-14 17:48 . 2008-02-09 18:48 <DIR> d-------- C:\Backup
2008-01-14 17:46 . 2008-01-14 17:46 4,110 -rahs---- C:\WINDOWS\system32\drivers\HP_DQ175A-ABA A420N_YC_Pavi_QMXK404_E41NAheBLU4_4_IKamet2_SASUSTek Computer INC._V2.01_B3.06_T031219_WXH1_L409_M960_J164_7AMD_8Athlon XP 3000+_92.16_111063044_N11063065_P_Z11C1044C_K_A11063059_U11063038_G11067205_O_DHWP264E.MRK
2008-01-14 17:44 . 2003-10-10 23:19 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\WINDOWS
2008-01-14 17:43 . 2008-01-14 17:43 <DIR> d-------- C:\Program Files\ArcSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 02:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 06:18 --------- d-----w C:\Program Files\Hewlett-Packard
2008-02-09 06:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-09 06:11 --------- d-----w C:\Documents and Settings\Owner\Application Data\interMute
2008-01-21 00:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-14 23:47 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-14 23:46 4,110 --sha-r C:\WINDOWS\system32\drivers\HP_DQ175A-ABA A420N_YC_Pavi_QMXK404_E41NAheBLU4_4_IKamet2_SASUSTek Computer INC._V2.01_B3.06_T031219_WXH1_L409_M960_J164_7AMD_8Athlon XP 3000+_92.16_111063044_N11063065_P_Z11C1044C_K_A11063059_U11063038_G11067205_O_DHWP264E.MRK
2007-11-13 19:45 806,912 ----a-w C:\WINDOWS\boinc.scr
.
[code]
----a-w 267,048 2008-01-12 10:17:38 C:\Documents and Settings\Owner\Desktop\iTunes\iTunesHelper .exe
[/code]


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10 536576]
"AdwareAlert"="C:\Program Files\AdwareAlert\AdwareAlert.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"srservice"=2 (0x2)
"ShellHWDetection"=2 (0x2)

S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-07-30 03:15]
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-07-30 03:15]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-11 09:00:01 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-02-06 19:56:23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-14 23:47:15 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Easy Internet signup\HPSdpApp.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 22:27:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 22:28:00
ComboFix-quarantined-files.txt 2008-02-12 04:27:44
ComboFix2.txt 2008-02-12 04:18:50
ComboFix3.txt 2008-02-12 03:12:45
.
2008-02-09 21:33:05 --- E O F ---

Regarding the Kaspersky Scanner: I can't click the accept button. No, I'm not running IE7; I'm running Mozilla Firefox 3 Beta 2.




Response Number 5
Name: jabuck
Date: February 12, 2008 at 03:35:21 Pacific
Subject: Red x on C + pos files
Reply: (edit)

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RenV::
----a-w 267,048 2008-01-12 10:17:38 C:\Documents and Settings\Owner\Desktop\iTunes\iTunesHelper .exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop). If ComboFix does not auto-start, click "run".

Post a new Combofix log.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

You will need to allow an ActiveX install for the scan to run.
Leave the scanning options at default and press "click here to scan".
When finished scanning, click on "click here to export the scan report".
Save it to your desktop; at "file name" type in "bdscan", then click save.
Post a log in your reply.


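Added example, not code from the post or from ComboFix: a small Python checker that scans ComboFix-style file-listing lines for the name pattern jabuck singled out above (whitespace between the base name and the extension, as in "iTunesHelper .exe") and emits a RenV:: block in the same shape as the script between the X's. The sample log lines are constructed; the assumption that RenV:: takes the log line verbatim follows the posted script.

```python
import re
from typing import List, Optional

# Constructed sample lines in the two ComboFix listing formats seen in the log above:
# "date time . date time size attrs path" and "attrs size date time path".
SAMPLE_LOG = """\
2008-01-21 14:50 . 2008-01-21 14:50 81,920 --a------ C:\\WINDOWS\\system32\\OpenAL32.dll
----a-w 267,048 2008-01-12 10:17:38 C:\\Documents and Settings\\Owner\\Desktop\\iTunes\\iTunesHelper .exe
----a-w 40,960 2008-02-01 09:00:00 C:\\Documents and Settings\\Owner\\Desktop\\notepad .exe
2008-01-14 22:23 . 2004-08-04 00:56 221,184 --a------ C:\\WINDOWS\\system32\\wmpns.dll
"""

# The path is everything from the first drive letter to the end of the line.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?)\s*$")
# One or more spaces between the base name and a short extension ("name .exe").
# Such names are listed separately by ComboFix and are what the RenV:: directive renames.
SPACED_EXT_RE = re.compile(r"\S\s+\.[A-Za-z0-9]{1,4}$")


def extract_path(line: str) -> Optional[str]:
    """Return the Windows path at the end of a ComboFix listing line, or None."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def is_spaced_extension(path: str) -> bool:
    """True when the file name has whitespace before its extension."""
    name = path.rsplit("\\", 1)[-1]
    return bool(SPACED_EXT_RE.search(name))


def flag_lines(log: str) -> List[str]:
    """Return the log lines whose file name shows the spaced-extension pattern."""
    flagged = []
    for line in log.splitlines():
        path = extract_path(line)
        if path and is_spaced_extension(path):
            flagged.append(line.rstrip())
    return flagged


def build_cfscript(flagged: List[str]) -> str:
    """Build the RenV:: block with each flagged log line copied verbatim (assumed format)."""
    if not flagged:
        return ""
    return "RenV::\n" + "\n".join(flagged) + "\n\n"


if __name__ == "__main__":
    print(build_cfscript(flag_lines(SAMPLE_LOG)), end="")
```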


Response Number 6
Name: Bob2th
Date: February 25, 2008 at 08:15:07 Pacific
Subject: Red x on C + pos files
Reply: (edit)

My main computer in a workgroup network was infected with Vundo, Zlob, thousands of pos.tmp files and a red x on the C drive icon... VundoFix and ComboFix completely cleaned it up... however, a minor problem developed... Our data is stored using Microsoft SQL Server... the workstations cannot access the server database, with an error message saying to "make sure the firewalls on your network are set to allow SQL Server traffic on TCP port 1433 and UDP port 1434"... We set up "exceptions" in the firewall for this, but it didn't work... A temporary solution was to turn off the firewall... but that's not a good long term solution... any ideas??

