lots of pos?.tmp files in my cdrive

January 1, 2009 at 10:24:19
Specs: Windows XP
There are lots of pos?.tmp files in my C drive; I can't get rid of them. Also, my local disk (C:) is marked with a big X. Please help. Thanks.




#1
January 1, 2009 at 10:54:12
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file, and then the log will open in Notepad.
7. Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.



#2
January 1, 2009 at 12:05:01
Okay, so I downloaded Malwarebytes, but it's not opening?


#3
January 1, 2009 at 12:11:08
Click on Start, click Run, then type devmgmt.msc and click OK.
On the View menu, click on Show hidden devices.
Browse to Non-Plug and Play Drivers and click the + sign to the left; you should see something like TDSSserv.sys in that list.
Highlight that driver, right click on it and select DISABLE - NOT uninstall.
Now RESTART your computer.

Go to Start > Control Panel > Add/Remove Programs and uninstall Malwarebytes if found.

This way of downloading Malwarebytes is different as you will need to rename it before you download it.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, in the filename box rename mbam-setup.exe to tool.exe, then click Save.

1. Double click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy & paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file, and then the log will open in Notepad.
7. Click on "Edit > Select All", then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

If Malwarebytes installed but will not run, navigate to this folder:

C:\Program Files\Malwarebytes' Anti-Malware

Rename all the .exe files in the Malwarebytes' Anti-Malware folder and try to run it again.

For HijackThis, if it will not run, rename the HijackThis.exe file to somethingelse.exe and try installing it again.



#4
January 1, 2009 at 12:41:16
mbam-log

Malwarebytes' Anti-Malware 1.31
Database version: 1590
Windows 5.1.2600 Service Pack 2

1/1/2009 12:35:08 PM
mbam-log-2009-01-01 (12-35-08).txt

Scan type: Quick Scan
Objects scanned: 58811
Time elapsed: 8 minute(s), 13 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 6
Registry Data Items Infected: 1
Folders Infected: 10
Files Infected: 80

Memory Processes Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\lfsykbtl.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\antiviruspro2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MPMFC1 (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\aldd (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dot1XCfg (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Registry Defender (Rogue.Registry.Defender) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\acee2785 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus pro 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ADP (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\SalesMon (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMon\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Dot1XCfg (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Storageprotector (Rogue.Storageprotector) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Storageprotector\Data (Rogue.Storageprotector) -> Quarantined and deleted successfully.
C:\WINDOWS\Search And Destroy (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\alcdqgtc.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dxljyvmg.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\epxwkfbd.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ibderzdl.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihofdidy.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iunkckbp.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lfsykbtl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ltbkysfl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mfqcrets.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qmjhhmht.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\raelgprm.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\trbztrll.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vgjyhvor.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vokrrhxn.dllbox (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wmylkglg.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\glgklymw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\japiaxol.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcqlgaxn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ptoyfwgb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rfagacti.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSarxx.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSScfmm.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSoiqh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSvkql.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wftccxyg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\evdpvjlk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nkttrhtt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\windows (Trojan.Zapchast) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\karna.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xxkkteyj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\laxdbysk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\loyqqmqo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mvxmlqwx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmqlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\mofugclq.exe (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\TMP3203.tmp (Rogue.MalwareAlarm) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\uninstall.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\qrjatydi.exe (Rogue.WinPCDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\TDSS1e00.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Dot1XCfg\Dot1XCfg.exe.lzma (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Storageprotector\Data\ac (Rogue.Storageprotector) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Storageprotector\Data\em (Rogue.Storageprotector) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Storageprotector\Data\oid (Rogue.Storageprotector) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Storageprotector\Data\user (Rogue.Storageprotector) -> Quarantined and deleted successfully.
C:\WINDOWS\Search And Destroy\uninstall.exe (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro2009\Uninstall.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\b.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSlxcp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00B14C.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
C:\WINDOWS\Search And Destroy Setup Log.txt (Rogue.SearchAndDestroy) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcYpmmk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMafdd1419.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMafdd1419.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\brastk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wini10894.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\user\Local Settings\Temp\_A00F658719E1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\Help and Support Center.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\wrdwn3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\wrdwn6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\wrdwn8 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\wrdwn9 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\TDSS1da6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSkkai.log (Trojan.TDSS) -> Quarantined and deleted successfully.


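As an added example (not part of this thread and not Malwarebytes' own code), the following Python parses MBAM 1.x log lines of the shape shown above into records and pulls out what a responder checks first: how the hits split across classifications, which items were only scheduled for deletion on reboot (lfsykbtl.dll and brastk.exe here, so a second scan after the restart is needed to confirm they are gone), and which detections sit under system32\drivers, where the fake svchost.exe and beep.sys were dropped. The sample log is a constructed excerpt of the posted log, not the full file.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed excerpt in the shape of an MBAM 1.x mbam-log-*.txt: section
# headers end with ':' and each detection is '<item> (<family>) -> <action>.'
# The lines are copied from the log posted above; this is not the full file.
SAMPLE_LOG = """\
Memory Modules Infected:
C:\\WINDOWS\\system32\\lfsykbtl.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\drivers\\TDSSmqlt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\drivers\\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\brastk.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\beep.sys (Fake.Beep.Sys) -> Quarantined and deleted successfully.
"""


class Detection(NamedTuple):
    section: str   # e.g. "Files Infected"
    item: str      # file path or registry key/value
    family: str    # MBAM classification, e.g. "Trojan.Vundo.H"
    action: str    # what MBAM did, without the trailing period


# '<item> (<family>)' where the family is the last parenthesised token
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\)$")


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log, remember the current section header, and turn every
    '... -> ...' line into a Detection."""
    records = []
    section = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " -> " not in line:
            # 'Files Infected:' is a section header; 'Files Infected: 80'
            # and the scan metadata lines are summaries and are skipped.
            if line.endswith(":"):
                section = line[:-1]
            continue
        head, action = line.rsplit(" -> ", 1)
        # Registry data items insert 'Bad: (1) Good: (0)' between the
        # detection and the action; keep only the part before the first arrow.
        head = head.split(" -> ", 1)[0]
        m = DETECTION_RE.match(head)
        if m:
            records.append(Detection(section, m.group("item"),
                                     m.group("family"), action.rstrip(".")))
    return records


def family_counts(records: List[Detection]) -> Counter:
    """How many hits each classification produced."""
    return Counter(r.family for r in records)


def pending_reboot(records: List[Detection]) -> List[str]:
    """Items MBAM could not remove while the system was running: they were
    in use by a live process and must be re-checked after the restart."""
    return [r.item for r in records if r.action == "Delete on reboot"]


def in_drivers_dir(records: List[Detection]) -> List[str]:
    """Detections under system32\\drivers: the rootkit's own driver plus
    files dropped there under core Windows names (svchost.exe, beep.sys),
    which never legitimately live in that directory."""
    return [r.item for r in records
            if "\\system32\\drivers\\" in r.item.lower()]


if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    for fam, n in family_counts(recs).most_common():
        print(f"{n:3d}  {fam}")
    print("pending reboot:", pending_reboot(recs))
    print("in drivers dir:", in_drivers_dir(recs))
```

Running it over the full posted log instead of the excerpt works the same way; the two "Delete on reboot" items are exactly the ones a follow-up scan has to confirm, and the "Heuristics.Reserved.Word.Exploit" hit on the process copy of drivers\svchost.exe parses like any other line.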

#5
January 1, 2009 at 12:44:51
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:28 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAGE~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr0...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pl...
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: cb4344 - cb4344.dll (file missing)
O20 - Winlogon Notify: dxljyvmg - dxljyvmg.dll (file missing)
O20 - Winlogon Notify: epxwkfbd - epxwkfbd.dll (file missing)
O20 - Winlogon Notify: ibderzdl - ibderzdl.dll (file missing)
O20 - Winlogon Notify: ihofdidy - ihofdidy.dll (file missing)
O20 - Winlogon Notify: iunkckbp - iunkckbp.dll (file missing)
O20 - Winlogon Notify: mfqcrets - mfqcrets.dll (file missing)
O20 - Winlogon Notify: qmjhhmht - qmjhhmht.dll (file missing)
O20 - Winlogon Notify: raelgprm - raelgprm.dll (file missing)
O20 - Winlogon Notify: trbztrll - trbztrll.dll (file missing)
O20 - Winlogon Notify: vgjyhvor - vgjyhvor.dll (file missing)
O20 - Winlogon Notify: vokrrhxn - vokrrhxn.dll (file missing)
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

--
End of file - 4344 bytes


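Added example, not from the thread and not Trend Micro's code: a triage pass over HijackThis entries. The O20 Winlogon Notify lines marked (file missing) are registry pointers to the Vundo DLLs that MBAM already deleted, the O20 AppInit_DLLs value still names karna.dat (flagged Trojan.FakeAlert in the MBAM log), and the O10 line is an LSP HijackThis could not identify, not one it found to be bad. The code tags each such entry with a reason and cross-references names against a list of what the earlier scan reported; KNOWN_BAD_STEMS is an assumption drawn from the posted MBAM log, and the sample lines are a constructed excerpt of the log above.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed excerpt of a HijackThis 2.0.2 log: a handful of entries taken
# from the log posted above, not the complete file.
SAMPLE_HJT = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\\progra~1\\mcafee.com\\vso\\mcvsshl.dll
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: cb4344 - cb4344.dll (file missing)
O20 - Winlogon Notify: dxljyvmg - dxljyvmg.dll (file missing)
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\\PROGRA~1\\mcafee.com\\vso\\mcshield.exe
"""

# Names the earlier MBAM scan reported (assumption built from the posted
# log): karna.dat was Trojan.FakeAlert, the dxljyvmg DLL was Trojan.Vundo.H.
KNOWN_BAD_STEMS = ("karna.dat", "dxljyvmg")


class Finding(NamedTuple):
    section: str             # HijackThis section code, e.g. "O20"
    entry: str               # the line body after 'Oxx - '
    reasons: Tuple[str, ...]


HJT_LINE = re.compile(r"^(O\d+) - (.+)$")


def triage_hjt(text: str, known_bad=KNOWN_BAD_STEMS) -> List[Finding]:
    """Return the entries worth a second look, each tagged with why.

    orphaned     autostart hook whose target file is gone (typical after an
                 AV run deleted the DLL but left the registry pointer)
    appinit      non-empty AppInit_DLLs: the named DLL is loaded into every
                 process that loads user32.dll
    unknown-lsp  a Winsock LSP HijackThis could not identify; verify the
                 file before acting, since removing a real LSP breaks networking
    known-bad    the entry names a file an earlier scan already classified
    """
    findings = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        lower = body.lower()
        reasons = []
        if "(file missing)" in lower or "(no file)" in lower:
            reasons.append("orphaned")
        if (section == "O20" and body.startswith("AppInit_DLLs:")
                and body.split(":", 1)[1].strip()):
            reasons.append("appinit")
        if section == "O10":
            reasons.append("unknown-lsp")
        if any(stem.lower() in lower for stem in known_bad):
            reasons.append("known-bad")
        if reasons:
            findings.append(Finding(section, body, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.section:4s} {', '.join(f.reasons):22s} {f.entry}")
```

The McAfee O3/O23 lines and the ctfmon O4 line produce no finding, which is the point: a HijackThis log is mostly legitimate, and the helper's "do NOT have HijackThis fix anything yet" applies because the orphaned entries are harmless now but the AppInit_DLLs and LSP lines need to be understood before anything is removed.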

#6
January 1, 2009 at 12:51:23
Once you get SDFix downloaded, go offline, turn off your McAfee antivirus and any antispyware that you have, run SDFix from Safe Mode, and restart the antivirus before you get back online to post the log.

Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or remove some of its embedded files, which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards, before connecting to the Internet.

1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the C:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot.
Press any key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads, the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
4. Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt.



#7
January 1, 2009 at 14:00:19

[b]SDFix: Version 1.240 [/b]
Run by user on Thu 01/01/2009 at 01:21 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:

[b]Name [/b]:
TDSSserv.sys

[b]Path [/b]:
\systemroot\system32\drivers\TDSSmqlt.sys

TDSSserv.sys - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

Trojan Files Found:

C:\DOCUME~1\USER\COOKIES\FUGYXOM.DB - Deleted
C:\DOCUME~1\USER\COOKIES\APAWANO.DL - Deleted
C:\DOCUME~1\USER\COOKIES\NEWUJO~1.DL - Deleted
C:\DOCUME~1\USER\COOKIES\RAJE.PIF - Deleted
C:\DOCUME~1\USER\COOKIES\LYWYPO~1.VBS - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP1.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP11.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP15.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP16.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP17.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP18.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP2.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP25.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP3.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP34.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP35.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP3D.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP4.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP40.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP46.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP4C.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP6.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP9.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMPA.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMPB5.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMPC.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMPE.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\system32\drivers\TDSSmqlt.sys - Deleted
C:\WINDOWS\system32\TDSSmtve.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSMTVE.dat - Deleted

Folder C:\Temp\1cb - Removed


Removing Temp Files

[b]ADS Check [/b]:


[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-01 13:27:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Blubster\\Blubster.exe"="C:\\Program Files\\Blubster\\Blubster.exe:*:Enabled:Blubster"
"C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"="C:\\Program Files\\MSN Messenger\\MsnMsgr .Exe:*:Enabled:Messenger"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[b]Remaining Files [/b]:


File Backups: - C:\SDFix\backups\backups.zip

[b]Files with Hidden Attributes [/b]:

Mon 4 Feb 2008 20,480 ...H. --- "C:\Documents and Settings\user\My Documents\~WRL1308.tmp"
Mon 4 Feb 2008 20,992 ...H. --- "C:\Documents and Settings\user\My Documents\~WRL2596.tmp"
Mon 4 Feb 2008 20,480 ...H. --- "C:\Documents and Settings\user\My Documents\~WRL3813.tmp"

[b]Finished![/b]


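Added example (not part of this thread, and not SDFix code): a parser for the "Authorized Application Key Export" section of the report above, which is the Windows Firewall exception list in .reg format. The entry that matters here is the last one in the standard profile: a file named svchost.exe under system32\drivers was registered as a firewall exception, while the real svchost.exe lives in system32. The code unescapes the .reg values, splits path:scope:state:name from the right (the path itself contains "C:"), and flags core-binary names found outside system32. It assumes %windir% is C:\WINDOWS, as on the machine in this thread; the sample is a constructed excerpt of the export above.

```python
import re
from typing import List, NamedTuple

# Constructed excerpt of the 'Authorized Application Key Export' section of
# an SDFix Report.txt (lines from the report above; not the whole export).
# A raw string keeps the doubled backslashes exactly as a .reg file has them.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Blubster\\Blubster.exe"="C:\\Program Files\\Blubster\\Blubster.exe:*:Enabled:Blubster"
"C:\\WINDOWS\\system32\\drivers\\svchost.exe"="C:\\WINDOWS\\system32\\drivers\\svchost.exe:*:Disabled:svchost"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"""


class AuthorizedApp(NamedTuple):
    profile: str   # 'standardprofile' or 'domainprofile'
    path: str      # executable path as stored (after .reg unescaping)
    scope: str     # '*' means any remote address
    state: str     # 'Enabled' / 'Disabled'
    name: str      # display name shown in the firewall UI


KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<key>(?:[^"\\]|\\.)*)"="(?P<val>(?:[^"\\]|\\.)*)"$')

# Binaries that legitimately live only in %windir%\system32 on Windows XP.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe", "spoolsv.exe"}


def unescape(s: str) -> str:
    """Undo .reg escaping: \\" -> " first, then \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_authorized_apps(text: str) -> List[AuthorizedApp]:
    """Parse the exception list, tracking which firewall profile each
    [key] header opens."""
    apps = []
    profile = "unknown"
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            # ...\firewallpolicy\<profile>\authorizedapplications\list
            after = km.group(1).lower().split("\\firewallpolicy\\")[-1]
            profile = after.split("\\")[0]
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        value = unescape(vm.group("val"))
        # Layout is <path>:<scope>:<state>:<name>; the path contains 'C:',
        # so split from the right to keep the drive letter intact.
        parts = value.rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        apps.append(AuthorizedApp(profile, path, scope, state, name))
    return apps


def normalize(path: str) -> str:
    # Assumption: %windir% is C:\WINDOWS, as on the machine in this thread.
    return path.lower().replace("%windir%", "c:\\windows")


def flag_masquerades(apps: List[AuthorizedApp]) -> List[AuthorizedApp]:
    """Exceptions whose executable borrows a core Windows name but sits
    outside system32. Enabled or Disabled does not matter: the entry's
    existence shows that something registered that binary with the firewall."""
    flagged = []
    for app in apps:
        directory, _, basename = normalize(app.path).rpartition("\\")
        if basename in SYSTEM32_ONLY and directory != "c:\\windows\\system32":
            flagged.append(app)
    return flagged


if __name__ == "__main__":
    apps = parse_authorized_apps(SAMPLE_EXPORT)
    for a in apps:
        print(f"{a.profile:16s} {a.state:9s} {a.path}")
    print("masquerading:", [a.path for a in flag_masquerades(apps)])
```

On the full export the same check fires once, on drivers\svchost.exe, which matches the MBAM and SDFix findings above; the many Enabled messenger and file-sharing exceptions are normal for this machine and are not what the check is looking for.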

#8
January 1, 2009 at 14:16:41
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool, so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files, which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case, to run Combofix do the following:
1. Go offline, turn off your McAfee antivirus and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again, but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards, before connecting to the Internet.

Double-click combofix.exe.
Follow the prompts.
(Don't click on the window while the program is running or move the mouse; it will cause your system to hang.)
Please post the log it produces.



#9
January 2, 2009 at 08:55:11
ComboFix 09-01-01.02 - user 2009-01-02 8:43:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.319.187 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Cookies\kyhehopavo.inf
c:\documents and settings\user\Cookies\xakaw.dat
c:\documents and settings\user\Local Settings\Temporary Internet Files\ysokumi.reg
c:\documents and settings\user\My Documents\RACLE~1
c:\windows\IE4 Error Log.txt
c:\windows\system32\dobe~1
c:\windows\system32\jmoqr.ini
c:\windows\system32\jmoqr.ini2
c:\windows\system32\uFgjPqss.ini2

.
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-01 13:14 . 2009-01-01 13:40 <DIR> d-------- C:\SDFix
2009-01-01 13:08 . 2009-01-01 13:08 <DIR> d-------- c:\windows\ERUNT
2009-01-01 12:24 . 2009-01-01 12:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 12:24 . 2009-01-01 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-01 12:24 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 12:24 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-01 12:20 . 2009-01-01 12:20 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-01 09:52 . 2009-01-01 12:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-01 08:39 . 2009-01-01 08:39 <DIR> d-------- c:\program files\Lavasoft
2008-12-31 14:07 . 2008-12-31 14:07 <DIR> d-------- c:\documents and settings\user\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 20:09 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-01 17:58 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-01 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 17:07 --------- d-----w c:\program files\Canon
2009-01-01 17:06 --------- d-----w c:\program files\Windows Live
2008-12-31 22:07 --------- d-----w c:\program files\SmashMash
2008-11-21 12:23 19,452 ----a-w c:\documents and settings\user\Application Data\fehabepa.vbs
2008-11-18 23:37 --------- d-----w c:\documents and settings\user\Application Data\Lavasoft
2008-11-18 23:17 18,989 ----a-w c:\program files\Common Files\zydunu.vbs
2008-11-18 23:17 16,372 ----a-w c:\windows\obinonoxy.com
2008-11-18 23:17 16,313 ----a-w c:\program files\Common Files\josyqam.dat
2008-11-18 23:17 15,939 ----a-w c:\windows\fune.vbs
2008-11-18 23:17 15,331 ----a-w c:\windows\venered.scr
2008-11-18 23:17 14,572 ----a-w c:\documents and settings\user\Application Data\qaculo.reg
2008-11-18 23:17 13,653 ----a-w c:\program files\Common Files\ilidemi.com
2008-11-18 23:17 10,806 ----a-w c:\program files\Common Files\ufutaf.reg
2008-11-14 06:21 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2004-10-01 22:00 40,960 -c--a-w c:\program files\Uninstall_CDS.exe
2003-11-20 02:37 10,459 -c--a-w c:\program files\readme.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IEEE 802.11g USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IEEE 802.11g USB Wireless LAN Utility.lnk
backup=c:\windows\pss\IEEE 802.11g USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
-ra--c--- 2004-12-28 14:01 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra--c--- 2003-05-07 00:32 36864 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"acee2785"=rundll32.exe "c:\windows\system32\fpbcldmd.dll",b

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"=

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\DRIVERS\zd1211u.sys [2007-08-01 280064]
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe [2005-07-30 02:12]

2009-01-02 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKLM-Run-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAGE~1.EXE
Notify-cbxxxxx - cbxxxxx.dll
Notify-dxljyvmg - dxljyvmg.dll
Notify-epxwkfbd - epxwkfbd.dll
Notify-ibderzdl - ibderzdl.dll
Notify-ihofdidy - ihofdidy.dll
Notify-iunkckbp - iunkckbp.dll
Notify-mfqcrets - mfqcrets.dll
Notify-qmjhhmht - qmjhhmht.dll
Notify-raelgprm - raelgprm.dll
Notify-trbztrll - trbztrll.dll
Notify-vgjyhvor - vgjyhvor.dll
Notify-vokrrhxn - vokrrhxn.dll
MSConfigStartUp-acee2785 - c:\windows\system32\wjuypjwv.dll
MSConfigStartUp-Dot1XCfg - c:\program files\Dot1XCfg\Dot1XCfg.exe
MSConfigStartUp-McAfee QuickClean Imonitor - c:\program files\McAfee\McAfee QuickClean\Plguni.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\mcagent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MSKAGE~1.EXE
MSConfigStartUp-MSKDetectorExe - c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr .exe
MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
MSConfigStartUp-RemoteControl - c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
MSConfigStartUp-SBI - c:\documents and settings\user\Local Settings\Temporary Internet Files\Content.IE5\BZDFRPOW\install_sbd_en[1].exe
MSConfigStartUp-SearchAndDestroyMFC - c:\program files\Search And Destroy\Search And Destroy.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
MSConfigStartUp-_AntiSpyware - c:\progra~1\mcafee\MCAFEE~1\masalert.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 08:48:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\McAfee AntiSpyware\MASSrv.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-02 8:51:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 16:51:01

Pre-Run: 28,547,993,600 bytes free
Post-Run: 29,446,848,512 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

159 --- E O F --- 2008-12-31 23:04:06


Report •

#10
January 2, 2009 at 09:31:00
Please go to Virus Total and upload the following files one at a time for analysis:


c:\windows\obinonoxy.com

c:\program files\Common Files\ilidemi.com

c:\program files\Common Files\zydunu.vbs

c:\program files\Common Files\josyqam.dat

c:\documents and settings\user\Application Data\qaculo.reg

Use the browse button at the site to find the file. Once you find the file, double click it and it should appear in the empty space to the left of the browse button, then click "send file".

Post the results in your reply.


Report •

#11
January 2, 2009 at 11:23:13
c:\windows\obinonoxy.com


File obinonoxy.com received on 01.02.2009 20:20:34 (CET)


Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.31 -
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.02 -
Authentium 5.1.0.4 2009.01.02 -
Avast 4.8.1281.0 2009.01.02 -
AVG 8.0.0.199 2008.12.31 -
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 851 2008.12.31 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2008.12.30 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2008.12.31 -
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2008.12.31 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 -
McAfee+Artemis 5479 2008.12.30 -
Microsoft 1.4205 2009.01.02 -
NOD32 3725 2008.12.31 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.02 -
PCTools 4.4.2.0 2008.12.31 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2008.12.31 -
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.31 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2008.12.31 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 16372 bytes
MD5...: 93514cb9af29c1d0c41e39138613ad6f
SHA1..: cc7c603452d9697a1583038367fd7d50f0f7fdde
SHA256: 7121e4f8d68ca2c3252ab323ec73df3342e5edec56ce0f2e490396511c6e08ba
SHA512: ee8748e642525a21a10c1ac83d75dbd2aa71d2df5bee69c32f4710904266c234
1584f38dd1e56e31dd777f8eea350f0ade166aa7138c21d1ba24fdda175310fe

ssdeep: 384:dYK8smrFX2bc9EhX0pI+VgrcmdsSi9X+mGr+d:qK8saXX9E0m+Gs55G8

PEiD..: -
TrID..: File type identification
MPEG Video (100.0%)
PEInfo: -


c:\program files\Common Files\ilidemi.com

File ilidemi.com received on 01.02.2009 20:24:06 (CET)


Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.31 -
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.02 -
Authentium 5.1.0.4 2009.01.02 -
Avast 4.8.1281.0 2009.01.02 -
AVG 8.0.0.199 2008.12.31 -
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 851 2008.12.31 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2008.12.30 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2008.12.31 -
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2008.12.31 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 -
McAfee+Artemis 5479 2008.12.30 -
Microsoft 1.4205 2009.01.02 -
NOD32 3725 2008.12.31 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.02 -
PCTools 4.4.2.0 2008.12.31 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2008.12.31 -
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.31 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2008.12.31 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.01 -
Additional information
File size: 13653 bytes
MD5...: db3a651a37cead3d77b2066286913845
SHA1..: 2d45eed5bf9a7713564e434ace67c3d87396d7f1
SHA256: d26fded3d0b87ee7fd6ceb0ded66c1d045d00c1b9de2d9b7b0ca942f6afd4e1d
SHA512: c6f37d8f39f319425e3dd95b560d92da3eaaced0e3cff556e63e79554adc73ac
ef8e8a20fe0c2494cd8dd8fd8feaccb25f264ec0b69e0071d833b4bc0986fef7

ssdeep: 192:EwwHcUrjQ0hDT2gKzQb76u46IZOKKwAP4f/C7xdYXBIEBXO7XwolgkQF6lon
nZA4:FwHJHQ0JTYzQb7wJJAP4H6TE4Lc6QndD

PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -


C:\Program Files\Common Files\zydunu.vbs

File zydunu.vbs received on 01.02.2009 20:29:50 (CET)


Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.02 -
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.02 -
Authentium 5.1.0.4 2009.01.02 -
Avast 4.8.1281.0 2009.01.02 -
AVG 8.0.0.199 2009.01.02 -
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 866 2009.01.02 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.02 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2009.01.02 -
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2009.01.02 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 -
McAfee+Artemis 5482 2009.01.02 -
Microsoft 1.4205 2009.01.02 -
NOD32 3732 2009.01.02 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.02 -
PCTools 4.4.2.0 2009.01.02 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2009.01.02 -
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.02 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.02 -
Additional information
File size: 18989 bytes
MD5...: cf7ea5e214d9ce53046ea0c4ee83c86e
SHA1..: f274997e7e86b63cd2d94234adf4b0954cfe9d92
SHA256: e0cfe0cfb5eebca443a47f5650586fa13a480f2ecb16fccc0950003e54f65d83
SHA512: 8fe0abde5bccc287d18b63e115b09cd2401f9451efa8320e8e4c960f5a7efb45
b436e916eaec4ca4f908fc92aeb8062abf79df83bdb3ed9a52926e9d2a9e024d

ssdeep: 384:LpZ/tEg4F8oH4ooj6s1JRTk8uFH8kcpTks1ZP85IDYOVg6Sh:LE4HxRgZPcJ
NZP85+St

PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -


c:\program files\Common Files\josyqam.dat

File josyqam.dat received on 01.02.2009 20:34:12 (CET)


Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.02 -
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.02 -
Authentium 5.1.0.4 2009.01.02 -
Avast 4.8.1281.0 2009.01.02 -
AVG 8.0.0.199 2009.01.02 -
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 866 2009.01.02 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.02 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2009.01.02 -
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2009.01.02 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5481 2009.01.02 -
McAfee+Artemis 5482 2009.01.02 -
Microsoft 1.4205 2009.01.02 -
NOD32 3732 2009.01.02 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.02 -
PCTools 4.4.2.0 2009.01.02 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2009.01.02 -
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.02 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2009.01.02 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.02 -
Additional information
File size: 16313 bytes
MD5...: d9ad5e19ca10d6de6aaec6cd56323686
SHA1..: 9f22435184bed56378c6b5ef81bd0c338f2bc468
SHA256: 919f453fe9522cd539c306d1ea3853280e62894625c4742e8a3db3c72a93b44b
SHA512: ba70baae1d70d7d1a36483c9d9f10ab288d4cc956caf69afc611ad68bd9eb2d2
894c0a480b9192622602f95c2f1b02ed5fce961640b9a546c17a87bc851a42ea

ssdeep: 384:GRUbpMZqI9yYWS122ezeAdJYz/Tx8r+kkURsT:GGpGZoYWD9dqDduN6

PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -



Report •

#12
January 2, 2009 at 14:48:06
c:\documents and settings\user\Application Data\qaculo.reg

File qaculo.reg received on 01.02.2009 20:37:28 (CET)


Result: 0/38 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.31 -
AhnLab-V3 2008.12.31.0 2009.01.02 -
AntiVir 7.9.0.45 2009.01.02 -
Authentium 5.1.0.4 2009.01.02 -
Avast 4.8.1281.0 2009.01.02 -
AVG 8.0.0.199 2008.12.31 -
BitDefender 7.2 2009.01.02 -
CAT-QuickHeal 10.00 2009.01.02 -
ClamAV 0.94.1 2009.01.02 -
Comodo 851 2008.12.31 -
DrWeb 4.44.0.09170 2009.01.02 -
eTrust-Vet 31.6.6287 2009.01.01 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2008.12.30 -
F-Secure 8.0.14470.0 2009.01.02 -
Fortinet 3.117.0.0 2009.01.02 -
GData 19 2008.12.31 -
Ikarus T3.1.1.45.0 2009.01.02 -
K7AntiVirus 7.10.572 2008.12.31 -
Kaspersky 7.0.0.125 2009.01.02 -
McAfee 5482 2009.01.02 -
McAfee+Artemis 5479 2008.12.30 -
Microsoft 1.4205 2009.01.02 -
NOD32 3725 2008.12.31 -
Norman 5.80.02 2009.01.02 -
Panda 9.0.0.4 2009.01.02 -
PCTools 4.4.2.0 2008.12.31 -
Prevx1 V2 2009.01.02 -
Rising 21.10.22.00 2008.12.31 -
SecureWeb-Gateway 6.7.6 2008.12.31 -
Sophos 4.37.0 2009.01.02 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.31 -
TheHacker 6.3.1.4.204 2009.01.02 -
TrendMicro 8.700.0.1004 2008.12.31 -
VBA32 3.12.8.10 2009.01.01 -
ViRobot 2008.12.30.1540 2008.12.31 -
VirusBuster 4.5.11.0 2009.01.02 -
Additional information
File size: 14572 bytes
MD5...: 274f28f57f10348482bbd8e856c9af69
SHA1..: a7154527f2bbf6c95818e6503ed337c0b41ea77b
SHA256: 6ccb1cd9a76dfb13020c26ae0d1bbb72b98649cdd23d38130ace7b904bda4c68
SHA512: 14dd4107add359322f39ac0678aa2f0586534f78a8c969dd04d8cbd12a65bdb0
fff032ee197311f4cba3014e6a62e071f509e2c968604203da8a28007638f82f

ssdeep: 192:UcMoDoKkBT/pr4P549EzXTEJcjpjD5ynh98vd7oxRKNS7rJajN5dwF3zzlw7
b:UcnELpr4PCmScjpjlyhGvdyr05eF3zJM

PEiD..: -
TrID..: File type identification
Adobe PhotoShop Brush (100.0%)
PEInfo: -


Report •

#13
January 2, 2009 at 16:02:49
Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL, or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\obinonoxy.com
c:\program files\Common Files\ilidemi.com
c:\program files\Common Files\zydunu.vbs
c:\program files\Common Files\josyqam.dat
c:\documents and settings\user\Application Data\qaculo.reg
c:\program files\Common Files\ufutaf.reg

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"acee2785"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Post a new Combofix log following the previous directions.

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Post a new Hijack This log please.


Report •
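The Find3M report in #9 and the CFScript layout in #13 together form one triage loop: pick out the random-named drop files, then list them in a File:: block. The Python below is an added example written for this thread, not code from ComboFix or from the helper; the regex for the Find3M line shape, the gibberish-name heuristic, the extension list and the function names are its own assumptions, and the sample lines are constructed from the log above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample in the shape of the Find3M report posted in #9 (one
# directory, the dropped files, and two legitimate files for contrast).
SAMPLE_FIND3M = """\
2009-01-01 20:09 --------- d-----w c:\\program files\\Messenger Plus! Live
2008-11-21 12:23 19,452 ----a-w c:\\documents and settings\\user\\Application Data\\fehabepa.vbs
2008-11-18 23:17 18,989 ----a-w c:\\program files\\Common Files\\zydunu.vbs
2008-11-18 23:17 16,372 ----a-w c:\\windows\\obinonoxy.com
2008-11-18 23:17 16,313 ----a-w c:\\program files\\Common Files\\josyqam.dat
2008-11-18 23:17 14,572 ----a-w c:\\documents and settings\\user\\Application Data\\qaculo.reg
2004-10-01 22:00 40,960 -c--a-w c:\\program files\\Uninstall_CDS.exe
2003-11-20 02:37 10,459 -c--a-w c:\\program files\\readme.txt
"""

# "date time size attrs path"; size is "---------" for directories (assumed shape).
FIND3M_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) (\S+) (.+)$")

# Extensions that are executed or loaded rather than merely stored (assumption:
# illustrative list, chosen from what was dropped on the machine in this thread).
LOADABLE_EXTS = {"vbs", "com", "scr", "reg", "dat", "ini", "exe", "dll"}
# Ordinary all-lowercase stems that must not be mistaken for gibberish.
KNOWN_STEMS = {"readme", "setup", "install", "uninstall", "license", "config", "update"}


@dataclass
class Entry:
    stamp: str            # "YYYY-MM-DD HH:MM" exactly as ComboFix prints it
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "----a-w"; a leading "d" marks a directory
    path: str


def parse_find3m(text: str) -> List[Entry]:
    """Parse Find3M-style lines; lines that do not fit the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_LINE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        size_val = int(size.replace(",", "")) if size[0].isdigit() else None
        entries.append(Entry(f"{date} {time}", size_val, attrs, path))
    return entries


def looks_random(stem: str) -> bool:
    """Heuristic: 4-12 lowercase letters, no digits or separators, not a known word."""
    return bool(re.fullmatch(r"[a-z]{4,12}", stem)) and stem not in KNOWN_STEMS


def flag_suspicious(text: str) -> List[str]:
    """Paths of file entries with a random-looking stem and a loadable extension."""
    flagged = []
    for e in parse_find3m(text):
        if e.attrs.startswith("d"):
            continue
        name = e.path.rsplit("\\", 1)[-1].lower()
        stem, _, ext = name.rpartition(".")
        if ext in LOADABLE_EXTS and looks_random(stem):
            flagged.append(e.path)
    return flagged


def creation_bursts(text: str, min_files: int = 3) -> List[str]:
    """Minutes in which several flagged files were written at once (a dropper signature)."""
    flagged = set(flag_suspicious(text))
    counts = Counter(e.stamp for e in parse_find3m(text) if e.path in flagged)
    return sorted(stamp for stamp, n in counts.items() if n >= min_files)


def build_cfscript(files: Sequence[str],
                   reg_deletes: Sequence[Tuple[str, str]] = ()) -> str:
    """Render the CFScript layout from #13: KILLALL::, a File:: list, then Registry::
    entries in REGEDIT syntax, where "name"=- deletes the named value."""
    lines = ["KILLALL::", "File::", *files]
    if reg_deletes:
        lines += ["", "Registry::"]
        for key, value in reg_deletes:
            lines += [f"[{key}]", f'"{value}"=-']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = flag_suspicious(SAMPLE_FIND3M)
    print("flagged:", *hits, sep="\n  ")
    print("creation bursts:", creation_bursts(SAMPLE_FIND3M))
    # The Run- value seen in the #9 log; review the generated script by hand before use.
    run_key = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-"
    print(build_cfscript(hits, [(run_key, "acee2785")]))
```

The heuristic is deliberately narrow (lowercase gibberish plus a loadable extension, reinforced by a same-minute creation burst) so that ordinary files such as readme.txt and Uninstall_CDS.exe are left alone.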

#14
January 2, 2009 at 17:31:25
ComboFix 09-01-01.02 - user 2009-01-02 20:22:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.319.97 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\user\Application Data\qaculo.reg
c:\program files\Common Files\ilidemi.com
c:\program files\Common Files\josyqam.dat
c:\program files\Common Files\ufutaf.reg
c:\program files\Common Files\zydunu.vbs
c:\windows\obinonoxy.com
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\qaculo.reg
c:\program files\Common Files\ilidemi.com
c:\program files\Common Files\josyqam.dat
c:\program files\Common Files\ufutaf.reg
c:\program files\Common Files\zydunu.vbs
c:\windows\obinonoxy.com
c:\windows\system32\ayypuoae.ini
c:\windows\system32\buqiiuuo.ini
c:\windows\system32\daidtvnv.ini
c:\windows\system32\dmdlcbpf.ini
c:\windows\system32\epaefqfb.ini
c:\windows\system32\epqtcslh.ini
c:\windows\system32\fuxfdghk.ini
c:\windows\system32\gkhrfyju.ini
c:\windows\system32\hkpjdqtm.ini
c:\windows\system32\hmfoeksj.ini
c:\windows\system32\hsvyusvw.ini
c:\windows\system32\kxvaxnyf.ini
c:\windows\system32\loyfajtn.ini
c:\windows\system32\mbcoxjsb.ini
c:\windows\system32\ninoqwil.ini
c:\windows\system32\nttiileg.ini
c:\windows\system32\pbaohrwi.ini
c:\windows\system32\pnjaydqo.ini
c:\windows\system32\smgfblok.ini
c:\windows\system32\sypujaag.ini
c:\windows\system32\tdljblej.ini
c:\windows\system32\uwbabpjo.ini
c:\windows\system32\vsndkqmx.ini
c:\windows\system32\vwjpyujw.ini
c:\windows\system32\wbgngsuw.ini
c:\windows\system32\windbxbb.ini
c:\windows\system32\xxoqfoxy.ini
c:\windows\system32\yibbufuw.ini

.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-01 13:14 . 2009-01-01 13:40 <DIR> d-------- C:\SDFix
2009-01-01 13:08 . 2009-01-01 13:08 <DIR> d-------- c:\windows\ERUNT
2009-01-01 12:24 . 2009-01-01 12:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 12:24 . 2009-01-01 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-01 12:24 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 12:24 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-01 12:20 . 2009-01-01 12:20 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-01 09:52 . 2009-01-01 12:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-01 08:39 . 2009-01-01 08:39 <DIR> d-------- c:\program files\Lavasoft
2008-12-31 14:07 . 2008-12-31 14:07 <DIR> d-------- c:\documents and settings\user\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 20:09 --------- d-----w c:\program files\Messenger Plus! Live
2009-01-01 17:58 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-01 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 17:07 --------- d-----w c:\program files\Canon
2009-01-01 17:06 --------- d-----w c:\program files\Windows Live
2008-12-31 22:07 --------- d-----w c:\program files\SmashMash
2008-11-21 12:23 19,452 ----a-w c:\documents and settings\user\Application Data\fehabepa.vbs
2008-11-18 23:37 --------- d-----w c:\documents and settings\user\Application Data\Lavasoft
2008-11-18 23:17 15,939 ----a-w c:\windows\fune.vbs
2008-11-18 23:17 15,331 ----a-w c:\windows\venered.scr
2008-11-14 06:21 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2004-10-01 22:00 40,960 -c--a-w c:\program files\Uninstall_CDS.exe
2003-11-20 02:37 10,459 -c--a-w c:\program files\readme.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IEEE 802.11g USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IEEE 802.11g USB Wireless LAN Utility.lnk
backup=c:\windows\pss\IEEE 802.11g USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
-ra--c--- 2004-12-28 14:01 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra--c--- 2003-05-07 00:32 36864 c:\windows\system32\VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"acee2785"=rundll32.exe "c:\windows\system32\fpbcldmd.dll",b

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"=

S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\DRIVERS\zd1211u.sys [2007-08-01 280064]
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\mcafee\MCAFEE~1\MASCon.exe [2005-07-30 02:12]

2009-01-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 20:26:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\McAfee AntiSpyware\MASSrv.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-02 20:28:35 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2009-01-03 04:28:18
ComboFix2.txt 2009-01-02 16:51:14

Pre-Run: 29,428,174,848 bytes free
Post-Run: 29,399,343,104 bytes free

148 --- E O F --- 2008-12-31 23:04:06


Report •

#15
January 2, 2009 at 17:39:19
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:35 PM, on 1/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr0...
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pl...
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

--
End of file - 3704 bytes



#16
January 2, 2009 at 18:45:44
Let me know if the red X is gone and how the computer is operating, please, and more importantly make sure to follow through with the clean-up.

Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
c:\windows\system32\fpbcldmd.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Empty the restore folder. Go to Start > Control Panel > System > System Restore tab > check the box beside "Turn off System Restore" > Apply (takes a minute) > OK. Go back and uncheck the box to turn System Restore back on > Apply > OK.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



#17
January 2, 2009 at 19:10:03
ComboFix 09-01-01.02 - user 2009-01-02 21:58:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.319.133 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\fpbcldmd.dll
.

((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-02 21:02 . 2009-01-02 21:04 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-02 21:02 . 2009-01-02 21:02 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-02 21:02 . 2009-01-02 21:02 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-02 21:02 . 2009-01-02 21:02 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-02 21:01 . 2009-01-02 21:01 <DIR> d-------- c:\program files\AVG
2009-01-02 21:01 . 2009-01-02 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-01 13:14 . 2009-01-01 13:40 <DIR> d-------- C:\SDFix
2009-01-01 13:08 . 2009-01-01 13:08 <DIR> d-------- c:\windows\ERUNT
2009-01-01 12:24 . 2009-01-01 12:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 12:24 . 2009-01-01 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-01 12:24 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 12:24 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-01 12:20 . 2009-01-01 12:20 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-01 09:52 . 2009-01-01 12:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-01 08:39 . 2009-01-01 08:39 <DIR> d-------- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 17:58 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-01 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 17:07 --------- d-----w c:\program files\Canon
2009-01-01 17:06 --------- d-----w c:\program files\Windows Live
2008-12-31 22:07 --------- d-----w c:\program files\SmashMash
2008-11-21 12:23 19,452 ----a-w c:\documents and settings\user\Application Data\fehabepa.vbs
2008-11-18 23:37 --------- d-----w c:\documents and settings\user\Application Data\Lavasoft
2008-11-18 23:17 15,939 ----a-w c:\windows\fune.vbs
2008-11-18 23:17 15,331 ----a-w c:\windows\venered.scr
2008-11-14 06:21 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2004-10-01 22:00 40,960 -c--a-w c:\program files\Uninstall_CDS.exe
2003-11-20 02:37 10,459 -c--a-w c:\program files\readme.txt
.

((((((((((((((((((((((((((((( snapshot@2009-01-02_ 8.50.05.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-03 05:02:08 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2006-12-02 06:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 08:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 08:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 08:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 08:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 08:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 08:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 08:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 08:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 08:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 08:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 08:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 08:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 08:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 08:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-02 1261336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IEEE 802.11g USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IEEE 802.11g USB Wireless LAN Utility.lnk
backup=c:\windows\pss\IEEE 802.11g USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
-ra--c--- 2004-12-28 14:01 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra--c--- 2003-05-07 00:32 36864 c:\windows\system32\VTTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2009-01-02 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-02 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-02 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2009-01-02 76040]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\DRIVERS\zd1211u.sys [2007-08-01 280064]
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 22:01:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-02 22:03:51 - machine was rebooted [user]
ComboFix-quarantined-files.txt 2009-01-03 06:03:35
ComboFix2.txt 2009-01-03 04:28:37
ComboFix3.txt 2009-01-02 16:51:14

Pre-Run: 31,722,397,696 bytes free
Post-Run: 31,737,057,280 bytes free

133 --- E O F --- 2008-12-31 23:04:06



#18
January 2, 2009 at 19:12:02
After doing everything that you have said, my McAfee antivirus just stopped working! So I just uninstalled it and downloaded the temp. one for now. Also the pos?.tmp files are gone!!! THANK YOU! But the red X is still there.


#19
January 2, 2009 at 19:28:21
You have had quite a work out.

This should fix the red X.

Go to Start > Run > type in notepad > OK. Copy/paste the following into Notepad, making [autorun] the very top line:

[autorun]

ICON=C:\WINDOWS\SYSTEM\SHELL32.DLL,8

Click "Save As", then, using the drop-down arrow on the far right of the "Save in" window, select Local Disk C: to be displayed in the "Save in" window.

Next, type "C:\autorun.inf" (you must use the quotes) in the file name window, then click Save.

Restart the computer and let me know if that worked.



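Editor's note, added to the thread and not posted by either participant: the fix in #19 works by writing an icon-only autorun.inf to the root of C:. The same file at a drive root was also the carrier that autorun worms on Windows XP of that period used to launch a program (an open= or shellexecute= key, or a shell\...\command verb), so a file in that location deserves a look before it is trusted, and ComboFix's next run (post #24) does in fact list C:\autorun.inf under Other Deletions. The Python below is an added example, not code from the thread: it parses autorun.inf text and separates an icon-only file like the one in the fix from one that launches code. The icon-only sample is the helper's file; the launcher sample is constructed for illustration and is not taken from any log on this page.

```python
"""Inspect a drive-root autorun.inf and tell an icon-only file from one that launches code."""
from pathlib import Path

# Keys in the [autorun] section that make the shell run a program when the volume
# is opened or AutoPlay fires (historic XP behaviour). shell\<verb>\command keys
# are handled separately below.
LAUNCH_KEYS = {"open", "shellexecute"}


def parse_autorun(text: str) -> dict:
    """Parse INI-style autorun.inf text into {section: {key: value}}.

    Section names and keys are lower-cased. Unlike configparser this tolerates
    duplicate keys (last one wins) and keys containing backslashes such as
    shell\\open\\command, both of which appear in real-world autorun.inf files.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(sections: dict) -> list:
    """Return every program an [autorun] section would execute, in file order."""
    auto = sections.get("autorun", {})
    targets = []
    for key, value in auto.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets


def classify(text: str) -> dict:
    """Summarise an autorun.inf: does it only set an icon, or does it launch something?"""
    sections = parse_autorun(text)
    auto = sections.get("autorun", {})
    targets = launch_targets(sections)
    return {
        "has_autorun_section": "autorun" in sections,
        "icon": auto.get("icon"),
        "launches": bool(targets),
        "targets": targets,
    }


def classify_file(path) -> dict:
    """Same as classify() but reads the file from disk, e.g. classify_file(r"C:\\autorun.inf")."""
    return classify(Path(path).read_text(errors="replace"))


# The file the helper asked the user to create in post #19; it only sets an icon.
ICON_ONLY = "[autorun]\n\nICON=C:\\WINDOWS\\SYSTEM\\SHELL32.DLL,8\n"

# Constructed sample of the launcher pattern USB worms of the era used. Not from this thread.
LAUNCHER = (
    "[autorun]\n"
    "open=RECYCLER\\setup.exe\n"
    "shellexecute=RECYCLER\\setup.exe\n"
    "shell\\open\\command=RECYCLER\\setup.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)

if __name__ == "__main__":
    for name, text in (("icon-only", ICON_ONLY), ("launcher", LAUNCHER)):
        print(name, classify(text))
```

Run it as-is to see both verdicts, or point classify_file() at the drive root; anything with "launches": True is a file to quarantine rather than a cosmetic icon fix.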
#20
January 2, 2009 at 21:27:26
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 03, 2009 03:39:31
Records in database: 1551365


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Files scanned 31783
Threat name 7
Infected objects 19
Suspicious objects 0
Duration of the scan 01:14:45

File name Threat name Threats count
C:\Documents and Settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Anti Virus 3.0.669 Incl 32&64BIT(Precracked)\EAVBE32.3.0.669.exe Infected: Trojan-Downloader.Win32.Small.adda 1

C:\Documents and Settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Anti Virus 3.0.669 Incl 32&64BIT(Precracked)\EAVBE64.3.0.669.exe Infected: Trojan-Downloader.Win32.Small.adda 1

C:\Documents and Settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Smart Security 3.0.669 Incl 32&64BIT(Precracked)\ESSBE32.3.0.669.exe Infected: Trojan-Downloader.Win32.Small.adda 1

C:\Documents and Settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Smart Security 3.0.669 Incl 32&64BIT(Precracked)\ESSBE64.3.0.669.exe Infected: Trojan-Downloader.Win32.Small.adda 1

C:\Temp\nDcca1109.exe Infected: Trojan-Downloader.Win32.Small.buy 1

C:\Temp\nDcca1109.exe Infected: Trojan-Downloader.Win32.Small.hwg 1

C:\Temp\nDcca1109.exe Infected: not-a-virus:AdWare.Win32.TTC.a 1

C:\WINDOWS\system32\anpmyala.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\WINDOWS\system32\cihyrluo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\WINDOWS\system32\dllvslbs.dll Infected: Trojan.Win32.Monder.ag 1

C:\WINDOWS\system32\gheffove.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\WINDOWS\system32\jqypluny.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\WINDOWS\system32\owtllsqu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\WINDOWS\system32\oylsotry.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\WINDOWS\system32\pwgtcaoi.dll Infected: Trojan.Win32.Monder.ap 1

C:\WINDOWS\system32\ssonypbx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\WINDOWS\system32\udwmdcxr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\WINDOWS\system32\vwhokamx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\WINDOWS\system32\wvphowdv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

The selected area was scanned.



#21
January 2, 2009 at 21:40:02
Open Notepad and copy/paste everything between the X's into it, and make sure the first word (such as KILLALL or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\Temp\nDcca1109.exe
C:\Temp\nDcca1109.exe
C:\Temp\nDcca1109.exe
C:\WINDOWS\system32\anpmyala.dll
C:\WINDOWS\system32\cihyrluo.dll
C:\WINDOWS\system32\dllvslbs.dll
C:\WINDOWS\system32\gheffove.dll
C:\WINDOWS\system32\jqypluny.dll
C:\WINDOWS\system32\owtllsqu.dll
C:\WINDOWS\system32\oylsotry.dll
C:\WINDOWS\system32\pwgtcaoi.dll
C:\WINDOWS\system32\ssonypbx.dll
C:\WINDOWS\system32\udwmdcxr.dll
C:\WINDOWS\system32\vwhokamx.dll
C:\WINDOWS\system32\wvphowdv.dll
C:\Documents and Settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Smart Security 3.0.669 Incl 32&64BIT(Precracked)\ESSBE64.3.0.669.exe
C:\Documents and Settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Smart Security 3.0.669 Incl 32&64BIT(Precracked)\ESSBE32.3.0.669.exe
C:\Documents and Settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Anti Virus 3.0.669 Incl 32&64BIT(Precracked)\EAVBE64.3.0.669.exe
C:\Documents and Settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Anti Virus 3.0.669 Incl 32&64BIT(Precracked)\EAVBE32.3.0.669.exe

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As". Change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Did you run the fix for the red X?



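An added example, not code from the thread: the CFScript in #21 was assembled by hand from the Kaspersky report in #20, which is why C:\Temp\nDcca1109.exe appears three times (the scanner gave three verdicts for the one file; ComboFix's own log in #24 lists it once under FILE ::). The Python below parses the report's detection lines, which on this page have the form `<path> Infected: <threat name> <count>`, de-duplicates the paths in first-seen order, gives a per-threat count, and emits a KILLALL::/File:: script in the layout the thread uses. Accepting a "Suspicious:" verdict alongside "Infected:" is an assumption about Kaspersky's other verdict wording; the sample report is an excerpt of post #20.

```python
"""Turn a Kaspersky Online Scanner text report into a de-duplicated ComboFix CFScript."""
import re
from collections import Counter, OrderedDict

# One detection line: "<path> Infected: <threat name> <count>". Paths contain spaces
# (see the Downloads entries in post #20), so anchor on the verdict keyword rather than
# splitting on whitespace. "Suspicious" is assumed as the scanner's other verdict word.
DETECTION = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)


def parse_report(text: str) -> list:
    """Return [(path, verdict, threat)] for every detection line, in report order."""
    records = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            records.append((m.group("path"), m.group("verdict"), m.group("threat")))
    return records


def unique_paths(records) -> list:
    """Paths in first-seen order; one file may carry several verdicts."""
    seen = OrderedDict()
    for path, _, _ in records:
        seen.setdefault(path, None)
    return list(seen)


def threat_summary(records) -> Counter:
    """How many detections each threat name accounts for (e.g. the Virtumonde DLL count)."""
    return Counter(threat for _, _, threat in records)


def build_cfscript(records, killall: bool = True) -> str:
    """Emit a CFScript: KILLALL:: (optional) first, then File:: with one path per line.

    The first directive must be the very first line of the file, as the thread's
    instructions say; the script text itself follows the layout used in post #21.
    """
    lines = []
    if killall:
        lines.append("KILLALL::")
    lines.append("File::")
    lines.extend(unique_paths(records))
    return "\n".join(lines) + "\n"


# Excerpt of the report in post #20; three verdicts share one temp file.
SAMPLE_REPORT = """\
File name Threat name Threats count
C:\\Temp\\nDcca1109.exe Infected: Trojan-Downloader.Win32.Small.buy 1

C:\\Temp\\nDcca1109.exe Infected: Trojan-Downloader.Win32.Small.hwg 1

C:\\Temp\\nDcca1109.exe Infected: not-a-virus:AdWare.Win32.TTC.a 1

C:\\WINDOWS\\system32\\anpmyala.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn 1

C:\\WINDOWS\\system32\\dllvslbs.dll Infected: Trojan.Win32.Monder.ag 1

The selected area was scanned.
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(threat_summary(recs))
    print(build_cfscript(recs), end="")
```

Feed it the saved report text instead of SAMPLE_REPORT to get the File:: list for a real run; the per-threat summary is also a quick way to see that nearly all of the system32 hits in #20 are one Virtumonde/Monder infestation rather than unrelated finds.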
#22
January 3, 2009 at 09:04:12
Yes, I did run the fix for the red X, and it's finally gone!! Thank you :)


#23
January 3, 2009 at 09:19:47
Glad we could help.


#24
January 3, 2009 at 09:34:34
ComboFix 09-01-01.02 - user 2009-01-03 12:11:48.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.319.157 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Anti Virus 3.0.669 Incl 32&64BIT(Precracked)\EAVBE32.3.0.669.exe
c:\documents and settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Anti Virus 3.0.669 Incl 32&64BIT(Precracked)\EAVBE64.3.0.669.exe
c:\documents and settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Smart Security 3.0.669 Incl 32&64BIT(Precracked)\ESSBE32.3.0.669.exe
c:\documents and settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Smart Security 3.0.669 Incl 32&64BIT(Precracked)\ESSBE64.3.0.669.exe
c:\temp\nDcca1109.exe
c:\windows\system32\anpmyala.dll
c:\windows\system32\cihyrluo.dll
c:\windows\system32\dllvslbs.dll
c:\windows\system32\gheffove.dll
c:\windows\system32\jqypluny.dll
c:\windows\system32\owtllsqu.dll
c:\windows\system32\oylsotry.dll
c:\windows\system32\pwgtcaoi.dll
c:\windows\system32\ssonypbx.dll
c:\windows\system32\udwmdcxr.dll
c:\windows\system32\vwhokamx.dll
c:\windows\system32\wvphowdv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Smart Security 3.0.669 Incl 32&64BIT(Precracked)\ESSBE32.3.0.669.exe
c:\documents and settings\user\My Documents\Downloads\ESET NOD32 Anti Virus&Smart Security 3.0.669 Incl 32&64BIT ( Fully Activated )\ESET NOD32 Smart Security 3.0.669 Incl 32&64BIT(Precracked)\ESSBE64.3.0.669.exe
c:\temp\nDcca1109.exe
c:\windows\system32\anpmyala.dll
c:\windows\system32\cihyrluo.dll
c:\windows\system32\dllvslbs.dll
c:\windows\system32\gheffove.dll
c:\windows\system32\jqypluny.dll
c:\windows\system32\owtllsqu.dll
c:\windows\system32\oylsotry.dll
c:\windows\system32\pwgtcaoi.dll
c:\windows\system32\ssonypbx.dll
c:\windows\system32\udwmdcxr.dll
c:\windows\system32\vwhokamx.dll
c:\windows\system32\wvphowdv.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-03 to 2009-01-03 )))))))))))))))))))))))))))))))
.

2009-01-02 22:17 . 2009-01-02 22:17 <DIR> d-------- c:\program files\Java
2009-01-02 22:17 . 2009-01-02 22:17 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-02 21:02 . 2009-01-03 12:00 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-01-02 21:02 . 2009-01-02 21:02 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-01-02 21:02 . 2009-01-02 21:02 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-01-02 21:02 . 2009-01-02 21:02 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-01-02 21:01 . 2009-01-02 21:01 <DIR> d-------- c:\program files\AVG
2009-01-02 21:01 . 2009-01-02 21:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-01 13:14 . 2009-01-01 13:40 <DIR> d-------- C:\SDFix
2009-01-01 13:08 . 2009-01-01 13:08 <DIR> d-------- c:\windows\ERUNT
2009-01-01 12:24 . 2009-01-01 12:24 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-01 12:24 . 2009-01-01 12:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-01 12:24 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-01 12:24 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-01 12:20 . 2009-01-01 12:20 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
2009-01-01 09:52 . 2009-01-01 12:09 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-01 08:39 . 2009-01-01 08:39 <DIR> d-------- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-01 17:58 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-01 17:57 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-01 17:07 --------- d-----w c:\program files\Canon
2009-01-01 17:06 --------- d-----w c:\program files\Windows Live
2008-12-31 22:07 --------- d-----w c:\program files\SmashMash
2008-11-21 12:23 19,452 ----a-w c:\documents and settings\user\Application Data\fehabepa.vbs
2008-11-18 23:37 --------- d-----w c:\documents and settings\user\Application Data\Lavasoft
2008-11-18 23:17 15,939 ----a-w c:\windows\fune.vbs
2008-11-18 23:17 15,331 ----a-w c:\windows\venered.scr
2008-11-14 06:21 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2004-10-01 22:00 40,960 -c--a-w c:\program files\Uninstall_CDS.exe
2003-11-20 02:37 10,459 -c--a-w c:\program files\readme.txt
.

((((((((((((((((((((((((((((( snapshot@2009-01-02_ 8.50.05.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-13 22:03:36 410,976 ----a-w c:\windows\system32\deploytk.dll
+ 2009-01-03 06:17:11 410,984 ----a-w c:\windows\system32\deploytk.dll
+ 2009-01-03 05:02:08 26,824 ----a-w c:\windows\system32\drivers\avgmfx86.sys
+ 2009-01-03 06:17:11 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-01-03 06:17:11 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-03 06:17:11 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-03 20:15:18 16,384 ----atw c:\windows\temp\Perflib_Perfdata_718.dat
+ 2006-12-02 06:56:00 96,256 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 08:25:52 1,101,824 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 08:25:56 1,093,120 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 08:25:58 69,632 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 08:26:00 57,856 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 08:08:00 40,960 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 08:08:00 45,056 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 08:08:00 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 08:08:00 57,344 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 08:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 08:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 08:08:00 61,440 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 08:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 08:08:00 49,152 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 08:46:44 65,536 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-02 1261336]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-02 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IEEE 802.11g USB Wireless LAN Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IEEE 802.11g USB Wireless LAN Utility.lnk
backup=c:\windows\pss\IEEE 802.11g USB Wireless LAN Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
-ra--c--- 2004-12-28 14:01 544768 c:\windows\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
-ra--c--- 2003-05-07 00:32 36864 c:\windows\system32\VTTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\MsnMsgr .Exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2009-01-02 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-01-02 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-02 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2009-01-02 76040]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN(WLAN);c:\windows\system32\DRIVERS\zd1211u.sys [2007-08-01 280064]
.
Contents of the 'Scheduled Tasks' folder

2009-01-03 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-03 12:16:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-03 12:19:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-03 20:18:57
ComboFix2.txt 2009-01-03 06:03:53
ComboFix3.txt 2009-01-03 04:28:37
ComboFix4.txt 2009-01-02 16:51:14

Pre-Run: 31,642,542,080 bytes free
Post-Run: 31,690,530,816 bytes free

179 --- E O F --- 2008-12-31 23:04:06



#25
January 3, 2009 at 10:08:20
That looks good. How is the computer operating?


#26
January 3, 2009 at 10:18:30
It works great. Thank you very much again. I just have one more question: I won't harm or ruin my computer if I remove all the programs which I just downloaded, right?


#27
January 3, 2009 at 10:23:48
Navigate to and delete this folder:

C:\SDFix

Empty the recycle bin.

Delete the registry search tools from your desktop.

Go to Start > Run > type in combofix /u (note the space after combofix), then press Enter > Run. This will uninstall ComboFix, so give the uninstaller a minute to run.

Go to start> control panel> add/remove programs and uninstall these programs:

Hijack This

Malwarebytes

Kaspersky

You should keep ATF Cleaner and run it weekly.


You should consider adding "SpywareBlaster" to your arsenal of antispyware tools; you can download it from this link: Spywareblaster

Just download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and it re-writes malicious script before it can install on your computer. Look for updates weekly, as there is no auto-update on the free version.

Glad we could help.

