I may have deleted the first ComboFix I ran; I only see the two, 10/31 and 12/04, plus the one that quarantines something, which I included in the middle. The latter one I ran doesn't complete; it drops the memory or something and reboots before completion, so that is all that is in the text file. I will try again now after shutting off as much as I can and see if I can get it to complete the scan.
ComboFix 07-10-29.1 - bjdonis 10/31/2007 0:33:58.1 -
FAT32x86
Running from: C:\Documents and Settings\bjdonis\Local Settings\Temporary Internet Files\Content.IE5\E1YH4NK7\ComboFix[1].exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Microsoft Security Adviser
C:\WINNT\Help\access.hlp
C:\WINNT\Help\verifier.hlp
C:\WINNT\sys.log
C:\WINNT\system32\drivers\atmapi.sys
C:\WINNT\system32\nvrssl.dll
.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.
2007-10-31 00:32 51,200 --a------ C:\WINNT\NirCmd.exe
2007-10-31 00:01 <DIR> d-------- C:\New Folder
2007-10-31 00:00 <DIR> d-------- C:\Hijack This
2007-10-30 20:58 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-30 18:53 1,270 --a------ C:\WINNT\system32\tmp.reg
2007-10-30 18:45 <DIR> d-------- C:\VundoFix Backups
2007-10-30 13:57 403,216 --a------ C:\WINNT\system32\dllcache\user32.dll
2007-10-30 13:57 178,688 --a------ C:\syswpsv.exe
2007-10-30 13:52 27,136 --a------ C:\WINNT\shwol.dll
2007-09-30 23:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-20 22:10 <DIR> d-------- C:\Program Files\Citrix
2007-09-20 22:10 <DIR> d-------- C:\Documents and Settings\bjdonis\Application Data\ICAClient
2007-09-20 22:06 46,744 --a------ C:\WINNT\system32\drivers\odptdi.sys
2007-09-20 22:05 <DIR> d-------- C:\Documents and Settings\bjdonis\Application Data\Aventail
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll
2007-08-15 15:16 5,166 --sh--w C:\SUHDLOG.DAT
2007-08-14 17:44 271 ---h--w C:\Program Files\desktop.ini
2007-08-14 17:44 21,952 ---h--w C:\Program Files\folder.htt
2007-08-14 15:36 45,056 --sha-w C:\VIDEOROM.BIN
2007-07-31 01:19 92,504 ----a-w C:\WINNT\system32\dllcache\cdm.dll
2007-07-31 01:19 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-07-31 01:19 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-07-31 01:19 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-07-31 01:19 53,080 ----a-w C:\WINNT\system32\dllcache\wuauclt.exe
2007-07-31 01:19 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-07-31 01:19 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-07-31 01:19 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-07-31 01:19 1,712,984 ----a-w C:\WINNT\system32\wuaueng.dll
2007-07-31 01:19 1,712,984 ----a-w C:\WINNT\system32\dllcache\wuaueng.dll
2007-07-31 01:18 33,624 ----a-w C:\WINNT\system32\wups.dll
2003-06-19 20:05 403,216 ----a-w C:\WINNT\system32\irtexqb
2002-07-24 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
C:\WINNT\system32\user32.dll ... is infected !! (additional data below)
403,216 2007-10-30 19:57:40 C:\WINNT\system32\user32.dll
403,216 2007-10-30 19:57:40 C:\WINNT\system32\dllcache\user32.dll
403,216 2003-06-19 20:05:04 C:\WINNT\ServicePackFiles\i386\user32.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05-05-31 01:04 ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
C:\Documents and Settings\bjdonis\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2005-01-14 15:06:58]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Brother SmartUI PopUp.lnk - C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe [2007-08-15 11:16:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
R1 Odptdi;Odptdi;\??\C:\WINNT\system32\drivers\odptdi.sys
R2 BrSerial;Brother Serial Driver;\??\C:\WINNT\system32\drivers\BrSerial.sys
R3 chips;chips;C:\WINNT\system32\DRIVERS\chipsm5.sys
R3 ess;ESS Audio Driver (WDM);C:\WINNT\system32\drivers\ess.sys
R3 N100;Compaq Ethernet or Fast Ethernet NIC NT Driver;C:\WINNT\system32\DRIVERS\n100nt5.sys
.
**************************************************************************
catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-10-31 00:45:03
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-31 0:46:22 - machine was rebooted
.
--- E O F ---
07-10-30 13:57 142848 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\nvrssl.dll.vir
07-10-30 13:58 106 --a------ C:\Qoobox\Quarantine\C\WINNT\sys.log.vir
07-10-30 14:25 218 --a------ C:\Qoobox\Quarantine\C\WINNT\system32\drivers\atmapi.sys.vir
07-10-30 14:25 56832 --a------ C:\Qoobox\Quarantine\C\WINNT\Help\access.hlp.vir
07-10-30 14:25 61440 --a------ C:\Qoobox\Quarantine\C\WINNT\Help\verifier.hlp.vir
Folder PATH listing
Volume serial number is 0006FE80 4310:1012
C:\QOOBOX\QUARANTINE
+---Registry_backups
\---C
    \---WINNT
        |   sys.log.vir
        |
        +---Help
        |       access.hlp.vir
        |       verifier.hlp.vir
        |
        \---system32
            |   nvrssl.dll.vir
            |
            \---drivers
                    atmapi.sys.vir
ComboFix 07-12-02.6 - bjdonis 2007-12-04 13:01:47.3 -
FAT32x86
Running from: C:\Documents and Settings\bjdonis\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\bjdonis\Desktop\Live Safety Center.lnk
C:\Documents and Settings\bjdonis\Desktop\Online Security Guide.lnk
C:\Documents and Settings\bjdonis\Favorites\Online Security Guide.lnk
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINNT\system32\a1
C:\WINNT\system32\bthnngid.dll
C:\WINNT\system32\g2
C:\WINNT\system32\g2\caws83122.exe
C:\WINNT\system32\h1
C:\WINNT\system32\ktcsuwj.dll
C:\WINNT\system32\lkkkj.bak1
C:\WINNT\system32\lkkkj.bak2
C:\WINNT\system32\lkkkj.ini
C:\WINNT\system32\nizkqfwi.dllbox
C:\WINNT\system32\pac.txt
C:\WINNT\system32\r2
C:\WINNT\system32\v8
C:\WINNT\system32\v8\taldrvr11.exe
C:\WINNT\TTC-4444.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.
2007-12-04 13:02 . 07-12-04 13:02 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_380.dat
2007-12-04 12:56 . 07-12-04 12:56 <DIR> d-------- C:\FOUND.000
2007-11-30 02:29 . 07-12-03 17:52 642,752 ---h----- C:\WINNT\ShellIconCache
2007-11-19 22:44 . 07-11-19 22:44 <DIR> d-------- C:\WINNT\system32\BITS
2007-11-12 11:07 . 07-11-12 11:07 11,736 --a------ C:\Documents and Settings\bjdonis\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 09:49 . 07-11-07 10:19 136 --ah----- C:\aaw7boot.cmd
2007-11-06 11:48 . 07-11-06 11:48 <DIR> dr-h----- C:\$VAULT$.AVG
2007-11-06 11:32 . 07-11-06 11:32 <DIR> d-------- C:\Documents and Settings\bjdonis\Application Data\AVG7
2007-11-06 11:31 . 07-11-06 11:31 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\AVG7
2007-11-06 11:30 . 07-11-06 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-06 11:30 . 07-11-06 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-06 11:30 . 07-11-06 11:30 26,944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2007-11-06 00:27 . 07-11-06 00:27 24,576 --a------ C:\WINNT\system32\VundoFixSVC.exe
2007-11-05 23:59 . 07-11-11 10:08 589,626 ---hs---- C:\WINNT\system32\qjdbbgwn.ini
2007-11-05 23:59 . 07-11-05 23:59 294 ---hs---- C:\WINNT\system32\jtpxgnvs.ini
2007-11-04 13:36 . 07-11-04 13:36 <DIR> d--hs---- C:\WINNT\Ympkb25pcw
2007-11-04 13:34 . 07-11-04 13:34 <DIR> d-------- C:\WINNT\system32\Mz02r
2007-11-04 13:34 . 07-11-04 13:34 <DIR> d-------- C:\Temp\mZOr
2007-11-04 13:34 . 07-11-04 13:34 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 17:15 246 ----a-w C:\Program Files\Common Files\quba
2007-10-31 02:58 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\user32.dll
2007-10-30 19:57 403,216 ----a-w C:\WINNT\system32\dllcache\user32.dll
2007-08-14 17:44 271 ---h--w C:\Program Files\desktop.ini
2007-08-14 17:44 21,952 ---h--w C:\Program Files\folder.htt
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\rteke.html
2002-07-24 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-07-29 22:24 472 --sha-r C:\WINNT\Ympkb25pcw\sAD4vZcDwT.vbs
.
C:\WINNT\system32\user32.dll ... is infected !! (additional data below)
403,216 2007-10-30 19:57:40 C:\WINNT\system32\user32.dll
403,216 2007-10-30 19:57:40 C:\WINNT\system32\dllcache\user32.dll
403,216 2003-06-19 20:05:04 C:\WINNT\ServicePackFiles\i386\user32.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09985909-06B9-4005-A4CF-1C9C6E1690AA}]
C:\Program Files\PLUS!\meposybi4444.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CFCC577-EA60-4A9C-8980-BB486556BA61}]
C:\Program Files\Common Files\quba.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49D35D4F-4738-41FE-A616-77D4947520AA}]
C:\WINNT\system32\jkkkl.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8652D896-3C1F-4182-9400-B172A853AE58}]
C:\Program Files\PLUS!\meposybi83122.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"431010bd"="C:\WINNT\system32\nwgbbdjq.dll" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07-11-06 11:30 ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [07-11-06 11:30 ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 ]
C:\Documents and Settings\bjdonis\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2005-01-14 15:06:58]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Brother SmartUI PopUp.lnk - C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe [2007-08-15 11:16:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywvu]
yayywvu.dll
This is the last entry when I do the Ctrl-A.