Ready for next step

Post by julie0527 » December 31st, 2007, 12:53 am

Link to previous post:
http://www.malwareremoval.com/forum/viewtopic.php?f=12&t=25707&p=249600#p249600

We have copied all the data files to an external hard drive. We are unable to download combofix because it locks up when it is not in safemode. Should our next step be to reformat the hard drive? Thank you for your help!
julie0527
Regular Member
 
Posts: 22
Joined: November 30th, 2007, 8:35 am

Re: Ready for next step

Post by Katana » January 3rd, 2008, 10:33 pm

Hi Julie, sorry for the delay.

I thought you wanted to try and clean?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Ready for next step

Post by julie0527 » January 5th, 2008, 12:09 pm

I would like to try and clean it still. It is now locking up when I try to start it up. What should my next step be? I really need it working soon. Thanks for your help!
julie0527
Regular Member
 
Posts: 22
Joined: November 30th, 2007, 8:35 am

Re: Ready for next step

Post by Katana » January 5th, 2008, 6:29 pm

Try and run the following tool in normal mode.
If you can't boot the machine in normal mode then run it in safe mode.

Download and Run ComboFix
  • Download ComboFix from one of the links below:

    ComboFix.exe 1
    ComboFix.exe 2
    ComboFix.exe 3

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
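
The ComboFix log that Julie posts further down this thread is long, but most of what a helper reads out of it comes down to a few patterns: dozens of eight-letter random DLL and INI names under system32, one stem (hhhkj) recurring with .bak1/.ini/.tmp variants, a Browser Helper Object loading a DLL from system32 (the same d3dx9_2.dll that the Symantec scan later flags), and an R0 driver service whose image is a .dat file with an empty [] where the timestamp would be. The Python script below is an added example, not part of this thread and not ComboFix's own code: it parses an excerpt written in the log's layout and flags those four patterns. The excerpt is constructed here from lines copied out of the posted log, and the heuristics (a stem of exactly eight lowercase letters, three or more extensions on one stem, an empty timestamp on a service line) are this example's assumptions, chosen to match what this particular log shows rather than general ComboFix rules.

```python
import re
from collections import defaultdict

# Constructed excerpt in ComboFix's log layout: the paths are copied from the log
# posted in this thread; the section banners are shortened but keep their shape.
SAMPLE_LOG = r"""
(((((((((((((( Other Deletions ))))))))))))))
---- Previous Run -------
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\acbsmprl.dll
C:\WINDOWS\SYSTEM32\aaqdvolk.ini
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\SYSTEM32\hhhkj.tmp
C:\WINDOWS\system32\win
.
(((((((((((((( Reg Loading Points ))))))))))))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B79BC28-8906-4E91-8A2F-1171A146DA33}]
2005-07-22 19:59 98816 --a------ C:\WINDOWS\system32\d3dx9_2.dll

R0 lbzemkha;lbzemkha;C:\WINDOWS\system32\drivers\iowacykc.dat []
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 12:51]
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")          # "(((( Name ))))" banners
SYS32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\([^\\]+)$", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")   # assumption: 8 lowercase letters, as in this log
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*?)\]\s*$")  # R0 a;b;img [ts]
LOAD_POINT_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
PATH_AT_END_RE = re.compile(r"([A-Za-z]:\\[^\[\]]+?\.(?:dll|exe))\s*$", re.IGNORECASE)


def split_sections(log: str) -> dict:
    """Group non-empty, non-'.' lines under the banner that precedes them."""
    sections, current = {}, "header"
    for raw in log.splitlines():
        line = raw.rstrip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections.setdefault(current, []).append(line)
    return sections


def random_system32_files(lines: list) -> list:
    """Paths directly under system32 whose name stem is eight lowercase letters."""
    hits = []
    for line in lines:
        m = SYS32_RE.match(line)
        if m:
            stem = m.group(1).rpartition(".")[0] or m.group(1)  # handles names with no extension
            if RANDOM_STEM_RE.match(stem):
                hits.append(line)
    return hits


def stem_clusters(lines: list, min_variants: int = 3) -> dict:
    """System32 stems that recur with several extensions (.ini/.bak1/.tmp in this log)."""
    variants = defaultdict(set)
    for line in lines:
        m = SYS32_RE.match(line)
        if m and "." in m.group(1):
            stem, ext = m.group(1).lower().rsplit(".", 1)
            variants[stem].add(ext)
    return {s: sorted(e) for s, e in variants.items() if len(e) >= min_variants}


def undated_services(lines: list) -> list:
    """Driver/service entries whose image file shows an empty [] timestamp."""
    hits = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if m and not m.group(5).strip():
            hits.append({"start": m.group(1), "name": m.group(2), "image": m.group(4)})
    return hits


def bho_targets(lines: list) -> list:
    """(CLSID, DLL path) for each Browser Helper Object key and the file line after it."""
    targets = []
    for i, line in enumerate(lines[:-1]):
        key = LOAD_POINT_RE.match(line)
        if key and "Browser Helper Objects" in key.group(1):
            path = PATH_AT_END_RE.search(lines[i + 1])
            if path:
                targets.append((key.group(1).rsplit("\\", 1)[-1], path.group(1)))
    return targets


def analyze(log: str) -> dict:
    """Run all four checks over the sections they apply to."""
    s = split_sections(log)
    deletions, load_points = s.get("Other Deletions", []), s.get("Reg Loading Points", [])
    return {"random_named": random_system32_files(deletions),
            "stem_clusters": stem_clusters(deletions),
            "undated_services": undated_services(load_points),
            "bho": bho_targets(load_points)}


if __name__ == "__main__":
    for check, found in analyze(SAMPLE_LOG).items():
        print(f"{check}: {found}")
```

Run as a script it prints the four findings for the embedded excerpt; pointing analyze() at a full pasted log is a quick way to triage a deletion list of this size before reading it line by line. The checks are a reading aid only; nothing here decides what to delete.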

Re: Ready for next step

Post by julie0527 » January 6th, 2008, 6:24 pm

It's not allowing us to download anything. When we click on the 1st and 3rd ComboFix links a box pops up that says "Security Alert" (yellow triangle with a ! inside): "Your current security settings do not allow this file to be downloaded."

The 2nd ComboFix link does open but opens a site that is in Spanish.

How do we change the security settings to download a file? We think it's from the virus. Our privacy settings are set at medium and we have unblocked popups. It will not let us lower our security level zone below medium. We made sure it is enabled to download files under the security tab. Restricted sites is on high but it won't let me change that.

I can't open ComboFix on this computer because it's my husband's work computer. Thank you!
Last edited by julie0527 on January 6th, 2008, 6:39 pm, edited 1 time in total.
julie0527
Regular Member
 
Posts: 22
Joined: November 30th, 2007, 8:35 am

Re: Ready for next step

Post by Katana » January 6th, 2008, 6:39 pm

Do you have any way of transferring files from another PC?
A USB drive, or floppy

If yes, then download Combofix on a different machine and then transfer it to the infected one.
If you can't do this let me know.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Ready for next step

Post by julie0527 » January 6th, 2008, 6:40 pm

Will it hurt my husband's work computer? If not then I can do that.
julie0527
Regular Member
 
Posts: 22
Joined: November 30th, 2007, 8:35 am

Re: Ready for next step

Post by Katana » January 6th, 2008, 6:44 pm

Which machine is infected, the work computer or the home computer?

It won't hurt to download it on the work computer; it doesn't run automatically.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Ready for next step

Post by julie0527 » January 6th, 2008, 6:47 pm

Okay great! We'll do that right now. The home computer is infected and the work one is clean.
julie0527
Regular Member
 
Posts: 22
Joined: November 30th, 2007, 8:35 am

Re: Ready for next step

Post by julie0527 » January 6th, 2008, 9:56 pm

Here is the ComboFix log and the Symantec results from after ComboFix, since we can't download HijackThis:


ComboFix 08-01-04.1 - Matthew 2008-01-06 18:28:38.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.792 [GMT -5:00]
Running from: F:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Matthew\Application Data\WinAntiSpyware 2007
C:\Documents and Settings\Matthew\Application Data\WinAntiSpyware 2007\Logs\update.log
C:\Documents and Settings\Matthew\err.log
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\SYSTEM32\aaqdvolk.ini
C:\WINDOWS\system32\acbsmprl.dll
C:\WINDOWS\system32\ajtiwbsn.dll
C:\WINDOWS\SYSTEM32\ajvjssch.ini
C:\WINDOWS\system32\akwfrows.dll
C:\WINDOWS\SYSTEM32\amcsokxd.ini
C:\WINDOWS\SYSTEM32\annxvtql.ini
C:\WINDOWS\system32\ardjfeyu.dll
C:\WINDOWS\SYSTEM32\awdirybr.ini
C:\WINDOWS\SYSTEM32\bayjvfur.ini
C:\WINDOWS\system32\bdiiordw.dll
C:\WINDOWS\system32\bdrfbcdu.dll
C:\WINDOWS\SYSTEM32\beertybo.ini
C:\WINDOWS\SYSTEM32\bhtjiopo.ini
C:\WINDOWS\SYSTEM32\biwnxxxp.ini
C:\WINDOWS\SYSTEM32\bnqjisne.ini
C:\WINDOWS\system32\bruvciio.dll
C:\WINDOWS\system32\bwvblijl.dll
C:\WINDOWS\SYSTEM32\cahritkt.ini
C:\WINDOWS\system32\cbvlwsxv.dll
C:\WINDOWS\system32\cmybudfd.dll
C:\WINDOWS\system32\cpeyeajl.dll
C:\WINDOWS\SYSTEM32\cpssethd.ini
C:\WINDOWS\SYSTEM32\cvfebufq.ini
C:\WINDOWS\SYSTEM32\cwnskrcg.ini
C:\WINDOWS\SYSTEM32\cxegktoo.ini
C:\WINDOWS\SYSTEM32\dbcouxgx.ini
C:\WINDOWS\SYSTEM32\degqmftw.ini
C:\WINDOWS\system32\dhtesspc.dll
C:\WINDOWS\SYSTEM32\drqvvrbo.ini
C:\WINDOWS\system32\dthtsukq.dll
C:\WINDOWS\system32\dxkoscma.dll
C:\WINDOWS\SYSTEM32\dxkplfcj.ini
C:\WINDOWS\SYSTEM32\edyuqsio.ini
C:\WINDOWS\SYSTEM32\eicijgyv.ini
C:\WINDOWS\SYSTEM32\ejenrpje.ini
C:\WINDOWS\system32\ejprneje.dll
C:\WINDOWS\SYSTEM32\ejqyuexw.ini
C:\WINDOWS\SYSTEM32\emaosver.ini
C:\WINDOWS\system32\ensijqnb.dll
C:\WINDOWS\SYSTEM32\epbktlcx.ini
C:\WINDOWS\SYSTEM32\epdrplqy.ini
C:\WINDOWS\SYSTEM32\eqfykjhq.ini
C:\WINDOWS\system32\esanaxvs.dll
C:\WINDOWS\SYSTEM32\essfgxai.ini
C:\WINDOWS\SYSTEM32\etxbnrpf.ini
C:\WINDOWS\SYSTEM32\ffiuxshx.ini
C:\WINDOWS\system32\fprnbxte.dll
C:\WINDOWS\system32\fwpdfanc.dll
C:\WINDOWS\system32\gbgdwpau.dll
C:\WINDOWS\system32\gcrksnwc.dll
C:\WINDOWS\SYSTEM32\gqbiylcm.ini
C:\WINDOWS\system32\gxcyyyrj.dll
C:\WINDOWS\system32\hcssjvja.dll
C:\WINDOWS\SYSTEM32\hhhkj.bak1
C:\WINDOWS\SYSTEM32\hhhkj.bak2
C:\WINDOWS\SYSTEM32\hhhkj.ini
C:\WINDOWS\SYSTEM32\hhhkj.ini2
C:\WINDOWS\SYSTEM32\hhhkj.tmp
C:\WINDOWS\system32\hhvadehk.dll
C:\WINDOWS\SYSTEM32\hlutcwap.ini
C:\WINDOWS\SYSTEM32\hqpmvyev.ini
C:\WINDOWS\system32\iaxgfsse.dll
C:\WINDOWS\SYSTEM32\ijstncwi.ini
C:\WINDOWS\SYSTEM32\ikwpyefj.ini
C:\WINDOWS\SYSTEM32\inelbiys.ini
C:\WINDOWS\SYSTEM32\irofneiw.ini
C:\WINDOWS\system32\isimbisw.dll
C:\WINDOWS\SYSTEM32\isskjydu.ini
C:\WINDOWS\system32\itkdekkp.dll
C:\WINDOWS\system32\iucscqfx.dll
C:\WINDOWS\system32\iusqnghq.dll
C:\WINDOWS\system32\iwcntsji.dll
C:\WINDOWS\SYSTEM32\ixcomiyv.ini
C:\WINDOWS\system32\jcflpkxd.dll
C:\WINDOWS\system32\jfeypwki.dll
C:\WINDOWS\system32\jkxjycln.dll
C:\WINDOWS\system32\jkypgtgk.dll
C:\WINDOWS\system32\jofdkfsy.dll
C:\WINDOWS\SYSTEM32\jryyycxg.ini
C:\WINDOWS\system32\jyvppkgt.dll
C:\WINDOWS\SYSTEM32\kgtgpykj.ini
C:\WINDOWS\SYSTEM32\khedavhh.ini
C:\WINDOWS\system32\kjmytrdv.dll
C:\WINDOWS\system32\klovdqaa.dll
C:\WINDOWS\system32\ktofpqlw.dll
C:\WINDOWS\SYSTEM32\ktvvwqdy.ini
C:\WINDOWS\system32\kundbjcs.dll
C:\WINDOWS\system32\kvhoqsqq.dll
C:\WINDOWS\system32\kwhyewpq.dll
C:\WINDOWS\system32\kxaeytkx.dll
C:\WINDOWS\SYSTEM32\lakyyyqs.ini
C:\WINDOWS\SYSTEM32\ljaeyepc.ini
C:\WINDOWS\SYSTEM32\ljilbvwb.ini
C:\WINDOWS\system32\lnlblkjp.dll
C:\WINDOWS\SYSTEM32\loiuybsr.ini
C:\WINDOWS\system32\lqtvxnna.dll
C:\WINDOWS\SYSTEM32\lrpmsbca.ini
C:\WINDOWS\system32\lxjwknap.dll
C:\WINDOWS\system32\mclyibqg.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\medoevbt.ini
C:\WINDOWS\system32\moauokmt.dll
C:\WINDOWS\SYSTEM32\muqhbwew.ini
C:\WINDOWS\system32\nikblfqo.dll
C:\WINDOWS\system32\nkrmnkio.dll
C:\WINDOWS\SYSTEM32\nlcyjxkj.ini
C:\WINDOWS\SYSTEM32\nsbwitja.ini
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\obrvvqrd.dll
C:\WINDOWS\system32\obytreeb.dll
C:\WINDOWS\SYSTEM32\oiknmrkn.ini
C:\WINDOWS\system32\oisquyde.dll
C:\WINDOWS\system32\ootkgexc.dll
C:\WINDOWS\system32\opoijthb.dll
C:\WINDOWS\SYSTEM32\oqflbkin.ini
C:\WINDOWS\system32\orqygtfw.dll
C:\WINDOWS\SYSTEM32\pankwjxl.ini
C:\WINDOWS\system32\pawctulh.dll
C:\WINDOWS\system32\pffiivox.dll
C:\WINDOWS\SYSTEM32\pjklblnl.ini
C:\WINDOWS\SYSTEM32\pkkedkti.ini
C:\WINDOWS\system32\plxbqbxy.dll
C:\WINDOWS\system32\pqenkqeu.dll
C:\WINDOWS\system32\pxxxnwib.dll
C:\WINDOWS\system32\qfubefvc.dll
C:\WINDOWS\SYSTEM32\qhgnqsui.ini
C:\WINDOWS\system32\qhjkyfqe.dll
C:\WINDOWS\SYSTEM32\qkusthtd.ini
C:\WINDOWS\SYSTEM32\qpweyhwk.ini
C:\WINDOWS\SYSTEM32\qqsqohvk.ini
C:\WINDOWS\system32\rbyridwa.dll
C:\WINDOWS\system32\revsoame.dll
C:\WINDOWS\system32\rsbyuiol.dll
C:\WINDOWS\system32\rufvjyab.dll
C:\WINDOWS\SYSTEM32\scjbdnuk.ini
C:\WINDOWS\SYSTEM32\sclufcww.ini
C:\WINDOWS\system32\snpqthvx.dll
C:\WINDOWS\SYSTEM32\sqltsskv.ini
C:\WINDOWS\system32\sqyyykal.dll
C:\WINDOWS\SYSTEM32\svxanase.ini
C:\WINDOWS\SYSTEM32\sworfwka.ini
C:\WINDOWS\system32\syibleni.dll
C:\WINDOWS\system32\tbveodem.dll
C:\WINDOWS\SYSTEM32\tficjqiv.ini
C:\WINDOWS\SYSTEM32\tgkppvyj.ini
C:\WINDOWS\system32\tktirhac.dll
C:\WINDOWS\SYSTEM32\tmkouaom.ini
C:\WINDOWS\SYSTEM32\uapwdgbg.ini
C:\WINDOWS\SYSTEM32\uasxfkew.ini
C:\WINDOWS\SYSTEM32\udcbfrdb.ini
C:\WINDOWS\system32\udyjkssi.dll
C:\WINDOWS\SYSTEM32\ueqkneqp.ini
C:\WINDOWS\SYSTEM32\uyefjdra.ini
C:\WINDOWS\system32\vablmsix.dll
C:\WINDOWS\SYSTEM32\vdrtymjk.ini
C:\WINDOWS\system32\veyvmpqh.dll
C:\WINDOWS\system32\viqjcift.dll
C:\WINDOWS\system32\vksstlqs.dll
C:\WINDOWS\SYSTEM32\vxswlvbc.ini
C:\WINDOWS\system32\vygjicie.dll
C:\WINDOWS\system32\vyimocxi.dll
C:\WINDOWS\SYSTEM32\wdroiidb.ini
C:\WINDOWS\system32\wekfxsau.dll
C:\WINDOWS\system32\wewbhqum.dll
C:\WINDOWS\SYSTEM32\wftgyqro.ini
C:\WINDOWS\system32\wienfori.dll
C:\WINDOWS\system32\win
C:\WINDOWS\SYSTEM32\wlqpfotk.ini
C:\WINDOWS\system32\wpyhybxx.dll
C:\WINDOWS\system32\wrhqdbeh.dll
C:\WINDOWS\SYSTEM32\wsibmisi.ini
C:\WINDOWS\system32\wtfmqged.dll
C:\WINDOWS\system32\wwcfulcs.dll
C:\WINDOWS\system32\wxeuyqje.dll
C:\WINDOWS\system32\xcltkbpe.dll
C:\WINDOWS\SYSTEM32\xfqcscui.ini
C:\WINDOWS\system32\xgxuocbd.dll
C:\WINDOWS\system32\xhsxuiff.dll
C:\WINDOWS\SYSTEM32\xismlbav.ini
C:\WINDOWS\SYSTEM32\xktyeaxk.ini
C:\WINDOWS\SYSTEM32\xoviiffp.ini
C:\WINDOWS\SYSTEM32\xvhtqpns.ini
C:\WINDOWS\SYSTEM32\xxbyhypw.ini
C:\WINDOWS\system32\ydqwvvtk.dll
C:\WINDOWS\system32\yqlprdpe.dll
C:\WINDOWS\SYSTEM32\ysfkdfoj.ini
C:\WINDOWS\SYSTEM32\yxbqbxlp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService




((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 18:07 . 2008-01-06 18:07 <DIR> d-------- C:\WINDOWS\LastGood
2008-01-06 17:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-19 11:33 . 2007-12-19 11:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nova Development
2007-12-19 11:33 . 2007-12-19 11:33 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 11:10 . 2007-12-19 11:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ulead Systems
2007-12-18 23:33 . 2007-12-18 23:33 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-18 23:29 . 2007-12-18 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-12-18 23:28 . 2007-12-19 11:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-17 01:07 . 2007-12-17 01:07 129 --a------ C:\Shortcut to CD Drive.lnk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 02:00 --------- d-----w C:\Program Files\Quicken
2007-12-03 04:21 --------- d-----w C:\Program Files\McAfee
2007-12-03 04:21 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-03 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-30 01:18 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-29 21:49 --------- d-----w C:\Program Files\EsetOnlineScanner
2007-11-29 19:31 --------- d-----w C:\Documents and Settings\Matthew\Application Data\McAfee
2007-11-29 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-29 14:00 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-29 14:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2007-11-28 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-21 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\eBay
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-11 05:57 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-10-11 05:57 666,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-11 05:57 617,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-11 05:57 55,808 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-11 05:57 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-11 05:57 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-10-11 05:57 449,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-11 05:57 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-10-11 05:57 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-10-11 05:57 251,904 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-10-11 05:57 205,824 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-11 05:57 16,384 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-10-11 05:57 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-10-11 05:57 1,024,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-10-10 10:48 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2006-12-21 20:54 14,201 ----a-w C:\Program Files\INSTALL.LOG
2005-09-14 13:24 33,280 ----a-w C:\Program Files\EndProcess.exe
2004-04-21 03:55 1,760,378 ----a-w C:\Program Files\aaw6.exe
2004-03-14 22:48 2,800,777 ----a-w C:\Program Files\aucmak2.exe
2004-03-14 21:18 19,296,636 ----a-w C:\Program Files\PEERInstall.exe
2004-02-08 18:30 10 ----a-w C:\Program Files\Notes.txt
2004-02-08 18:07 336 ----a-w C:\Program Files\announce.txt
2004-02-07 03:26 5,864 ----a-w C:\Program Files\client.ini
2004-01-29 05:15 984 ----a-w C:\Program Files\popup.html
2004-01-28 15:47 1,800 ----a-w C:\Program Files\TabConfig.txt
2004-01-20 18:25 2,060,288 ----a-w C:\Program Files\PartyPoker.exe
2004-01-08 20:24 41 ----a-w C:\Program Files\RemoveGlobalMsg.txt
2004-01-08 20:23 205 ----a-w C:\Program Files\ResendGlobalMsg.txt
2004-01-05 01:46 3,371,040 ---h--r C:\Documents and Settings\Matthew\SYSTEM.DAT
2004-01-05 01:45 831,520 ---h--r C:\Documents and Settings\Matthew\USER.DAT
2004-01-05 01:45 3,833,888 ---h--r C:\Documents and Settings\Matthew\CLASSES.DAT
2003-12-12 15:26 28,352 ----a-w C:\Program Files\poker.bin
2003-07-03 23:13 498 ----a-w C:\Documents and Settings\Matthew\eReg.dat
2003-05-26 23:17 30 ----a-w C:\Documents and Settings\Matthew\INTURS.DAT
2003-05-13 18:20 8,224 ----a-w C:\Documents and Settings\Matthew\Application Data\GDIPFONTCACHEV1.DAT
2003-05-09 04:45 19,281 ----a-w C:\Documents and Settings\Matthew\War3Unin.dat
2003-05-04 04:41 11,310 ----a-w C:\Documents and Settings\Matthew\scunin.dat
2003-05-03 17:03 1,536 ----a-w C:\Documents and Settings\Matthew\TrueSoft.dat
2003-05-01 22:32 163,872 ---h--r C:\Documents and Settings\Matthew\HWINFO.DAT
2003-02-28 21:35 6,550 ----a-w C:\Documents and Settings\Matthew\JAUTOEXP.DAT
2002-06-14 17:33 96,256 ----a-w C:\Program Files\UnGins.exe
2002-05-24 06:49 869 ----a-w C:\Program Files\cards_sliding.wav
2002-05-24 06:49 679,936 ----a-w C:\Program Files\libeay32.dll
2002-05-24 06:49 5,004 ----a-w C:\Program Files\tap.wav
2002-05-24 06:49 147,456 ----a-w C:\Program Files\ssleay32.dll
2002-05-23 11:25 147,728 ----a-w C:\Program Files\ASYCFILT.DLL
2002-05-18 03:45 9,946 ----a-w C:\Program Files\mouse_move.wav
2002-05-18 03:45 80,856 ----a-w C:\Program Files\ding.wav
2002-05-18 03:45 7,362 ----a-w C:\Program Files\addchips.wav
2002-05-18 03:45 59,716 ----a-w C:\Program Files\firework3.wav
2002-05-18 03:45 2,561 ----a-w C:\Program Files\cards_dealing.wav
2002-05-18 03:45 16,544 ----a-w C:\Program Files\reminder.wav
2002-05-18 03:45 15,724 ----a-w C:\Program Files\ring.wav
2002-05-18 03:45 11,062 ----a-w C:\Program Files\chimes.wav
2002-05-18 03:45 1,687 ----a-w C:\Program Files\chips_sliding.wav
2001-11-29 19:58 456 ----a-w C:\Documents and Settings\Matthew\PTHSP.DAT
1999-06-22 05:45 57,344 ----a-w C:\Program Files\Zlib.dll
2006-05-29 01:40 80 --sh--r C:\WINDOWS\SYSTEM32\04DF4FF763.dll
2007-06-30 04:21 1,843,914 --sh--w C:\WINDOWS\SYSTEM32\fgjlm.bak1
2007-06-30 12:30 1,873,569 --sh--w C:\WINDOWS\SYSTEM32\fgjlm.ini2
2007-09-18 21:34 644 --sh--w C:\WINDOWS\SYSTEM32\mrxofpgb.ini2
2007-09-30 20:19 693,421 --sh--w C:\WINDOWS\SYSTEM32\obdekini.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B79BC28-8906-4E91-8A2F-1171A146DA33}]
2005-07-22 19:59 98816 --a------ C:\WINDOWS\system32\d3dx9_2.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-09-29 09:44 597104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-09-15 01:00 126976]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 10:18 49152]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 17:45 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 02:56 11776 C:\WINDOWS\SYSTEM32\regsvr32.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05 53248]
"TgAddServer"="c:\@Home\tioga\bin\tgfix /fds http://www/download/tioga" [ ]
"Tgcmd"="c:\@Home\tioga\bin\tgcmd.exe" [2000-03-10 18:59 598016]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 19:46 270336]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [2004-01-20 11:45 1757184]
"PDUiP6000DMon"="C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 13:26 57344]
"PDUiP6000DTskbr"="C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 09:29 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-11 17:52 98304]
"Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2005-08-23 08:36 1110079]
"Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2005-08-23 08:22 188416]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-14 20:47 180269]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2007-07-06 07:00 438359]
"SSP Notifier"="C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe" [2006-07-12 11:44 20480]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGui.exe" [2007-07-28 09:32 1279336]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\
Picaboo.lnk - C:\Program Files\Picaboo\Picaboo\PicabooMain.exe [2007-04-04 12:10:52]
PictureProject In Touch.lnk - C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe [2005-03-21 17:30:34]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-08 17:36:15]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Forget Me Not.lnk - C:\Program Files\Mindscape\CreataParty\PMREMIND.EXE [2005-10-10 20:24:47]
Gomez PEER.lnk - C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe [2004-03-14 16:19:25]
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2003-09-18 10:47:10]
KODAK Software Updater.lnk - C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-12-11 18:03:15]
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2006-12-21 16:11:39]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

R0 lbzemkha;lbzemkha;C:\WINDOWS\system32\drivers\iowacykc.dat []
S2 ptssvc;ptssvc;C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [2001-08-15 06:43]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 12:51]

*Newly Created Service* - DCFS2K
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 06:48:56 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-12-01 06:03:01 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 18:35:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-06 18:36:32
ComboFix-quarantined-files.txt 2008-01-06 23:36:23
.
2007-12-06 01:14:19 --- E O F ---

----------------------------------------------------------------------------------------

Symantec results:

247751 files scanned, 219 file(s) infected on your disk drives.


No viruses were detected in memory.

Your computer is free of known threats. Virus Detection does not check compressed files.

Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.

Warning! The scan detected a virus that is active in your computer's memory.
The scan ended to prevent further infection.

You should shut down your computer immediately and restart it with an antivirus rescue disk or similar tool.


Your computer is infected with at least one known virus or Trojan horse.

Note: The scan was cancelled before finishing. There may be more infected files on this computer.

C:\WINDOWS\SYSTEM32\A3.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\ACYPKEDR.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\ADSLD.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\ADSN.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\ADSND.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\AFOMBYLE.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\AJBYUCSE.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\AJIUWTMN.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\AJTIWBS.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\ATMLI.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\AVICA.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\AVXBRJNI.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\BDIIORD.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\BHOFTBUH.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\BIBHCVNO.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\BJKHTVUC.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\BKLULAXK.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\BKWJAPFF.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\BPDEIPGF.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\bpggtluh.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\BQTFEVKR.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\BRNOVEUJ.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\BROMXHIC.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\BROWSE.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\BTHC.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\BTYYBVYB.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\CGCQUJRC.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\CKMADMLD.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\CKSRSCET.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\CMCFG3.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\CNJYRCNY.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\CNMLM6.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\CONSOL.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\CPEYEAJ.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\cqowstgh.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\CTDPROX.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\CTMEDEN.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\CTOSUSE.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\cvufvasj.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\D3D8TH.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\D3DR.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\d3dx9_2.11 is infected with SecurityRisk.Downldr
C:\WINDOWS\SYSTEM32\d3dx9_2.dll is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\DAKJTQGF.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\DBGHEL.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\DCEIDMCW.0LL is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\DDIIPAPX.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\DEDICWIG.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\DFFJXHCE.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\DGTMPRNV.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\DHBAJFIB.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\DHULRBCM.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\DLPWEXAO.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\DMFPNTMX.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\DMTUIKYL.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\DNBOUAXO.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\DNLHGALH.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\DNPFDPBJ.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\DPCUETXY.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\DQHPUYDB.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\DUTFJJKX.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\DYOFSJST.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\EACKWXQR.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\EFAUGRXJ.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\EJOHYADK.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\EMGWTKVC.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\enpvread.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\EQXYAKSX.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\EWDNECWI.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\FBUPQUET.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\FIMILHLD.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\FKCTXGEK.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\FMVPHYFU.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\FNPXBDPA.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\FOXDOGLE.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\fybopbkg.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\GBXQVOJQ.0LL is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\GLFXVOSQ.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\GTFQLXOR.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\GWSOSXSW.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\GXINAMPX.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\hamjmuqg.dll is infected with Trojan.Zlob
C:\WINDOWS\SYSTEM32\HBGEAOMD.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\HCVESQER.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\HEHGIKHC.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\HNIQOLHK.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\HNNVQCKV.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\HRQLEYUK.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\ILGDQHQY.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\IMSXTBHK.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\INYVEDJP.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\JAHNYAYL.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\JAYACIGU.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\JCPBXLMI.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\JGMRJHUU.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\JKDYERWL.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\JNWXRCWX.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\JQWEEVYN.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\KBCRYHBW.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\KCJWGBXU.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\KCYDIGLT.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\KOSNSXMN.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\KPNFOSUI.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\kskfhhqg.dll is infected with Trojan.Zlob
C:\WINDOWS\SYSTEM32\KSMRHCTD.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\KVGCXOJD.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\LESMTRQS.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\LFOOGUNF.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\LGUOEOUN.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\LJOWSFHG.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\lxjygbrm.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\MHKYHRPU.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\MMWDNKFQ.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\MSXJVBTE.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\muxgcjtq.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\NEVRRUHG.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\NIUOGRKJ.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\NMJDNTXN.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\NOYKBQWP.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\NPSPFJDU.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\NQDMVTVS.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\NREETITT.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\NSUEIQAS.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\OIPBOVQK.0LL is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\ORRABPCF.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\ORVMPEHP.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\OVWGTQAT.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\PEITOHKX.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\PFORILOC.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\PGCNCGOK.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\PGINAADV.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\PHCIMYRD.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\PKFMJUOG.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\PMBBAREW.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\PQBMXQQL.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\PUEWBBOL.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\PURYUKWD.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\PXEVUDRO.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\PXUWFAKR.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\QBQMVUWQ.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\QJGDBASM.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\QLRCLLGW.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\QNPECMLR.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\QNPGUBIA.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\QOWTAOGV.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\QPTREWHG.0LL is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\qrwksbpe.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\QURYURYQ.0LL is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\QVNWEJXV.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\QXCBPWWX.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\RBRNIOOW.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\rcvwvtrr.dll is infected with Trojan.Zlob
C:\WINDOWS\SYSTEM32\RFSGHWCW.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\RJJYMAXI.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\RMODASBH.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\rowthwjg.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\RQENJDLK.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\rtmcvrgk.dll is infected with Trojan.Zlob
C:\WINDOWS\SYSTEM32\RXDIITCD.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\RYJGFCTV.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\SCUWVDLY.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\SEGPWGIO.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\SHAQSUWK.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\STUMYUQT.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\SXSUDHUF.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\TAAWFBRD.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\TBQTEDDL.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\TCHWUPXA.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\TDLGOLSN.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\TIGNLUVJ.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\TKKILDIS.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\TNXQEYHP.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\TQCELJBC.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\TTFJHROT.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\TWGNGGTC.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\TWTPLUDA.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\UAJUWBSA.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\UASXVWWT.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\ubhpwagt.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\UCKXROGC.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\UDDWHLXY.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\UFSJARYY.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\UQSHQMPJ.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\USCCFQNV.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\UTVQRRSG.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\vbrjhsob.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\VCJUKORQ.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\VCNAUGDW.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\VCOGHMJC.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\voospell.dll is infected with Trojan.Zlob
C:\WINDOWS\SYSTEM32\vymjcoil.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\WCVRLIQJ.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\WDIFRVFG.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\WHLDMHBT.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\WHLXWSEL.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\WLQFHNAP.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\WPFLHIDE.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\WQJJPCYG.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\WRWLXCYP.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\WVJHFNAX.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\WYLJVQIW.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\XASMIEXP.0LL is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\XDUQCJKG.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\xlfmkhfl.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\XOLJOLQA.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\xtbndrad.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\XXJMVATI.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\YASLXQLF.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\YCWXIGIX.0LL is infected with Downloader
C:\WINDOWS\SYSTEM32\YFACCNNA.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\YFWSFVFL.0XE is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\ygdwdlqe.dll is infected with Trojan.Vundo
C:\WINDOWS\SYSTEM32\YPOGGOTH.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\YRAWEMXB.0XE is infected with Downloader
C:\WINDOWS\SYSTEM32\DRIVERS\HMEEWWYK.0YS is infected with Trojan Horse
C:\WINDOWS\SYSTEM32\DRIVERS\vidid35x9.sys is infected with Spyware.Apropos.C
C:\WINDOWS\Downloaded Program Files\MiniInstaller.exe is infected with Backdoor.Formador
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe is infected with Downloader.MisleadApp
C:\Program Files\Imastant\npf.sys is infected with Spyware.Apropos.C
julie0527
Regular Member
 
Posts: 22
Joined: November 30th, 2007, 8:35 am
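The scan listing above is the kind of output a helper turns into a removal list, and it has a pattern worth checking mechanically rather than by eye: nearly every detection is an 8-letter stem in SYSTEM32 with a mangled extension (.0LL, .0XE, .0YS), or a lower-case 8-letter .dll in the same folder. The Python below is an added example, not code from this thread or from Symantec or OTMoveIt. It parses "is infected with" lines, counts detections per family, flags paths matching that naming pattern, and emits a de-duplicated one-path-per-line list, the shape a move tool such as OTMoveIt takes in its paste box. The sample log is constructed from a few of the paths above plus one clean line; the two regexes are my heuristics, and legitimate 8-letter lower-case DLLs (browseui.dll, for instance) also match the second one, so the flag is a review queue, not a removal decision.

```python
import re
from collections import Counter

# Constructed sample in the format of the scan listing posted above: a few of its
# real paths plus one clean-file line to show that non-detections are ignored.
SAMPLE_SCAN_LOG = """\
C:\\WINDOWS\\SYSTEM32\\DDIIPAPX.0LL is infected with Trojan Horse
C:\\WINDOWS\\SYSTEM32\\DFFJXHCE.0XE is infected with Downloader
C:\\WINDOWS\\SYSTEM32\\DHBAJFIB.0XE is infected with Trojan.Vundo
C:\\WINDOWS\\SYSTEM32\\hamjmuqg.dll is infected with Trojan.Zlob
C:\\WINDOWS\\SYSTEM32\\DRIVERS\\HMEEWWYK.0YS is infected with Trojan Horse
C:\\Program Files\\Imastant\\npf.sys is infected with Spyware.Apropos.C
C:\\WINDOWS\\SYSTEM32\\kernel32.dll scanned, no threat found
"""

DETECTION_RE = re.compile(r"^(?P<path>.+?) is infected with (?P<name>.+?)\s*$")

# Naming heuristics (mine, derived from the listing): an 8-letter stem with a
# mangled DLL/EXE/SYS extension, or a lower-case 8-letter .dll. Both are
# assumptions about this infection's naming, not signatures from any vendor.
MANGLED_EXT_RE = re.compile(r"\\[A-Za-z]{8}\.0(LL|XE|YS)$", re.IGNORECASE)
LOWER8_DLL_RE = re.compile(r"\\[a-z]{8}\.dll$")


def parse_scan_log(text):
    """Return [(path, detection_name)] for every 'is infected with' line."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def count_by_family(hits):
    """How many files each detection name accounts for."""
    return Counter(name for _, name in hits)


def flag_random_names(paths):
    """Paths matching the dropper naming pattern. Legitimate 8-letter lower-case
    DLLs (browseui.dll, for example) also match LOWER8_DLL_RE, so treat this as a
    review queue, not a verdict; check against a known-good list before acting."""
    return [p for p in paths if MANGLED_EXT_RE.search(p) or LOWER8_DLL_RE.search(p)]


def build_move_list(hits):
    """De-duplicated, order-preserving list, one path per line: the shape a
    move tool's paste box expects. Case-insensitive because NTFS paths are."""
    seen, out = set(), []
    for path, _ in hits:
        key = path.lower()
        if key not in seen:
            seen.add(key)
            out.append(path)
    return "\n".join(out)


if __name__ == "__main__":
    hits = parse_scan_log(SAMPLE_SCAN_LOG)
    for family, n in count_by_family(hits).most_common():
        print(f"{n:3d}  {family}")
    print("\nflagged by naming pattern:")
    for p in flag_random_names([p for p, _ in hits]):
        print("  " + p)
    print("\nmove list:\n" + build_move_list(hits))
```

Run it against the full listing by pasting the scanner's output into SAMPLE_SCAN_LOG; the family counts tell you at a glance whether you are looking at one dropper campaign (Vundo plus its Downloader payloads here) or several unrelated infections, which changes whether a scripted clean-up is realistic.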

Re: Ready for next step

Post by Katana » January 7th, 2008, 7:25 am

Did Symantec remove any of the files or did it just scan them ?


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\Program Files\popup.html
    C:\Program Files\PartyPoker.exe
    C:\Program Files\poker.bin
    C:\Program Files\cards_sliding.wav
    C:\Program Files\tap.wav
    C:\Program Files\mouse_move.wav
    C:\Program Files\ding.wav
    C:\Program Files\addchips.wav
    C:\Program Files\firework3.wav
    C:\Program Files\cards_dealing.wav
    C:\Program Files\reminder.wav
    C:\Program Files\ring.wav
    C:\Program Files\chimes.wav
    C:\Program Files\chips_sliding.wav
    C:\WINDOWS\SYSTEM32\04DF4FF763.dll
    C:\WINDOWS\SYSTEM32\fgjlm.bak1
    C:\WINDOWS\SYSTEM32\fgjlm.ini2
    C:\WINDOWS\SYSTEM32\mrxofpgb.ini2
    C:\WINDOWS\SYSTEM32\obdekini.ini2
    C:\WINDOWS\system32\d3dx9_2.dll
    C:\WINDOWS\system32\drivers\iowacykc.dat
    
    Driver::
    lbzemkha
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8B79BC28-8906-4E91-8A2F-1171A146DA33}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TgAddServer"=-
    "UserFaultCheck"=-
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Please try to boot normally and see if you can access the internet properly now.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
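The CFScript above uses three directive blocks, and it is worth being able to read one before dragging it onto ComboFix. As an added example, not ComboFix's code and not from the thread, here is a small Python parser for the subset of the format the post uses: lines under File:: are paths to delete, lines under Driver:: are service/driver names to remove, and lines under Registry:: follow .reg syntax, where [-KEY] deletes a whole key and "Name"=- deletes one value under the most recently opened [KEY]. The ~ in the BHO key is ComboFix's own path abbreviation and is kept verbatim rather than expanded. The sample script is constructed from a few lines of the one above; any construct the post does not use (setting a value, an unknown section, a value line with no open key) is rejected rather than guessed at, so a misread script fails before anything is applied.

```python
import re

# Constructed sample: a few lines of the CFScript above, same three sections.
SAMPLE_CFSCRIPT = """\
File::
C:\\Program Files\\popup.html
C:\\WINDOWS\\SYSTEM32\\04DF4FF763.dll
C:\\WINDOWS\\system32\\drivers\\iowacykc.dat

Driver::
lbzemkha
Registry::
[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{8B79BC28-8906-4E91-8A2F-1171A146DA33}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"TgAddServer"=-
"UserFaultCheck"=-
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# .reg-style key lines: [KEY] opens a key, [-KEY] deletes it. The ~ that ComboFix
# uses as a path abbreviation is left exactly as written.
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# "Name"=- deletes a value in the currently open key (the only value form the post uses).
VALUE_DELETE_RE = re.compile(r'^"([^"]+)"=-$')

KNOWN_SECTIONS = {"file", "driver", "registry"}


def parse_cfscript(text):
    """Turn the script into (action, target, detail) tuples without executing anything.
    Only the constructs the post uses are accepted; anything else raises, so a script
    is never half-applied on a misreading."""
    actions = []
    section = None
    open_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if section not in KNOWN_SECTIONS:
                raise ValueError(f"line {lineno}: unsupported section {line}")
            open_key = None
            continue
        if section == "file":
            actions.append(("delete_file", line, None))
        elif section == "driver":
            actions.append(("delete_driver_service", line, None))
        elif section == "registry":
            km = KEY_RE.match(line)
            if km:
                minus, key = km.groups()
                if minus:
                    actions.append(("delete_key", key, None))
                    open_key = None  # value lines after a deleted key make no sense
                else:
                    open_key = key
                continue
            vm = VALUE_DELETE_RE.match(line)
            if vm is None:
                raise ValueError(f'line {lineno}: only "Name"=- is supported here: {line}')
            if open_key is None:
                raise ValueError(f"line {lineno}: value line outside any [KEY]: {line}")
            actions.append(("delete_value", open_key, vm.group(1)))
        else:
            raise ValueError(f"line {lineno}: content before any section header: {line}")
    return actions


def plan_summary(actions):
    """Counts per action kind, for eyeballing a script before it goes anywhere near ComboFix."""
    summary = {}
    for kind, _, _ in actions:
        summary[kind] = summary.get(kind, 0) + 1
    return summary


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for kind, target, detail in plan:
        print(kind, target, detail or "")
    print(plan_summary(plan))
```

The strictness is the point: a CFScript is applied with full privileges and no undo beyond ComboFix's quarantine, so a line you cannot classify should stop the run, not fall through to a default.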

Re: Ready for next step

Post by julie0527 » January 7th, 2008, 11:46 am

Symantec just scanned. We used it since we couldn't download hijackthis.

I tried twice to start in normal mode and both times it had the flashing lines, screen flashed black several times, and it locked up. The 1st time after I opened Internet Explorer and the 2nd time before.

Forgot to mention earlier that in safe mode it also takes 2 or 3 tries to get IE to open properly.

-----------------------------------------------------------------------------------------

ComboFix 08-01-04.1 - Matthew 2008-01-07 10:34:06.4 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.756 [GMT -5:00]
Running from: F:\ComboFix.exe
Command switches used :: C:\Documents and Settings\Matthew\Desktop\CFScript.txt

FILE
C:\Program Files\addchips.wav
C:\Program Files\cards_dealing.wav
C:\Program Files\cards_sliding.wav
C:\Program Files\chimes.wav
C:\Program Files\chips_sliding.wav
C:\Program Files\ding.wav
C:\Program Files\firework3.wav
C:\Program Files\mouse_move.wav
C:\Program Files\PartyPoker.exe
C:\Program Files\poker.bin
C:\Program Files\popup.html
C:\Program Files\reminder.wav
C:\Program Files\ring.wav
C:\Program Files\tap.wav
C:\WINDOWS\SYSTEM32\04DF4FF763.dll
C:\WINDOWS\system32\d3dx9_2.dll
C:\WINDOWS\system32\drivers\iowacykc.dat
C:\WINDOWS\SYSTEM32\fgjlm.bak1
C:\WINDOWS\SYSTEM32\fgjlm.ini2
C:\WINDOWS\SYSTEM32\mrxofpgb.ini2
C:\WINDOWS\SYSTEM32\obdekini.ini2
.

((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-06 17:50 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-19 11:33 . 2007-12-19 11:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Nova Development
2007-12-19 11:33 . 2007-12-19 11:33 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 11:10 . 2007-12-19 11:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ulead Systems
2007-12-18 23:33 . 2007-12-18 23:33 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-18 23:29 . 2007-12-18 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2007-12-18 23:28 . 2007-12-19 11:33 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-17 01:07 . 2007-12-17 01:07 129 --a------ C:\Shortcut to CD Drive.lnk

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 02:00 --------- d-----w C:\Program Files\Quicken
2007-12-03 04:21 --------- d-----w C:\Program Files\McAfee
2007-12-03 04:21 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-03 04:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-11-30 01:18 28,672 ----a-w C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-11-29 21:49 --------- d-----w C:\Program Files\EsetOnlineScanner
2007-11-29 19:31 --------- d-----w C:\Documents and Settings\Matthew\Application Data\McAfee
2007-11-29 19:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-29 14:00 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-29 14:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap
2007-11-28 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-11-21 00:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\eBay
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-30 09:55 3,065,856 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-11 05:57 96,256 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
2007-10-11 05:57 666,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-10-11 05:57 617,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-10-11 05:57 55,808 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-10-11 05:57 532,480 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-10-11 05:57 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-10-11 05:57 449,024 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-10-11 05:57 39,424 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
2007-10-11 05:57 357,888 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
2007-10-11 05:57 251,904 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
2007-10-11 05:57 205,824 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-10-11 05:57 16,384 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-10-11 05:57 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-10-11 05:57 146,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-10-11 05:57 1,498,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-10-11 05:57 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-10-11 05:57 1,024,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-10-10 10:48 18,432 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2006-12-21 20:54 14,201 ----a-w C:\Program Files\INSTALL.LOG
2005-09-14 13:24 33,280 ----a-w C:\Program Files\EndProcess.exe
2004-04-21 03:55 1,760,378 ----a-w C:\Program Files\aaw6.exe
2004-03-14 22:48 2,800,777 ----a-w C:\Program Files\aucmak2.exe
2004-03-14 21:18 19,296,636 ----a-w C:\Program Files\PEERInstall.exe
2004-02-08 18:30 10 ----a-w C:\Program Files\Notes.txt
2004-02-08 18:07 336 ----a-w C:\Program Files\announce.txt
2004-02-07 03:26 5,864 ----a-w C:\Program Files\client.ini
2004-01-28 15:47 1,800 ----a-w C:\Program Files\TabConfig.txt
2004-01-08 20:24 41 ----a-w C:\Program Files\RemoveGlobalMsg.txt
2004-01-08 20:23 205 ----a-w C:\Program Files\ResendGlobalMsg.txt
2004-01-05 01:46 3,371,040 ---h--r C:\Documents and Settings\Matthew\SYSTEM.DAT
2004-01-05 01:45 831,520 ---h--r C:\Documents and Settings\Matthew\USER.DAT
2004-01-05 01:45 3,833,888 ---h--r C:\Documents and Settings\Matthew\CLASSES.DAT
2003-07-03 23:13 498 ----a-w C:\Documents and Settings\Matthew\eReg.dat
2003-05-26 23:17 30 ----a-w C:\Documents and Settings\Matthew\INTURS.DAT
2003-05-13 18:20 8,224 ----a-w C:\Documents and Settings\Matthew\Application Data\GDIPFONTCACHEV1.DAT
2003-05-09 04:45 19,281 ----a-w C:\Documents and Settings\Matthew\War3Unin.dat
2003-05-04 04:41 11,310 ----a-w C:\Documents and Settings\Matthew\scunin.dat
2003-05-03 17:03 1,536 ----a-w C:\Documents and Settings\Matthew\TrueSoft.dat
2003-05-01 22:32 163,872 ---h--r C:\Documents and Settings\Matthew\HWINFO.DAT
2003-02-28 21:35 6,550 ----a-w C:\Documents and Settings\Matthew\JAUTOEXP.DAT
2002-06-14 17:33 96,256 ----a-w C:\Program Files\UnGins.exe
2002-05-24 06:49 679,936 ----a-w C:\Program Files\libeay32.dll
2002-05-24 06:49 147,456 ----a-w C:\Program Files\ssleay32.dll
2002-05-23 11:25 147,728 ----a-w C:\Program Files\ASYCFILT.DLL
2001-11-29 19:58 456 ----a-w C:\Documents and Settings\Matthew\PTHSP.DAT
1999-06-22 05:45 57,344 ----a-w C:\Program Files\Zlib.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2005-09-29 09:44 597104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 14:16 5058560]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 17:24 86016]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2003-09-15 01:00 126976]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 10:18 49152]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 02:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 17:45 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2004-08-04 02:56 11776 C:\WINDOWS\SYSTEM32\regsvr32.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 11:27 28672]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 20:47 204800]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2003-10-06 11:05 53248]
"Tgcmd"="c:\@Home\tioga\bin\tgcmd.exe" [2000-03-10 18:59 598016]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-02 19:46 270336]
"nwiz"="nwiz.exe" [2003-10-06 14:16 741376 C:\WINDOWS\SYSTEM32\nwiz.exe]
"kdx"="C:\WINDOWS\kdx\KHost.exe" [2004-01-20 11:45 1757184]
"PDUiP6000DMon"="C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe" [2004-05-31 13:26 57344]
"PDUiP6000DTskbr"="C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe" [2004-05-28 09:29 69632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-11 17:52 98304]
"Launch LGDCore"="C:\Program Files\Logitech\G-series Software\LGDCore.exe" [2005-08-23 08:36 1110079]
"Launch LCDMon"="C:\Program Files\Logitech\G-series Software\LCDMon.exe" [2005-08-23 08:22 188416]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46 57344]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-14 20:47 180269]
"Motive SmartBridge"="C:\PROGRA~1\VIRTUA~1\SMARTB~1\SprintDSLAlert.exe" [2007-07-06 07:00 438359]
"SSP Notifier"="C:\Program Files\Fisher-Price\FP3 Player\sspnotifier.exe" [2006-07-12 11:44 20480]
"MWLExe"="C:\Program Files\Mcafee\MWL\MWLGui.exe" [2007-07-28 09:32 1279336]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 22:33 582992]

C:\Documents and Settings\Matthew\Start Menu\Programs\Startup\
Picaboo.lnk - C:\Program Files\Picaboo\Picaboo\PicabooMain.exe [2007-04-04 12:10:52]
PictureProject In Touch.lnk - C:\Program Files\Nikon\PictureProject In Touch\PictureProjectInTouch.exe [2005-03-21 17:30:34]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-08 17:36:15]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Forget Me Not.lnk - C:\Program Files\Mindscape\CreataParty\PMREMIND.EXE [2005-10-10 20:24:47]
Gomez PEER.lnk - C:\Program Files\Gomez\GomezPEER\bin\GomezPEER.exe [2004-03-14 16:19:25]
Kodak EasyShare software.lnk - C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe [2003-09-18 10:47:10]
KODAK Software Updater.lnk - C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2005-12-11 18:03:15]
Virtual Assistant.lnk - C:\Program Files\Virtual Assistant\bin\matcli.exe [2006-12-21 16:11:39]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

S2 ptssvc;ptssvc;C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe [2001-08-15 06:43]
S3 Wdm1;USB Bridge Cable Driver;C:\WINDOWS\system32\Drivers\usbbc.sys [2003-07-01 12:51]

*Newly Created Service* - DCFS2K
.
Contents of the 'Scheduled Tasks' folder
"2007-11-15 06:48:56 C:\WINDOWS\Tasks\McDefragTask.job"
- C:\WINDOWS\system32\defrag.exe
"2007-12-01 06:03:01 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe.4158 0
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 10:40:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-07 10:41:39
ComboFix-quarantined-files.txt 2008-01-07 15:41:24
ComboFix2.txt 2008-01-07 14:43:05
ComboFix3.txt 2008-01-06 23:36:32
.
2007-12-06 01:14:19 --- E O F ---
julie0527
Regular Member
 
Posts: 22
Joined: November 30th, 2007, 8:35 am

Re: Ready for next step

Post by Katana » January 7th, 2008, 4:14 pm

There is obviously still a lot of malware hiding.

These tools are safe to download and transfer to the infected PC; they will not run automatically.
Since you will have to transfer some programs over, I have attached a file to this post.
Just open the zip file and use the contents of the text file inside with OTMoveIt where instructed.

Programs to Download
Download OTMoveIt by OldTimer.
Download SDFix.
Now download the file attached to this post.

While you are downloading and transferring files, please download a fresh copy of ComboFix, as it has been updated.
Just delete the ComboFix.exe that you already have.
You do not need to run it yet; I am just trying to save you time transferring things.

Download Combofix from one of the links below :

ComboFix.exe 1
ComboFix.exe 2
ComboFix.exe 3

Transfer all 4 files to the infected PC
=========================================================================================

On the infected PC......

OTMoveIt
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    Contents of the Text file
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
  • Copy and paste the contents of the results box as a reply to this topic
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

SD Fix
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F5 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
  • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
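OTMoveIt's job in the steps above is to get the listed files out of the way and report the outcome per path, with a reboot for anything it cannot move immediately. The Python below is an added, simplified imitation of that behaviour, not OTMoveIt's code and not from the thread. It moves each listed path into a quarantine folder that mirrors the original directory layout (so the original location can be restored from the quarantined copy's path), writes one log line per path in the "moved successfully" / "not found" style the thread's results use, and collects anything locked for a later pass. The quarantine root, the log location and the handling of locked files are assumptions: the usual Windows mechanism for deferring a move is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, and whether OTMoveIt uses exactly that is not stated on the page, so here a locked file is only recorded. The demo() function builds a throwaway directory with a file named after one of the scan hits, so the whole thing runs anywhere.

```python
import os
import shutil
import tempfile
from datetime import datetime


def _quarantine_dest(path, quarantine_root):
    """Mirror the source layout under the quarantine root (my layout choice, not
    OTMoveIt's scheme). On Windows C:\\WINDOWS\\SYSTEM32\\X.0LL becomes
    <root>\\C\\WINDOWS\\SYSTEM32\\X.0LL; on POSIX /a/b/X.0LL becomes <root>/a/b/X.0LL."""
    drive, tail = os.path.splitdrive(path)
    rel = (drive.rstrip(":") + tail).lstrip("\\/")
    return os.path.join(quarantine_root, rel)


def quarantine_move(paths, quarantine_root):
    """Move each path into quarantine. Returns (log_lines, pending); pending holds
    paths that exist but could not be moved (locked or in use) and need another pass."""
    log, pending = [], []
    os.makedirs(quarantine_root, exist_ok=True)
    for raw in paths:
        path = raw.strip()
        if not path:
            continue
        if not os.path.lexists(path):
            log.append(f"File/Folder {path} not found.")
            continue
        dest = _quarantine_dest(path, quarantine_root)
        try:
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.move(path, dest)
            log.append(f"{path} moved successfully.")
        except OSError as exc:
            # A loaded DLL or running EXE fails here on Windows. Real tools queue a
            # delayed move for the next boot; this example only records the path.
            pending.append(path)
            log.append(f"{path} could not be moved ({exc.strerror}); reboot required.")
    return log, pending


def write_log(log, quarantine_root):
    """Save the per-path results as <root>/MovedFiles/<date>_<time>.log and return the path."""
    log_dir = os.path.join(quarantine_root, "MovedFiles")
    os.makedirs(log_dir, exist_ok=True)
    log_path = os.path.join(log_dir, datetime.now().strftime("%m%d%Y_%H%M%S") + ".log")
    with open(log_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(log) + "\n")
    return log_path


def demo():
    """Constructed input: a throwaway tree with one 'dropper' (name taken from the scan
    listing) and one listed-but-absent file, as happened with d3dx9_2.dll in the thread.
    Returns plain values describing what happened."""
    base = tempfile.mkdtemp(prefix="quarantine_demo_")
    fake_sys32 = os.path.join(base, "WINDOWS", "SYSTEM32")
    os.makedirs(fake_sys32)
    dropper = os.path.join(fake_sys32, "DDIIPAPX.0LL")
    with open(dropper, "wb") as fh:
        fh.write(b"MZ constructed placeholder, not a real binary\n")
    missing = os.path.join(fake_sys32, "d3dx9_2.dll")

    root = os.path.join(base, "_Quarantine")
    log, pending = quarantine_move([dropper, missing], root)
    log_path = write_log(log, root)
    return {
        "log": log,
        "pending": pending,
        "source_removed": not os.path.exists(dropper),
        "quarantined_copy_exists": os.path.exists(_quarantine_dest(dropper, root)),
        "log_written": os.path.isfile(log_path),
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Moving rather than deleting is what makes a mistaken entry in the list recoverable; keep the quarantine folder until the machine has been stable for a while, then remove it, because the quarantined files are still the malware and an on-demand scanner will keep flagging them.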

Re: Ready for next step

Post by julie0527 » January 7th, 2008, 9:30 pm

OTmoveit results below:


C:\WINDOWS\SYSTEM32\A3.0LL moved successfully.
C:\WINDOWS\SYSTEM32\ACYPKEDR.0LL moved successfully.
C:\WINDOWS\SYSTEM32\ADSLD.0LL moved successfully.
C:\WINDOWS\SYSTEM32\ADSN.0LL moved successfully.
C:\WINDOWS\SYSTEM32\ADSND.0LL moved successfully.
C:\WINDOWS\SYSTEM32\AFOMBYLE.0XE moved successfully.
C:\WINDOWS\SYSTEM32\AJBYUCSE.0LL moved successfully.
C:\WINDOWS\SYSTEM32\AJIUWTMN.0XE moved successfully.
C:\WINDOWS\SYSTEM32\AJTIWBS.0LL moved successfully.
C:\WINDOWS\SYSTEM32\ATMLI.0LL moved successfully.
C:\WINDOWS\SYSTEM32\AVICA.0LL moved successfully.
C:\WINDOWS\SYSTEM32\AVXBRJNI.0XE moved successfully.
C:\WINDOWS\SYSTEM32\BDIIORD.0LL moved successfully.
C:\WINDOWS\SYSTEM32\BHOFTBUH.0XE moved successfully.
C:\WINDOWS\SYSTEM32\BIBHCVNO.0XE moved successfully.
C:\WINDOWS\SYSTEM32\BJKHTVUC.0XE moved successfully.
C:\WINDOWS\SYSTEM32\BKLULAXK.0XE moved successfully.
C:\WINDOWS\SYSTEM32\BKWJAPFF.0XE moved successfully.
C:\WINDOWS\SYSTEM32\BPDEIPGF.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\bpggtluh.dll
C:\WINDOWS\SYSTEM32\bpggtluh.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\bpggtluh.dll moved successfully.
C:\WINDOWS\SYSTEM32\BQTFEVKR.0XE moved successfully.
C:\WINDOWS\SYSTEM32\BRNOVEUJ.0XE moved successfully.
C:\WINDOWS\SYSTEM32\BROMXHIC.0XE moved successfully.
C:\WINDOWS\SYSTEM32\BROWSE.0LL moved successfully.
C:\WINDOWS\SYSTEM32\BTHC.0LL moved successfully.
C:\WINDOWS\SYSTEM32\BTYYBVYB.0LL moved successfully.
C:\WINDOWS\SYSTEM32\CGCQUJRC.0LL moved successfully.
C:\WINDOWS\SYSTEM32\CKMADMLD.0XE moved successfully.
C:\WINDOWS\SYSTEM32\CKSRSCET.0XE moved successfully.
C:\WINDOWS\SYSTEM32\CMCFG3.0LL moved successfully.
C:\WINDOWS\SYSTEM32\CNJYRCNY.0XE moved successfully.
C:\WINDOWS\SYSTEM32\CNMLM6.0LL moved successfully.
C:\WINDOWS\SYSTEM32\CONSOL.0LL moved successfully.
C:\WINDOWS\SYSTEM32\CPEYEAJ.0LL moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\cqowstgh.dll
C:\WINDOWS\SYSTEM32\cqowstgh.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\cqowstgh.dll moved successfully.
C:\WINDOWS\SYSTEM32\CTDPROX.0LL moved successfully.
C:\WINDOWS\SYSTEM32\CTMEDEN.0LL moved successfully.
C:\WINDOWS\SYSTEM32\CTOSUSE.0LL moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\cvufvasj.dll
C:\WINDOWS\SYSTEM32\cvufvasj.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\cvufvasj.dll moved successfully.
C:\WINDOWS\SYSTEM32\D3D8TH.0LL moved successfully.
C:\WINDOWS\SYSTEM32\D3DR.0LL moved successfully.
C:\WINDOWS\SYSTEM32\d3dx9_2.11 moved successfully.
File/Folder C:\WINDOWS\SYSTEM32\d3dx9_2.dll not found.
C:\WINDOWS\SYSTEM32\DAKJTQGF.0LL moved successfully.
C:\WINDOWS\SYSTEM32\DBGHEL.0LL moved successfully.
C:\WINDOWS\SYSTEM32\DCEIDMCW.0LL moved successfully.
C:\WINDOWS\SYSTEM32\DDIIPAPX.0LL moved successfully.
C:\WINDOWS\SYSTEM32\DEDICWIG.0LL moved successfully.
C:\WINDOWS\SYSTEM32\DFFJXHCE.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DGTMPRNV.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DHBAJFIB.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DHULRBCM.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DLPWEXAO.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DMFPNTMX.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DMTUIKYL.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DNBOUAXO.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DNLHGALH.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DNPFDPBJ.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DPCUETXY.0LL moved successfully.
C:\WINDOWS\SYSTEM32\DQHPUYDB.0LL moved successfully.
C:\WINDOWS\SYSTEM32\DUTFJJKX.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DYOFSJST.0LL moved successfully.
C:\WINDOWS\SYSTEM32\EACKWXQR.0XE moved successfully.
C:\WINDOWS\SYSTEM32\EFAUGRXJ.0XE moved successfully.
C:\WINDOWS\SYSTEM32\EJOHYADK.0LL moved successfully.
C:\WINDOWS\SYSTEM32\EMGWTKVC.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\enpvread.dll
C:\WINDOWS\SYSTEM32\enpvread.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\enpvread.dll moved successfully.
C:\WINDOWS\SYSTEM32\EQXYAKSX.0LL moved successfully.
C:\WINDOWS\SYSTEM32\EWDNECWI.0XE moved successfully.
C:\WINDOWS\SYSTEM32\FBUPQUET.0XE moved successfully.
C:\WINDOWS\SYSTEM32\FIMILHLD.0XE moved successfully.
C:\WINDOWS\SYSTEM32\FKCTXGEK.0XE moved successfully.
C:\WINDOWS\SYSTEM32\FMVPHYFU.0LL moved successfully.
C:\WINDOWS\SYSTEM32\FNPXBDPA.0XE moved successfully.
C:\WINDOWS\SYSTEM32\FOXDOGLE.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\fybopbkg.dll
C:\WINDOWS\SYSTEM32\fybopbkg.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\fybopbkg.dll moved successfully.
C:\WINDOWS\SYSTEM32\GBXQVOJQ.0LL moved successfully.
C:\WINDOWS\SYSTEM32\GLFXVOSQ.0XE moved successfully.
C:\WINDOWS\SYSTEM32\GTFQLXOR.0XE moved successfully.
C:\WINDOWS\SYSTEM32\GWSOSXSW.0XE moved successfully.
C:\WINDOWS\SYSTEM32\GXINAMPX.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\hamjmuqg.dll
C:\WINDOWS\SYSTEM32\hamjmuqg.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\hamjmuqg.dll moved successfully.
C:\WINDOWS\SYSTEM32\HBGEAOMD.0XE moved successfully.
C:\WINDOWS\SYSTEM32\HCVESQER.0XE moved successfully.
C:\WINDOWS\SYSTEM32\HEHGIKHC.0XE moved successfully.
C:\WINDOWS\SYSTEM32\HNIQOLHK.0LL moved successfully.
C:\WINDOWS\SYSTEM32\HNNVQCKV.0XE moved successfully.
C:\WINDOWS\SYSTEM32\HRQLEYUK.0XE moved successfully.
C:\WINDOWS\SYSTEM32\ILGDQHQY.0XE moved successfully.
C:\WINDOWS\SYSTEM32\IMSXTBHK.0LL moved successfully.
C:\WINDOWS\SYSTEM32\INYVEDJP.0XE moved successfully.
C:\WINDOWS\SYSTEM32\JAHNYAYL.0XE moved successfully.
C:\WINDOWS\SYSTEM32\JAYACIGU.0XE moved successfully.
C:\WINDOWS\SYSTEM32\JCPBXLMI.0XE moved successfully.
C:\WINDOWS\SYSTEM32\JGMRJHUU.0XE moved successfully.
C:\WINDOWS\SYSTEM32\JKDYERWL.0LL moved successfully.
C:\WINDOWS\SYSTEM32\JNWXRCWX.0LL moved successfully.
C:\WINDOWS\SYSTEM32\JQWEEVYN.0LL moved successfully.
C:\WINDOWS\SYSTEM32\KBCRYHBW.0XE moved successfully.
C:\WINDOWS\SYSTEM32\KCJWGBXU.0XE moved successfully.
C:\WINDOWS\SYSTEM32\KCYDIGLT.0XE moved successfully.
C:\WINDOWS\SYSTEM32\KOSNSXMN.0XE moved successfully.
C:\WINDOWS\SYSTEM32\KPNFOSUI.0LL moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\kskfhhqg.dll
C:\WINDOWS\SYSTEM32\kskfhhqg.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\kskfhhqg.dll moved successfully.
C:\WINDOWS\SYSTEM32\KSMRHCTD.0XE moved successfully.
C:\WINDOWS\SYSTEM32\KVGCXOJD.0XE moved successfully.
C:\WINDOWS\SYSTEM32\LESMTRQS.0LL moved successfully.
C:\WINDOWS\SYSTEM32\LFOOGUNF.0XE moved successfully.
C:\WINDOWS\SYSTEM32\LGUOEOUN.0XE moved successfully.
C:\WINDOWS\SYSTEM32\LJOWSFHG.0LL moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\lxjygbrm.dll
C:\WINDOWS\SYSTEM32\lxjygbrm.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\lxjygbrm.dll moved successfully.
C:\WINDOWS\SYSTEM32\MHKYHRPU.0XE moved successfully.
C:\WINDOWS\SYSTEM32\MMWDNKFQ.0XE moved successfully.
C:\WINDOWS\SYSTEM32\MSXJVBTE.0LL moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\muxgcjtq.dll
C:\WINDOWS\SYSTEM32\muxgcjtq.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\muxgcjtq.dll moved successfully.
C:\WINDOWS\SYSTEM32\NEVRRUHG.0XE moved successfully.
C:\WINDOWS\SYSTEM32\NIUOGRKJ.0XE moved successfully.
C:\WINDOWS\SYSTEM32\NMJDNTXN.0LL moved successfully.
C:\WINDOWS\SYSTEM32\NOYKBQWP.0XE moved successfully.
C:\WINDOWS\SYSTEM32\NPSPFJDU.0XE moved successfully.
C:\WINDOWS\SYSTEM32\NQDMVTVS.0XE moved successfully.
C:\WINDOWS\SYSTEM32\NREETITT.0XE moved successfully.
C:\WINDOWS\SYSTEM32\NSUEIQAS.0XE moved successfully.
C:\WINDOWS\SYSTEM32\OIPBOVQK.0LL moved successfully.
C:\WINDOWS\SYSTEM32\ORRABPCF.0LL moved successfully.
C:\WINDOWS\SYSTEM32\ORVMPEHP.0XE moved successfully.
C:\WINDOWS\SYSTEM32\OVWGTQAT.0LL moved successfully.
C:\WINDOWS\SYSTEM32\PEITOHKX.0LL moved successfully.
C:\WINDOWS\SYSTEM32\PFORILOC.0XE moved successfully.
C:\WINDOWS\SYSTEM32\PGCNCGOK.0XE moved successfully.
C:\WINDOWS\SYSTEM32\PGINAADV.0XE moved successfully.
C:\WINDOWS\SYSTEM32\PHCIMYRD.0LL moved successfully.
C:\WINDOWS\SYSTEM32\PKFMJUOG.0XE moved successfully.
C:\WINDOWS\SYSTEM32\PMBBAREW.0XE moved successfully.
C:\WINDOWS\SYSTEM32\PQBMXQQL.0LL moved successfully.
C:\WINDOWS\SYSTEM32\PUEWBBOL.0XE moved successfully.
C:\WINDOWS\SYSTEM32\PURYUKWD.0XE moved successfully.
C:\WINDOWS\SYSTEM32\PXEVUDRO.0XE moved successfully.
C:\WINDOWS\SYSTEM32\PXUWFAKR.0XE moved successfully.
C:\WINDOWS\SYSTEM32\QBQMVUWQ.0XE moved successfully.
C:\WINDOWS\SYSTEM32\QJGDBASM.0XE moved successfully.
C:\WINDOWS\SYSTEM32\QLRCLLGW.0XE moved successfully.
C:\WINDOWS\SYSTEM32\QNPECMLR.0XE moved successfully.
C:\WINDOWS\SYSTEM32\QNPGUBIA.0XE moved successfully.
C:\WINDOWS\SYSTEM32\QOWTAOGV.0XE moved successfully.
C:\WINDOWS\SYSTEM32\QPTREWHG.0LL moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\qrwksbpe.dll
C:\WINDOWS\SYSTEM32\qrwksbpe.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\qrwksbpe.dll moved successfully.
C:\WINDOWS\SYSTEM32\QURYURYQ.0LL moved successfully.
C:\WINDOWS\SYSTEM32\QVNWEJXV.0XE moved successfully.
C:\WINDOWS\SYSTEM32\QXCBPWWX.0XE moved successfully.
C:\WINDOWS\SYSTEM32\RBRNIOOW.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\rcvwvtrr.dll
C:\WINDOWS\SYSTEM32\rcvwvtrr.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\rcvwvtrr.dll moved successfully.
C:\WINDOWS\SYSTEM32\RFSGHWCW.0LL moved successfully.
C:\WINDOWS\SYSTEM32\RJJYMAXI.0XE moved successfully.
C:\WINDOWS\SYSTEM32\RMODASBH.0LL moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\rowthwjg.dll
C:\WINDOWS\SYSTEM32\rowthwjg.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\rowthwjg.dll moved successfully.
C:\WINDOWS\SYSTEM32\RQENJDLK.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\rtmcvrgk.dll
C:\WINDOWS\SYSTEM32\rtmcvrgk.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\rtmcvrgk.dll moved successfully.
C:\WINDOWS\SYSTEM32\RXDIITCD.0XE moved successfully.
C:\WINDOWS\SYSTEM32\RYJGFCTV.0XE moved successfully.
C:\WINDOWS\SYSTEM32\SCUWVDLY.0XE moved successfully.
C:\WINDOWS\SYSTEM32\SEGPWGIO.0XE moved successfully.
C:\WINDOWS\SYSTEM32\SHAQSUWK.0LL moved successfully.
C:\WINDOWS\SYSTEM32\STUMYUQT.0LL moved successfully.
C:\WINDOWS\SYSTEM32\SXSUDHUF.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TAAWFBRD.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TBQTEDDL.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TCHWUPXA.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TDLGOLSN.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TIGNLUVJ.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TKKILDIS.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TNXQEYHP.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TQCELJBC.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TTFJHROT.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TWGNGGTC.0XE moved successfully.
C:\WINDOWS\SYSTEM32\TWTPLUDA.0XE moved successfully.
C:\WINDOWS\SYSTEM32\UAJUWBSA.0LL moved successfully.
C:\WINDOWS\SYSTEM32\UASXVWWT.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\ubhpwagt.dll
C:\WINDOWS\SYSTEM32\ubhpwagt.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\ubhpwagt.dll moved successfully.
C:\WINDOWS\SYSTEM32\UCKXROGC.0XE moved successfully.
C:\WINDOWS\SYSTEM32\UDDWHLXY.0XE moved successfully.
C:\WINDOWS\SYSTEM32\UFSJARYY.0XE moved successfully.
C:\WINDOWS\SYSTEM32\UQSHQMPJ.0XE moved successfully.
C:\WINDOWS\SYSTEM32\USCCFQNV.0XE moved successfully.
C:\WINDOWS\SYSTEM32\UTVQRRSG.0LL moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\vbrjhsob.dll
C:\WINDOWS\SYSTEM32\vbrjhsob.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\vbrjhsob.dll moved successfully.
C:\WINDOWS\SYSTEM32\VCJUKORQ.0LL moved successfully.
C:\WINDOWS\SYSTEM32\VCNAUGDW.0XE moved successfully.
C:\WINDOWS\SYSTEM32\VCOGHMJC.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\voospell.dll
C:\WINDOWS\SYSTEM32\voospell.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\voospell.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\vymjcoil.dll
C:\WINDOWS\SYSTEM32\vymjcoil.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\vymjcoil.dll moved successfully.
C:\WINDOWS\SYSTEM32\WCVRLIQJ.0LL moved successfully.
C:\WINDOWS\SYSTEM32\WDIFRVFG.0XE moved successfully.
C:\WINDOWS\SYSTEM32\WHLDMHBT.0XE moved successfully.
C:\WINDOWS\SYSTEM32\WHLXWSEL.0XE moved successfully.
C:\WINDOWS\SYSTEM32\WLQFHNAP.0XE moved successfully.
C:\WINDOWS\SYSTEM32\WPFLHIDE.0XE moved successfully.
C:\WINDOWS\SYSTEM32\WQJJPCYG.0XE moved successfully.
C:\WINDOWS\SYSTEM32\WRWLXCYP.0XE moved successfully.
C:\WINDOWS\SYSTEM32\WVJHFNAX.0XE moved successfully.
C:\WINDOWS\SYSTEM32\WYLJVQIW.0LL moved successfully.
C:\WINDOWS\SYSTEM32\XASMIEXP.0LL moved successfully.
C:\WINDOWS\SYSTEM32\XDUQCJKG.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\xlfmkhfl.dll
C:\WINDOWS\SYSTEM32\xlfmkhfl.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\xlfmkhfl.dll moved successfully.
C:\WINDOWS\SYSTEM32\XOLJOLQA.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\xtbndrad.dll
C:\WINDOWS\SYSTEM32\xtbndrad.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\xtbndrad.dll moved successfully.
C:\WINDOWS\SYSTEM32\XXJMVATI.0XE moved successfully.
C:\WINDOWS\SYSTEM32\YASLXQLF.0XE moved successfully.
C:\WINDOWS\SYSTEM32\YCWXIGIX.0LL moved successfully.
C:\WINDOWS\SYSTEM32\YFACCNNA.0XE moved successfully.
C:\WINDOWS\SYSTEM32\YFWSFVFL.0XE moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\ygdwdlqe.dll
C:\WINDOWS\SYSTEM32\ygdwdlqe.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\ygdwdlqe.dll moved successfully.
C:\WINDOWS\SYSTEM32\YPOGGOTH.0XE moved successfully.
C:\WINDOWS\SYSTEM32\YRAWEMXB.0XE moved successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\HMEEWWYK.0YS moved successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\vidid35x9.sys moved successfully.
C:\WINDOWS\Downloaded Program Files\MiniInstaller.exe moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1 moved successfully.
C:\Program Files\Imastant moved successfully.

Created on 01/07/2008 20:22:49

------------------------------------------------------------------------------------------

SD Fix-Report.txt:

SDFix: Version 1.124

Run by Matthew on Mon 01/07/2008 at 08:39 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\PROGRA~1\WINDOW~2\RTESEJ~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\D3DX9_2.10 - Deleted
C:\WINDOWS\tcb.pmw - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 20:53:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000058

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 29 Jan 2007 4 A..H. --- "C:\WINDOWS\uccspecb.sys"
Tue 18 Sep 2007 644 A.SH. --- "C:\WINDOWS\SYSTEM32\mrxofpgb.tmp"
Sun 30 Sep 2007 294 ..SH. --- "C:\WINDOWS\SYSTEM32\obdekini.tmp"
Tue 3 Aug 2004 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 2 Sep 2004 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Sun 19 Jun 2005 12,370,432 ...H. --- "C:\Documents and Settings\Matthew\My Documents\~WRL1680.tmp"
Wed 21 Nov 2007 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Wed 21 Nov 2007 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"

Finished!

----------------------------------------------------------------------------------------------------------------

I'm still unable to download anything so I have another Symantec scan started but it takes hours. Thank you again for your help!
julie0527
Regular Member
 
Posts: 22
Joined: November 30th, 2007, 8:35 am

Re: Ready for next step

Unread postby julie0527 » January 8th, 2008, 7:17 am

Symantec scan said no viruses...yay! What should I do next?

Thanks!
julie0527
Regular Member
 
Posts: 22
Joined: November 30th, 2007, 8:35 am