HELP, I'M BADLY INFECTED! [RESOLVED]


  • This topic is locked

#1 DNeath (Member, 37 posts)
OK, my desktop picture has changed into a screen that says I have fatal errors. I keep getting little warning icons stating that I have spyware, please install "such and such" from antispywareupate.net. I've gotten pop-ups stating Trojandownloader.xs. My Task Manager has been disabled. This thing is really getting nasty, can someone PLEASE HELP ME here?

I've run the ActiveScan, so here is that log:

Incident Status Location

Adware:Adware/SpyAway Not disinfected C:\WINDOWS\system32\mgmrwmrv.exe
Adware:adware/startpage.aco Not disinfected c:\windows\system32\ntnut32.exe
Spyware:spyware/fastsearchweb Not disinfected c:\windows\system32\shdocpe.dll
Adware:adware/123mania Not disinfected c:\windows\system32\SIPSPI32.dll
Spyware:spyware/virtumonde Not disinfected c:\windows\system32\ssqpp.dll
Adware:adware/tubby Not disinfected c:\windows\system32\WER8274.DLL
Adware:adware/ncase Not disinfected c:\windows\180ax.exe
Adware:adware/topconvert Not disinfected c:\windows\updatetc.exe
Adware:adware/portalscan Not disinfected c:\program files\stc
Adware:adware/surfassistant Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/adlogix Not disinfected Windows Registry
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Adware:Adware/SpyAway Not disinfected C:\WINDOWS\kvmnovef.exe
Possible Virus. Not disinfected C:\WINDOWS\lsduxqlo.exe
Adware:Adware/Adband Not disinfected C:\WINDOWS\system32\LA664.tmp[ism.exe]



Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:19 PM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {08A3084E-E8C8-4DE1-9FB4-48179982C8DE} - C:\WINDOWS\system32\rqrommk.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {856C2AFA-C61D-4B1F-AE14-2BC52F52377D} - C:\WINDOWS\system32\jkhhi.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {920f9b74-1dd2-11b2-baea-8cad97e0bc6b} - C:\WINDOWS\cfcjqbup.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {AD1D803E-3DFE-4901-BB60-FBF7A67A0105} - C:\WINDOWS\system32\sstqo.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [mdalqzwp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mdalqzwp.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Trpm] "C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1204955462212
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: rqrommk - C:\WINDOWS\SYSTEM32\rqrommk.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7415 bytes


Here is my uninstall list:

AppCore
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
Backup
ccCommon
Enable S3 for USB Device
GearDrvs
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HydraVision
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Visual C++ 2005 Redistributable
Nero Suite
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 HTMLHelp
Norton Confidential Core
Panda ActiveScan
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SPBBC 32bit
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
VIA Integrated Setup Wizard
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2



PLEASE HELP. Last time, upon trying to remove this stuff, I ended up getting an Unknown Hard Error and had to wipe everything from my hard drive :)
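The HijackThis log above is what a helper reads by hand: the F2 UserInit line with a second executable appended, the unnamed O2 BHOs loading DLLs with random-looking names from system32, the O4 Run key that launches regsvr32 /u against a DLL in Application Data, the O4 entry that starts an mmc.exe from an 8.3 short-name folder under My Documents, and the O20 Winlogon Notify hook. As an added example that is not part of this thread, the helper's advice, or HijackThis itself, the Python script below runs that same triage automatically over lines copied from the posted log. The SYSTEM_BINARIES set, the looks_random heuristic and the wording of the reasons are this example's own assumptions, not HijackThis categories or a signature database.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread; it is neither HijackThis code nor anything
the helper posted.  The sample lines are copied from the log in post #1;
the rules are this example's own assumptions about what usually marks a
hijacked Windows XP box, not a signature database.
"""
import re
from dataclasses import dataclass

# Lines copied from the HijackThis log posted above (Windows XP SP2, IE7).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {08A3084E-E8C8-4DE1-9FB4-48179982C8DE} - C:\WINDOWS\system32\rqrommk.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: (no name) - {856C2AFA-C61D-4B1F-AE14-2BC52F52377D} - C:\WINDOWS\system32\jkhhi.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [mdalqzwp] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mdalqzwp.dll"
O4 - HKCU\..\Run: [Trpm] "C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: rqrommk - C:\WINDOWS\SYSTEM32\rqrommk.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
"""

USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"
SYSTEM32 = r"c:\windows\system32"
# Assumption: names Windows ships in system32; the same name anywhere else is a red flag.
SYSTEM_BINARIES = {"mmc.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "explorer.exe", "userinit.exe", "services.exe"}

RE_F2 = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag: F2, O2, O4 or O20
    path: str      # file the entry loads, as written in the log (or the CLSID)
    reasons: list  # why it was flagged


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    parts = path.rsplit("\\", 1)
    return parts[0] if len(parts) == 2 else ""


def looks_random(filename: str) -> bool:
    """Heuristic (assumption): 5-8 lowercase letters with a run of three or more
    consonants, the shape of names like rqrommk.dll or jkhhi.dll."""
    stem = basename(filename).rsplit(".", 1)[0].lower()
    return bool(re.fullmatch(r"[a-z]{5,8}", stem)) and re.search(r"[^aeiou]{3}", stem) is not None


def location_reasons(path: str) -> list:
    """Location checks that are suspicious on their own, whatever the section."""
    p = path.lower()
    reasons = []
    if "documents and settings" in p or "docume~1" in p:
        reasons.append("runs from a user profile directory")
    if re.search(r"~\d+\\", p):
        reasons.append("8.3 short name hides the real folder name")
    if basename(p) in SYSTEM_BINARIES and dirname(p) != SYSTEM32:
        reasons.append("system binary name outside system32")
    return reasons


def triage(log_text: str) -> list:
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := RE_F2.match(line):
            # Anything besides the default userinit.exe runs at every interactive logon.
            for entry in filter(None, (e.strip() for e in m["val"].split(","))):
                if entry.lower() != USERINIT_DEFAULT:
                    extra = ["random-looking file name"] if looks_random(entry) else []
                    findings.append(Finding("F2", entry, ["extra UserInit entry"] + location_reasons(entry) + extra))
        elif m := RE_O2.match(line):
            if m["path"].lower() == "(no file)":
                findings.append(Finding("O2", m["clsid"], ["orphan BHO CLSID, no file on disk"]))
            elif m["name"] == "(no name)":
                extra = ["random-looking file name"] if looks_random(m["path"]) else []
                findings.append(Finding("O2", m["path"], ["unnamed BHO loads a DLL"] + location_reasons(m["path"]) + extra))
        elif m := RE_O4.match(line):
            cmd = m["cmd"]
            target = re.search(r'[A-Za-z]:\\[^"]*', cmd)   # first drive path, quoted or not
            path = target.group(0) if target else cmd.split()[0]
            reasons = location_reasons(path)
            if "regsvr32 /u" in cmd.lower():
                reasons.insert(0, "regsvr32 /u at logon: DllUnregisterServer used as the entry point")
            # A random-looking name only adds weight here; ctfmon.exe would otherwise trip it.
            if reasons and looks_random(path):
                reasons.append("random-looking file name")
            if reasons:
                findings.append(Finding("O4", path, reasons))
        elif m := RE_O20.match(line):
            # Notify DLLs load into winlogon.exe as SYSTEM, so naming alone is enough here.
            reasons = location_reasons(m["path"])
            if dirname(m["path"].lower()) != SYSTEM32:
                reasons.append("Winlogon Notify DLL outside system32")
            if looks_random(m["path"]):
                reasons.append("random-looking file name")
            if reasons:
                findings.append(Finding("O20", m["path"], ["Winlogon Notify hook"] + reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.path}\n      " + "; ".join(f.reasons))
```

Run as a script it prints one finding per line. The named Symantec BHO, the ATI control panel entry and ctfmon.exe in system32 are deliberately left alone: the point of checking location and naming, rather than the mere presence of an entry, is that a busy log like this one can be reduced to the seven entries a helper would actually act on. The random-name rule is only additive for O4 entries because legitimate system32 names such as ctfmon also contain consonant runs.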



#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download VundoFix from Here to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following:
  • The contents of the SDFix Report.txt
  • The contents of Vundofix.txt
  • The contents of Combofix.txt

Regards,
RatHat

#3 DNeath (Topic Starter, Member, 37 posts)
Thanks RatHat, this is greatly appreciated!! So here are the logs. The VundoFix wouldn't run, though. I'm going to post the logs in order, and shall post Vundo's error message accordingly. Also wanted to say that the desktop is normal now, and I haven't had any pop-ups.....


SDFix: Version 1.154

Run by Dustin on Sun 03/09/2008 at 09:53 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Killing PID 1036 'mgmrwmrv.exe'

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\trwnrecd\1.png - Deleted
C:\WINDOWS\trwnrecd\2.png - Deleted
C:\WINDOWS\trwnrecd\3.png - Deleted
C:\WINDOWS\trwnrecd\4.png - Deleted
C:\WINDOWS\trwnrecd\5.png - Deleted
C:\WINDOWS\trwnrecd\6.png - Deleted
C:\WINDOWS\trwnrecd\7.png - Deleted
C:\WINDOWS\trwnrecd\8.png - Deleted
C:\WINDOWS\trwnrecd\9.png - Deleted
C:\WINDOWS\trwnrecd\bottom-rc.gif - Deleted
C:\WINDOWS\trwnrecd\config.png - Deleted
C:\WINDOWS\trwnrecd\content.png - Deleted
C:\WINDOWS\trwnrecd\download.gif - Deleted
C:\WINDOWS\trwnrecd\frame-bg.gif - Deleted
C:\WINDOWS\trwnrecd\frame-bottom-left.gif - Deleted
C:\WINDOWS\trwnrecd\frame-h1bg.gif - Deleted
C:\WINDOWS\trwnrecd\head.png - Deleted
C:\WINDOWS\trwnrecd\icon.png - Deleted
C:\WINDOWS\trwnrecd\indexwp.html - Deleted
C:\WINDOWS\trwnrecd\main.css - Deleted
C:\WINDOWS\trwnrecd\memory-prots.png - Deleted
C:\WINDOWS\trwnrecd\net.png - Deleted
C:\WINDOWS\trwnrecd\pc.gif - Deleted
C:\WINDOWS\trwnrecd\pc-mag.gif - Deleted
C:\WINDOWS\trwnrecd\poloska1.png - Deleted
C:\WINDOWS\trwnrecd\poloska2.png - Deleted
C:\WINDOWS\trwnrecd\poloska3.png - Deleted
C:\WINDOWS\trwnrecd\promowp1.html - Deleted
C:\WINDOWS\trwnrecd\promowp2.html - Deleted
C:\WINDOWS\trwnrecd\promowp3.html - Deleted
C:\WINDOWS\trwnrecd\promowp4.html - Deleted
C:\WINDOWS\trwnrecd\promowp5.html - Deleted
C:\WINDOWS\trwnrecd\reg.png - Deleted
C:\WINDOWS\trwnrecd\repair.png - Deleted
C:\WINDOWS\trwnrecd\scr-1.png - Deleted
C:\WINDOWS\trwnrecd\scr-2.png - Deleted
C:\WINDOWS\trwnrecd\start.png - Deleted
C:\WINDOWS\trwnrecd\styles.css - Deleted
C:\WINDOWS\trwnrecd\top-rc.gif - Deleted
C:\WINDOWS\trwnrecd\vline.gif - Deleted
C:\WINDOWS\trwnrecd\wp.png - Deleted
C:\WINDOWS\PerfInfo\lgCqB0L10Nwp.exe - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\system32\mgmrwmrv.exe - Deleted



Folder C:\WINDOWS\PerfInfo - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 22:02:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 8 Mar 2008 89,088 ..SHR --- "C:\Documents and Settings\Dustin\My Documents\àdobe\mmc.exe"
Fri 18 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"

Finished!


Vundo:

Run-time error '309':
Component 'comdlg32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid

ComboFix 08-03-09.1 - Dustin 2008-03-09 22:22:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.68 [GMT -4:00]
Running from: C:\Documents and Settings\Dustin\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\mdalqzwp.dll
C:\Documents and Settings\Dustin\My Documents\DOBE~1
C:\Documents and Settings\Dustin\My Documents\DOBE~1\?dobe\
C:\Documents and Settings\Dustin\My Documents\DOBE~1\mmc.exe
C:\Program Files\seekmo
C:\Program Files\seekmo\seekmohook.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cfcjqbup.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\ddcca.dll
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\ddccy.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\ihhkj.ini
C:\WINDOWS\system32\ihhkj.ini2
C:\WINDOWS\system32\jkhhi.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\rqrommk.dll
C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-09 21:43 . 2008-03-09 21:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-09 21:23 . 2008-03-09 22:05 <DIR> d-------- C:\SDFix
2008-03-09 16:15 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\rcpdllheusoe.sys
2008-03-09 15:36 . 2008-03-09 15:36 <DIR> d-------- C:\Program Files\180searchassistant
2008-03-09 15:36 . 2008-03-09 15:36 <DIR> d-------- C:\Program Files\180search assistant
2008-03-09 02:49 . 2008-03-09 02:53 198,676,480 --a------ C:\29D.tmp
2008-03-09 02:34 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-09 02:32 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\tgifeboxdlju.sys
2008-03-09 01:33 . 2008-03-09 16:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-09 01:33 . 2008-03-09 15:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-09 01:33 . 2008-03-09 15:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-09 01:33 . 2008-03-09 15:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-09 00:26 . 2008-03-09 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-09 00:16 . 2008-03-09 00:16 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Grisoft
2008-03-09 00:15 . 2008-03-09 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 00:15 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-08 21:58 . 2008-03-08 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\zango
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\stc
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\180solutions
2008-03-08 20:15 . 2008-03-08 20:39 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Symantec
2008-03-08 20:12 . 2008-03-08 20:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-03-08 20:12 . 2008-03-09 16:34 <DIR> d-------- C:\Program Files\Norton 360
2008-03-08 20:12 . 2008-03-08 20:12 26,880 --a------ C:\WINDOWS\didduid.ini
2008-03-08 20:11 . 2008-03-08 20:14 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-08 20:11 . 2008-03-08 20:14 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-08 20:11 . 2008-03-08 20:14 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-08 20:11 . 2008-03-08 20:14 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-08 20:10 . 2008-03-08 20:14 <DIR> d-------- C:\Program Files\Symantec
2008-03-08 20:10 . 2008-03-09 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-08 19:33 . 2008-03-08 19:33 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-03-08 17:56 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-08 17:56 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-08 17:56 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-08 17:56 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-08 17:56 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-08 17:56 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-08 17:56 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-08 17:56 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-08 17:56 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-08 17:47 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-08 09:15 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-08 09:15 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-08 09:15 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-08 07:47 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-08 07:39 . 2008-03-08 07:39 22,272 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 07:39 . 2008-03-08 07:39 20,736 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-08 07:31 . 2008-03-08 07:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-08 07:30 . 2008-03-09 21:45 <DIR> d-------- C:\WINDOWS\trwnrecd
2008-03-08 07:30 . 2008-03-08 07:30 201,216 --a------ C:\WINDOWS\gnulcjkv.dll
2008-03-08 07:30 . 2008-03-08 07:30 88,593 --a------ C:\WINDOWS\kvmnovef.exe
2008-03-08 07:30 . 2008-03-08 07:30 34,304 --a------ C:\WINDOWS\lsduxqlo.exe
2008-03-08 07:29 . 2008-03-08 07:29 295,819 --a------ C:\WINDOWS\system32\LA664.tmp
2008-03-08 07:28 . 2008-03-08 07:29 229,532 --a------ C:\WINDOWS\system32\L8918.tmp
2008-03-08 07:20 . 2008-03-08 23:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-08 06:46 . 2008-03-08 06:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-08 06:46 . 2008-03-08 06:46 169 --a------ C:\WINDOWS\RtlRack.ini
2008-03-08 06:30 . 2008-03-09 22:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\provisioning
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\peernet
2008-03-08 06:20 . 2008-03-08 06:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-08 06:16 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-08 06:14 . 2008-03-08 06:14 <DIR> d-------- C:\WINDOWS\EHome
2008-03-08 05:45 . 2004-08-04 01:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-03-08 05:45 . 2004-08-02 15:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-03-08 05:45 . 2004-08-02 15:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-03-08 05:06 . 2005-05-23 10:34 2,920,448 --------- C:\WINDOWS\UNNMP.exe
2008-03-08 05:06 . 2005-11-14 07:11 49,870 --------- C:\WINDOWS\UNNMP.cfg
2008-03-08 05:05 . 2008-03-09 16:32 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-03-08 05:04 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-08 05:03 . 2008-03-08 05:03 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:05 <DIR> d-------- C:\Program Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-08 04:53 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\VIA
2008-03-08 04:53 . 2006-06-14 04:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-03-08 04:53 . 2006-02-14 20:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-03-08 04:53 . 2006-06-14 05:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-03-08 04:53 . 2003-06-12 06:31 75,904 -ra------ C:\WINDOWS\system32\drivers\viasraid.sys
2008-03-08 04:53 . 2004-08-04 02:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-03-08 04:53 . 2004-08-04 02:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-03-08 04:53 . 2006-06-14 04:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-03-08 04:53 . 2004-08-04 02:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-03-08 04:53 . 2008-03-08 04:53 22 --a------ C:\WINDOWS\system32\ati64hlp.stb
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Gigabyte
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\AvRack
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a--c--- C:\WINDOWS\system32\dllcache\isapnp.sys
2008-03-08 04:50 . 2001-10-18 00:00 6,144 -ra------ C:\WINDOWS\system32\drivers\viaidexp.sys
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-08 04:46 . 2008-03-08 04:47 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 21:43 31,408 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-02-06 21:43 13,021 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-02-05 19:34 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-02-05 19:34 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-02-05 19:34 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-02-05 19:34 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-02-05 19:34 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-02-05 19:34 188,464 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-02-05 19:34 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-02-05 19:34 1,612 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-02-04 20:27 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2008-02-04 20:27 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2008-02-04 20:27 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2008-02-01 22:55 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2008-02-01 22:55 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2008-02-01 22:55 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2008-02-01 01:51 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2008-02-01 01:51 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2008-02-01 01:51 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2008-01-29 17:01 16,168 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-01-15 17:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 13:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-13 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-23 22:08 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-03-08 20:13 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll" [2008-02-23 22:08 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [2008-02-23 22:08 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Trpm"="C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 14:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 04:58 65536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2008-03-08 04:53:49 561152]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-06-12 06:31]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-02-06 17:43]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 22:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-02-06 17:43]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 22:28:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-03-09 22:32:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-10 02:32:32
.
2008-03-09 04:07:30 --- E O F ---

#4
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\29D.tmp
C:\WINDOWS\gnulcjkv.dll
C:\WINDOWS\kvmnovef.exe
C:\WINDOWS\lsduxqlo.exe
C:\WINDOWS\system32\LA664.tmp
C:\WINDOWS\system32\L8918.tmp

Folder::
C:\Program Files\180searchassistant
C:\Program Files\zango
C:\Program Files\180solutions

FileLook::
C:\WINDOWS\system32\drivers\rcpdllheusoe.sys
C:\WINDOWS\system32\drivers\tgifeboxdlju.sys

DirLook::
C:\Program Files\Sysmnt
C:\Program Files\stc
C:\WINDOWS\trwnrecd


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe; image not preserved]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next post, please include:
  • The contents of Combofix.txt
  • The MBAM report
  • The contents of Kaspersky.txt
  • A fresh HijackThis log, taken after completing all of the above

Regards,
RatHat
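Reading a ComboFix log the way the reply above does is mostly pattern-matching: Run entries whose target ComboFix could not stat (printed as "[ ]"), an autorun living in the user's profile under a system-tool name (Trpm pointing at an mmc.exe inside My Documents), freshly dropped binaries with random eight-letter names directly in C:\WINDOWS whose creation and modification times are identical, .tmp files left in system32, and policy values that switch off the Windows Firewall or Security Center alerting. The Python below is an added example, not part of RatHat's post or of ComboFix itself; it runs those heuristics over lines copied from the log posted above. The rule names, the "random name" test and the drop-zone list are this example's own assumptions. Note what it deliberately does not flag: rcpdllheusoe.sys keeps a 2007 modification date and sits under drivers\, so it is left alone (the FileLook output further down the thread shows it is Panda's renamed RKPavProc.sys), and apphelp32.dll slips past the random-name rule because of its digits. It is a triage aid for the helper, not a substitute for the FileLook/DirLook step.

```python
"""Triage a ComboFix log for what a removal helper reads first.
Added example, not part of this thread or of ComboFix: the rules are this
example's own heuristics and say where to look, not what to delete."""
import ntpath
import re
from collections import namedtuple

# Lines copied from the ComboFix log posted above, trimmed to what the rules read.
SAMPLE_LOG = r"""
2008-03-09 16:15 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\rcpdllheusoe.sys
2008-03-08 07:39 . 2008-03-08 07:39 22,272 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 07:30 . 2008-03-09 21:45 <DIR> d-------- C:\WINDOWS\trwnrecd
2008-03-08 07:30 . 2008-03-08 07:30 201,216 --a------ C:\WINDOWS\gnulcjkv.dll
2008-03-08 07:30 . 2008-03-08 07:30 88,593 --a------ C:\WINDOWS\kvmnovef.exe
2008-03-08 07:30 . 2008-03-08 07:30 34,304 --a------ C:\WINDOWS\lsduxqlo.exe
2008-03-08 07:29 . 2008-03-08 07:29 295,819 --a------ C:\WINDOWS\system32\LA664.tmp

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Trpm"="C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "created . modified size attrs path" rows from the Files Created section
FILE_LINE = re.compile(r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)"
                       r"\s+(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>\S.*?)\s*$")
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*?)\s*$')
RUN_TARGET = re.compile(r'^"?(?P<target>[^"\[]+?)"?\s*\[(?P<meta>[^\]]*)\]$')  # target [date time size]
RANDOM_STEM = re.compile(r"^[a-z]{8,}$")  # assumption: all lowercase letters, no digits (kvmnovef, gnulcjkv)
DROP_ZONES = {r"c:\windows", r"c:\windows\system32"}  # assumption: where droppers on this box landed
Finding = namedtuple("Finding", "rule subject note")

def reg_int(data):
    """Parse the value forms ComboFix prints: 'dword:00000001' (hex) or '0 (0x0)' (decimal)."""
    m = re.match(r"^dword:([0-9a-f]+)", data, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None

def check_file_line(m):
    """Fresh drops: created == modified (not copied from an installer), random stem, in %WINDIR% root."""
    parent, name = ntpath.split(m.group("path"))
    stem, ext = ntpath.splitext(name)
    out = []
    if parent.lower() in DROP_ZONES and m.group("created") == m.group("modified") and ext.lower() in {".exe", ".dll", ".sys"} and RANDOM_STEM.match(stem):
        out.append(Finding("dropped_random_binary", m.group("path"), "random name dropped in %WINDIR%; get FileLook/hash before deleting"))
    if ext.lower() == ".tmp" and parent.lower() == r"c:\windows\system32":
        out.append(Finding("tmp_in_system32", m.group("path"), "loose .tmp in system32; droppers stage payloads under such names"))
    return out

def check_reg_value(key, name, data):
    k, out, val = key.lower(), [], reg_int(data)
    if k.endswith(r"\currentversion\run") and (t := RUN_TARGET.match(data)):
        target, meta = t.group("target"), t.group("meta").strip()
        if not meta:  # ComboFix prints [ ] when it could not stat the target
            out.append(Finding("autorun_missing_metadata", f"{name} -> {target}", "target absent: deleted-malware remnant or uninstalled product"))
        if "\\docume~1\\" in target.lower() or "\\documents and settings\\" in target.lower():
            out.append(Finding("autorun_in_user_profile", f"{name} -> {target}", "autorun from a user profile, not Program Files or system32"))
    if k.endswith(r"\policies\system") and name in {"DisableRegistryTools", "DisableTaskMgr"} and val == 1:
        out.append(Finding("admin_tool_disabled", f"{key}\\{name}", "regedit/taskmgr blocked by policy"))
    if k.endswith(r"\security center\monitoring") and name == "DisableMonitoring" and val == 1:
        out.append(Finding("security_center_silenced", key, "alerts off at the root key; vendor subkeys (Symantec*) setting this are normal"))
    if "firewallpolicy" in k and name == "EnableFirewall" and val == 0:
        out.append(Finding("firewall_disabled", key, "Windows Firewall off; fine only if a third-party firewall covers it"))
    return out

def triage(log_text):
    """Walk the log once, tracking the current registry key for value lines."""
    findings, key = [], None
    for line in map(str.strip, log_text.splitlines()):
        if (m := KEY_LINE.match(line)):
            key = m.group("key")
        elif (m := FILE_LINE.match(line)):
            findings.extend(check_file_line(m))
        elif key and (m := VALUE_LINE.match(line)):
            findings.extend(check_reg_value(key, m.group("name"), m.group("data")))
    return findings

def rules_hit(log_text):
    """rule -> sorted subjects, for reporting and for checks."""
    findings = triage(log_text)
    return {r: sorted(f.subject for f in findings if f.rule == r) for r in {f.rule for f in findings}}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG): print(f"[{f.rule}] {f.subject}: {f.note}")
```

Run as a script it prints each finding with its note; on a full log, paste the whole ComboFix.txt into the string (or read the file) and call rules_hit(), then confirm every hit with the FileLook/DirLook directives before putting anything under File:: or Folder::.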

#5
DNeath
    Member
  • Topic Starter
  • Member
  • 37 posts
Here are the new logs you asked for,

ComboFix 08-03-09.1 - Dustin 2008-03-09 23:13:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.85 [GMT -4:00]
Running from: C:\Documents and Settings\Dustin\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Dustin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\29D.tmp
C:\WINDOWS\gnulcjkv.dll
C:\WINDOWS\kvmnovef.exe
C:\WINDOWS\lsduxqlo.exe
C:\WINDOWS\system32\L8918.tmp
C:\WINDOWS\system32\LA664.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\29D.tmp
C:\Program Files\180searchassistant
C:\Program Files\180searchassistant\saap.exe
C:\Program Files\180searchassistant\sac.exe
C:\Program Files\180solutions
C:\Program Files\180solutions\sais.exe
C:\Program Files\zango
C:\Program Files\zango\zango.exe
C:\WINDOWS\gnulcjkv.dll
C:\WINDOWS\kvmnovef.exe
C:\WINDOWS\lsduxqlo.exe
C:\WINDOWS\system32\L8918.tmp
C:\WINDOWS\system32\LA664.tmp

.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-09 21:43 . 2008-03-09 21:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-09 21:23 . 2008-03-09 22:05 <DIR> d-------- C:\SDFix
2008-03-09 16:15 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\rcpdllheusoe.sys
2008-03-09 15:36 . 2008-03-09 15:36 <DIR> d-------- C:\Program Files\180search assistant
2008-03-09 02:34 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-09 02:32 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\tgifeboxdlju.sys
2008-03-09 01:33 . 2008-03-09 16:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-09 01:33 . 2008-03-09 15:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-09 01:33 . 2008-03-09 15:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-09 01:33 . 2008-03-09 15:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-09 00:26 . 2008-03-09 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-09 00:16 . 2008-03-09 00:16 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Grisoft
2008-03-09 00:15 . 2008-03-09 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 00:15 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-08 21:58 . 2008-03-08 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-08 21:30 . 2008-03-08 21:30 <DIR> d-------- C:\Program Files\stc
2008-03-08 20:15 . 2008-03-08 20:39 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Symantec
2008-03-08 20:12 . 2008-03-08 20:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-03-08 20:12 . 2008-03-09 16:34 <DIR> d-------- C:\Program Files\Norton 360
2008-03-08 20:12 . 2008-03-08 20:12 26,880 --a------ C:\WINDOWS\didduid.ini
2008-03-08 20:11 . 2008-03-08 20:14 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-08 20:11 . 2008-03-08 20:14 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-08 20:11 . 2008-03-08 20:14 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-08 20:11 . 2008-03-08 20:14 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-08 20:10 . 2008-03-08 20:14 <DIR> d-------- C:\Program Files\Symantec
2008-03-08 20:10 . 2008-03-09 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-08 19:33 . 2008-03-08 19:33 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-03-08 17:56 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-08 17:56 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-08 17:56 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-08 17:56 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-08 17:56 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-08 17:56 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-08 17:56 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-08 17:56 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-08 17:56 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-08 17:47 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-08 09:15 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-08 09:15 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-08 09:15 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-08 07:47 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-08 07:39 . 2008-03-08 07:39 22,272 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 07:39 . 2008-03-08 07:39 20,736 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-08 07:31 . 2008-03-08 07:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-08 07:30 . 2008-03-09 21:45 <DIR> d-------- C:\WINDOWS\trwnrecd
2008-03-08 07:20 . 2008-03-08 23:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-08 06:46 . 2008-03-08 06:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-08 06:46 . 2008-03-08 06:46 169 --a------ C:\WINDOWS\RtlRack.ini
2008-03-08 06:30 . 2008-03-09 22:27 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\provisioning
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\peernet
2008-03-08 06:20 . 2008-03-08 06:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-08 06:16 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-08 06:14 . 2008-03-08 06:14 <DIR> d-------- C:\WINDOWS\EHome
2008-03-08 05:45 . 2004-08-04 01:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-03-08 05:45 . 2004-08-02 15:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-03-08 05:45 . 2004-08-02 15:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-03-08 05:06 . 2005-05-23 10:34 2,920,448 --------- C:\WINDOWS\UNNMP.exe
2008-03-08 05:06 . 2005-11-14 07:11 49,870 --------- C:\WINDOWS\UNNMP.cfg
2008-03-08 05:05 . 2008-03-09 16:32 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-03-08 05:04 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-08 05:03 . 2008-03-08 05:03 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:05 <DIR> d-------- C:\Program Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-08 04:53 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\VIA
2008-03-08 04:53 . 2006-06-14 04:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-03-08 04:53 . 2006-02-14 20:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-03-08 04:53 . 2006-06-14 05:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-03-08 04:53 . 2003-06-12 06:31 75,904 -ra------ C:\WINDOWS\system32\drivers\viasraid.sys
2008-03-08 04:53 . 2004-08-04 02:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-03-08 04:53 . 2004-08-04 02:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-03-08 04:53 . 2006-06-14 04:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-03-08 04:53 . 2004-08-04 02:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-03-08 04:53 . 2008-03-08 04:53 22 --a------ C:\WINDOWS\system32\ati64hlp.stb
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Gigabyte
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\AvRack
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a--c--- C:\WINDOWS\system32\dllcache\isapnp.sys
2008-03-08 04:50 . 2001-10-18 00:00 6,144 -ra------ C:\WINDOWS\system32\drivers\viaidexp.sys
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-08 04:46 . 2008-03-08 04:47 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-08 02:00 . 2004-08-04 03:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-08 02:00 . 2004-08-04 03:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-08 02:00 . 2004-08-04 03:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-08 02:00 . 2004-08-04 03:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-03-08 02:00 . 2007-03-08 11:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2008-03-07 19:22 . 2007-03-19 12:18 104,064 --a------ C:\WINDOWS\system32\drivers\viamraid.sys
2008-02-19 21:06 . 2008-02-19 21:06 579,464 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-02-19 21:06 . 2008-02-19 21:06 207,240 --a------ C:\WINDOWS\system32\SymRedir.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 21:43 31,408 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-02-06 21:43 13,021 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-02-05 19:34 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-02-05 19:34 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-02-05 19:34 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-02-05 19:34 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-02-05 19:34 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-02-05 19:34 188,464 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-02-05 19:34 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-02-05 19:34 1,612 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-02-04 20:27 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2008-02-04 20:27 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2008-02-04 20:27 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2008-02-01 22:55 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2008-02-01 22:55 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2008-02-01 22:55 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2008-02-01 01:51 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2008-02-01 01:51 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2008-02-01 01:51 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2008-01-29 17:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-29 17:01 16,168 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-01-15 17:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 13:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-13 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- C:\WINDOWS\system32\drivers\rcpdllheusoe.sys ----

Company: Panda Software International
File Description: Anti-malware Driver Support
File Version: 1, 0, 0, 5
Product Name: RKPavProc Driver
Copyright: Copyright © Panda Software 2007
Original file name: RKPavProc.sys

---- C:\WINDOWS\system32\drivers\tgifeboxdlju.sys ----

Company: Panda Software International
File Description: Anti-malware Driver Support
File Version: 1, 0, 0, 5
Product Name: RKPavProc Driver
Copyright: Copyright © Panda Software 2007
Original file name: RKPavProc.sys

---- Directory of C:\Program Files\stc ----

2008-03-08 21:30 24576 --a------ C:\Program Files\stc\csv5p070.exe

---- Directory of C:\Program Files\Sysmnt ----

2008-03-08 21:30 31232 --a------ C:\Program Files\Sysmnt\Ssmgr.exe

---- Directory of C:\WINDOWS\trwnrecd ----

2008-03-08 07:38 49152 --a------ C:\WINDOWS\trwnrecd\Thumbs.db


((((((((((((((((((((((((((((( [email protected]_22.32.05.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-10 02:27:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_648.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-23 22:08 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-03-08 20:13 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll" [2008-02-23 22:08 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [2008-02-23 22:08 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Trpm"="C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 14:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 04:58 65536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2008-03-08 04:53:49 561152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-06-12 06:31]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-02-06 17:43]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 22:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-02-06 17:43]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 23:15:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-09 23:16:11
ComboFix-quarantined-files.txt 2008-03-10 03:16:02
ComboFix2.txt 2008-03-10 02:32:39
.
2008-03-09 04:07:30 --- E O F ---




Malwarebytes' Anti-Malware 1.08
Database version: 474

Scan type: Quick Scan
Objects scanned: 26779
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\xflock (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PostInstallC (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 10, 2008 1:40:13 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/03/2008
Kaspersky Anti-Virus database records: 621256
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\

Scan Statistics:
Total number of scanned objects: 29342
Number of viruses found: 5
Number of infected objects: 41
Number of suspicious objects: 0
Duration of the scan process: 00:22:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{3A11AA18-C1EE-4997-B173-D36DDB1B7C1E}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{C4F1FEDD-7FAB-4D92-B6BE-31B754DDF3FA}.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-10_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\{F6B61E27-8F32-4B14-B81A-B77D0184EB24}\{97B20B1A-4FF5-49C6-8782-AB5B462B5979}.qbi Infected: VirTool.DOS.TPE skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{1FA5E0DF-DB4D-4A44-ADD5-EEF42634160D}.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{1FA5E0DF-DB4D-4A44-ADD5-EEF42634160D}.sds Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\LightningSand.CFD Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\1BD44311.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\3C8B79F9.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\4087956D.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Dustin\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
C:\Documents and Settings\Dustin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temp\~DF329B.tmp Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temp\~DF32B1.tmp Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dustin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dustin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dustin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\HomeNetworking.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\RegClean.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\mdalqzwp.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped
C:\QooBox\Quarantine\C\Documents and Settings\Dustin\My Documents\DOBE~1\mmc.exe.vir Infected: Trojan-Downloader.Win32.Agent.kwg skipped
C:\QooBox\Quarantine\C\WINDOWS\cfcjqbup.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped
C:\QooBox\Quarantine\C\WINDOWS\gnulcjkv.dll.vir Infected: Trojan.Win32.Obfuscated.gx skipped
C:\QooBox\Quarantine\C\WINDOWS\kvmnovef.exe.vir Infected: not-virus:Hoax.Win32.Renos.bbw skipped
C:\QooBox\Quarantine\C\WINDOWS\lsduxqlo.exe.vir Infected: Trojan.Win32.Obfuscated.gx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtqr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcca.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddccc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddccy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ddcyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebcc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\geede.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mljjg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mllji.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnlj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ssqpp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-09_222808.57.zip/rqrommk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-09_222808.57.zip/sstqo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-09_222808.57.zip ZIP: infected - 2 skipped
C:\SDFix\backups_old1\mgmrwmrv.exe Infected: not-virus:Hoax.Win32.Renos.bbw skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP3\A0000024.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP3\A0002042.exe Infected: not-virus:Hoax.Win32.Renos.bbw skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP3\A0002095.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002175.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002176.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002178.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002179.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002180.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002181.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002182.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002186.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002187.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP4\A0002188.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP5\A0002257.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP5\A0002258.exe Infected: not-virus:Hoax.Win32.Renos.bbw skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP5\A0002259.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\System Volume Information\_restore{637E1112-A559-4E72-970F-FA49D9C4E8AA}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A803FE0D-1568-4C76-8D37-E5263B66CFDE}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JET6E88.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_65c.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:48 AM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Trpm] "C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1204955462212
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5680 bytes

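As an added example (not code from the thread, from HijackThis or from the helper), a small Python reviewer for the O4 autostart lines in the log above: it flags entries that launch from outside the Windows and Program Files trees, use 8.3 short names, or reuse a Windows system binary name, which is what singles out the [Trpm] mmc.exe entry later identified as a Trojan-Downloader. The trusted roots and the list of system binary names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# O4 autostart lines copied from the HijackThis log posted above.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe',
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized',
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r'O4 - HKCU\..\Run: [Trpm] "C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe',
]

# Assumptions for this example: where legitimate autostart binaries are expected
# to live, and Windows binary names that malware likes to borrow.
TRUSTED_ROOTS = ('C:\\WINDOWS\\', 'C:\\PROGRAM FILES\\', 'C:\\PROGRA~1\\')
SYSTEM_BINARY_NAMES = {'MMC.EXE', 'SVCHOST.EXE', 'LSASS.EXE', 'CSRSS.EXE',
                       'WINLOGON.EXE', 'SERVICES.EXE', 'EXPLORER.EXE'}

REG_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
GLOBAL_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')
EXE_RE = re.compile(r'^(.*?\.(?:exe|com|scr|pif|bat|cmd|vbs|js|dll))(?=\s|$)', re.IGNORECASE)
SHORTNAME_RE = re.compile(r'~\d')


@dataclass
class Finding:
    name: str
    hive: str
    exe: str
    verdict: str   # 'trusted', 'unqualified' or 'review'
    reason: str


def executable_of(cmd: str) -> str:
    """Pull the launched file out of a Run value; handles quoted and unquoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)          # unquoted path with spaces, e.g. C:\Program Files\...\x.exe
    return m.group(1) if m else cmd.split()[0]


def classify(exe: str):
    """Return (verdict, reason) for one launched file."""
    upper = exe.upper()
    if '\\' not in exe:
        return 'unqualified', 'bare file name resolved via PATH; confirm which file actually runs'
    if upper.startswith(TRUSTED_ROOTS):
        return 'trusted', 'lives under the Windows or Program Files tree'
    reasons = ['launches from outside the Windows and Program Files trees']
    if upper.startswith(('C:\\DOCUME~1\\', 'C:\\DOCUMENTS AND SETTINGS\\')):
        reasons.append('runs from a user profile directory')
    if SHORTNAME_RE.search(exe):
        reasons.append('8.3 short names obscure the real folder name')
    if upper.rsplit('\\', 1)[-1] in SYSTEM_BINARY_NAMES:
        reasons.append('borrows the name of a Windows system binary')
    return 'review', '; '.join(reasons)


def review_o4(lines):
    """Parse every O4 line and attach a verdict; non-O4 lines are ignored."""
    findings = []
    for line in lines:
        m = REG_RUN_RE.match(line)
        if m:
            hive, name, cmd = m.group('hive'), m.group('name'), m.group('cmd')
        else:
            m = GLOBAL_RE.match(line)
            if not m:
                continue
            hive, name, cmd = 'Global Startup', m.group('name'), m.group('cmd')
        exe = executable_of(cmd)
        verdict, reason = classify(exe)
        findings.append(Finding(name, hive, exe, verdict, reason))
    return findings


def suspicious(lines):
    """Entries that need a human look, in log order."""
    return [f for f in review_o4(lines) if f.verdict != 'trusted']


if __name__ == '__main__':
    for f in review_o4(SAMPLE_O4_LINES):
        print(f'{f.verdict:<11} {f.hive:<14} [{f.name}] {f.exe}  -- {f.reason}')
```

Run against the full log, only the PATH-resolved SOUNDMAN.EXE and the [Trpm] entry come back for review; everything else resolves to a known vendor tree.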
#6
RatHat
    Ex Malware Expert

  • Expert
  • 7,829 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\Program Files\stc
C:\Program Files\Sysmnt
C:\WINDOWS\trwnrecd


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  • Delete ComboFix and its associated files and folders.
  • Delete VundoFix backups, if present
  • Delete the C:\Deckard folder, if present
  • Delete the C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Let me know if you have any problems running the combofix uninstall, and also if you are having any further problems with your computer.

Regards,
RatHat

#7
DNeath
    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Had no problems uninstalling Combofix, everything seems to be back to normal now. Thank you so very much!! Can I ask what you would recommend to use so this doesn't happen to me again?

Also here is the log for the last Combofix that I ran:

ComboFix 08-03-09.1 - Dustin 2008-03-10 14:17:32.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.82 [GMT -4:00]
Running from: C:\Documents and Settings\Dustin\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Dustin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\stc
C:\Program Files\stc\csv5p070.exe
C:\Program Files\Sysmnt
C:\Program Files\Sysmnt\Ssmgr.exe
C:\WINDOWS\trwnrecd
C:\WINDOWS\trwnrecd\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.

2008-03-10 01:06 . 2008-03-10 01:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-10 01:06 . 2008-03-10 01:06 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-10 01:06 . 2008-03-10 01:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-10 00:51 . 2008-03-10 00:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-10 00:51 . 2008-03-10 00:51 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Malwarebytes
2008-03-10 00:51 . 2008-03-10 00:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-09 21:43 . 2008-03-09 21:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-09 21:23 . 2008-03-09 22:05 <DIR> d-------- C:\SDFix
2008-03-09 16:15 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\rcpdllheusoe.sys
2008-03-09 15:36 . 2008-03-09 15:36 <DIR> d-------- C:\Program Files\180search assistant
2008-03-09 02:34 . 2007-06-05 11:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-03-09 02:32 . 2007-06-08 10:44 8,576 --a------ C:\WINDOWS\system32\drivers\tgifeboxdlju.sys
2008-03-09 01:33 . 2008-03-09 16:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-09 01:33 . 2008-03-09 15:49 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-09 01:33 . 2008-03-09 15:49 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-09 01:33 . 2008-03-09 15:49 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-09 00:26 . 2008-03-09 00:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-03-09 00:16 . 2008-03-09 00:16 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Grisoft
2008-03-09 00:15 . 2008-03-09 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-09 00:15 . 2007-05-30 08:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-08 21:58 . 2008-03-08 21:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 20:15 . 2008-03-08 20:39 <DIR> d-------- C:\Documents and Settings\Dustin\Application Data\Symantec
2008-03-08 20:12 . 2008-03-08 20:12 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-03-08 20:12 . 2008-03-09 16:34 <DIR> d-------- C:\Program Files\Norton 360
2008-03-08 20:12 . 2008-03-08 20:12 26,880 --a------ C:\WINDOWS\didduid.ini
2008-03-08 20:11 . 2008-03-08 20:14 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-08 20:11 . 2008-03-08 20:14 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-08 20:11 . 2008-03-08 20:14 10,563 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-08 20:11 . 2008-03-08 20:14 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-08 20:10 . 2008-03-08 20:14 <DIR> d-------- C:\Program Files\Symantec
2008-03-08 20:10 . 2008-03-09 16:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-08 19:33 . 2008-03-08 19:33 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-03-08 17:56 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-08 17:56 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-08 17:56 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-08 17:56 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-08 17:56 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-08 17:56 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-08 17:56 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-08 17:56 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-08 17:56 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-08 17:47 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-08 09:15 . 2006-08-21 05:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2008-03-08 09:15 . 2006-08-21 05:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2008-03-08 09:15 . 2006-08-21 08:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2008-03-08 07:47 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-08 07:39 . 2008-03-08 07:39 22,272 --a------ C:\WINDOWS\apphelp32.dll
2008-03-08 07:39 . 2008-03-08 07:39 20,736 --a------ C:\WINDOWS\changeurl_30.dll
2008-03-08 07:31 . 2008-03-10 01:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-08 07:20 . 2008-03-08 23:26 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-08 06:46 . 2008-03-08 06:46 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-03-08 06:46 . 2008-03-08 06:46 169 --a------ C:\WINDOWS\RtlRack.ini
2008-03-08 06:30 . 2008-03-10 00:47 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\provisioning
2008-03-08 06:22 . 2008-03-08 06:22 <DIR> d-------- C:\WINDOWS\peernet
2008-03-08 06:20 . 2008-03-08 06:20 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-08 06:16 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-08 06:14 . 2008-03-08 06:14 <DIR> d-------- C:\WINDOWS\EHome
2008-03-08 05:45 . 2004-08-04 01:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-03-08 05:45 . 2004-08-02 15:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-03-08 05:45 . 2004-08-02 15:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-03-08 05:06 . 2005-05-23 10:34 2,920,448 --------- C:\WINDOWS\UNNMP.exe
2008-03-08 05:06 . 2005-11-14 07:11 49,870 --------- C:\WINDOWS\UNNMP.cfg
2008-03-08 05:05 . 2008-03-09 16:32 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2008-03-08 05:04 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-03-08 05:03 . 2008-03-08 05:03 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:05 <DIR> d-------- C:\Program Files\Ahead
2008-03-08 05:02 . 2008-03-08 05:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-08 04:53 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\VIA
2008-03-08 04:53 . 2006-06-14 04:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-03-08 04:53 . 2006-02-14 20:22 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-03-08 04:53 . 2006-06-14 05:00 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-03-08 04:53 . 2003-06-12 06:31 75,904 -ra------ C:\WINDOWS\system32\drivers\viasraid.sys
2008-03-08 04:53 . 2004-08-04 02:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-03-08 04:53 . 2001-08-17 15:00 54,272 --a--c--- C:\WINDOWS\system32\dllcache\swmidi.sys
2008-03-08 04:53 . 2004-08-04 02:07 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-03-08 04:53 . 2006-06-14 04:47 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-03-08 04:53 . 2004-08-04 02:07 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-03-08 04:53 . 2008-03-08 04:53 22 --a------ C:\WINDOWS\system32\ati64hlp.stb
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\Gigabyte
2008-03-08 04:52 . 2008-03-08 04:52 <DIR> d-------- C:\Program Files\AvRack
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2008-03-08 04:50 . 2001-08-17 14:58 35,840 --a--c--- C:\WINDOWS\system32\dllcache\isapnp.sys
2008-03-08 04:50 . 2001-10-18 00:00 6,144 -ra------ C:\WINDOWS\system32\drivers\viaidexp.sys
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-03-08 04:46 . 2008-03-08 04:53 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-03-08 04:46 . 2008-03-08 04:47 <DIR> d-------- C:\Program Files\ATI Technologies
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-03-08 04:40 . 2001-08-17 14:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-03-08 04:40 . 2001-08-17 15:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-03-08 02:00 . 2004-08-04 03:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-08 02:00 . 2004-08-04 03:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-08 02:00 . 2004-08-04 03:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-08 02:00 . 2004-08-04 03:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-03-08 02:00 . 2007-03-08 11:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2008-03-07 19:22 . 2007-03-19 12:18 104,064 --a------ C:\WINDOWS\system32\drivers\viamraid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-06 21:43 31,408 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-02-06 21:43 13,021 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-02-05 19:34 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-02-05 19:34 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-02-05 19:34 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-02-05 19:34 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-02-05 19:34 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-02-05 19:34 188,464 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-02-05 19:34 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-02-05 19:34 1,612 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-02-04 20:27 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2008-02-04 20:27 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2008-02-04 20:27 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2008-02-01 22:55 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2008-02-01 22:55 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2008-02-01 22:55 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2008-02-01 01:51 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2008-02-01 01:51 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2008-02-01 01:51 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2008-01-29 17:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-29 17:01 16,168 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-01-15 17:54 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-01-15 13:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-13 02:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
.

((((((((((((((((((((((((((((( [email protected]_22.32.05.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-03-10 04:47:52 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_65c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-23 22:08 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-03-08 20:13 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll" [2008-02-23 22:08 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [2008-02-23 22:08 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@={4433A54A-1AC8-432F-90FC-85F045CF383C}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@={F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@={476D0EA3-80F9-48B5-B70B-05E677C9C148}

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 04:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Trpm"="C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 14:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"DVDTray"="C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 04:58 65536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 15:37 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25 6731312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2008-03-08 04:53:49 561152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-06-12 06:31]
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-02-06 17:43]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-01-12 22:32]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2008-02-06 17:43]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 14:20:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-10 14:21:13
ComboFix-quarantined-files.txt 2008-03-10 18:21:02
ComboFix2.txt 2008-03-10 03:16:12
ComboFix3.txt 2008-03-10 02:32:39
.
2008-03-09 04:07:30 --- E O F ---

#8
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
One more thing to get rid of, then you are clear to go!

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\180search assistant


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad, and copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Save the Notepad file to your Desktop as OTM.txt.
  • Close OTMoveIt
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's have a clean-up. The first thing we need to do is remove all the tools that you have used. This is so that, should you ever be re-infected, you will download updated versions. It will also remove the quarantined malware from your computer.

Please double-click OTMoveIt.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot.

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Let's reset and re-enable your System Restore to remove any remaining infected files that have been backed up by Windows.

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest. Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java ™ 6 Update 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now let's download some preventative programs that will help to keep the nasties away! We will start with anti-spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy complement each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's look at firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


On to personal anti-virus programs. One AV is a must-have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AVs below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are, however, a couple of very good, malware-free instant messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help keep your computer from bogging down and slowing. It can also assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner - A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat
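An added example, not part of this thread and not ComboFix's own logic: a small Python triage script for the "Reg Loading Points" section of the ComboFix log posted above. It parses the REGEDIT4-style dump and flags what a helper would look at first: Run entries with no date/size recorded for the target (the "Trpm" entry pointing at an mmc.exe under My Documents), entries whose target lives under a user profile path, a well-known system binary name outside the Windows directory, and the settings that switch off the protections RatHat's reply asks the user to keep on (Security Center monitoring and the Windows Firewall standard profile). The sample input is copied from the log above; the heuristics, thresholds and the list of system binary names are the editor's own assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.
Added example for this thread: not from the original posts and not ComboFix's
own logic. The heuristics below are the editor's assumptions."""
import re

# Excerpt copied from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r'''
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"Trpm"="C:\DOCUME~1\Dustin\MYDOCU~1\DOBE~1\mmc.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-21 22:10 335872]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 14:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"="C:\path\file.exe" [date time size]; the metadata may be blank: "[ ]"
STR_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s*\[(.*)\])?\s*$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')
NUM_RE = re.compile(r'^"([^"]+)"=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)\s*$')  # "Name"= 0 (0x0)

def parse_loading_points(text):
    """Return {registry key: {value name: (value, file metadata)}}.
    Numeric values become ints with empty metadata; other lines are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4':
            continue
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif current is None:
            continue
        elif m := STR_RE.match(line):
            name, value, meta = m.groups()
            keys[current][name] = (value, (meta or '').strip())
        elif m := DWORD_RE.match(line):
            keys[current][m.group(1)] = (int(m.group(2), 16), '')
        elif m := NUM_RE.match(line):
            keys[current][m.group(1)] = (int(m.group(2)), '')
    return keys

# Editor's heuristics (assumptions, not ComboFix rules).
USER_PROFILE_MARKERS = ('\\documents and settings\\', '\\docume~1\\', '\\users\\')
# Windows binaries that belong under %SystemRoot%; a copy elsewhere is a
# common masquerade. Illustrative list, not exhaustive.
SYSTEM_BINARY_NAMES = {'mmc.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe'}

def triage_autostarts(keys):
    """Return [(value name, path, [reasons])] for Run entries worth a look."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith('\\currentversion\\run'):
            continue
        for name, (path, meta) in values.items():
            lowered, reasons = path.lower(), []
            if meta == '':
                reasons.append('no date/size recorded for the target ("[ ]")')
            if any(marker in lowered for marker in USER_PROFILE_MARKERS):
                reasons.append('autostart target lives in a user profile directory')
            basename = lowered.rsplit('\\', 1)[-1]
            if basename in SYSTEM_BINARY_NAMES and '\\windows\\' not in lowered:
                reasons.append(f'{basename} outside the Windows directory')
            if reasons:
                findings.append((name, path, reasons))
    return findings

def check_protection_state(keys):
    """Flag entries that switch off Security Center monitoring or the Windows
    Firewall standard profile. Security suites set these too, so each hit is
    something to confirm against what is installed, not a verdict."""
    issues = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith('\\security center\\monitoring') and values.get('DisableMonitoring', (0, ''))[0] == 1:
            issues.append('Security Center monitoring disabled at the root Monitoring key')
        if k.endswith('\\firewallpolicy\\standardprofile') and values.get('EnableFirewall', (1, ''))[0] == 0:
            issues.append('Windows Firewall is off for the standard profile')
    return issues

def triage(text):
    keys = parse_loading_points(text)
    return {'autostarts': triage_autostarts(keys), 'protection': check_protection_state(keys)}

if __name__ == '__main__':
    report = triage(SAMPLE_LOG)
    for name, path, reasons in report['autostarts']:
        print(f'REVIEW  {name} -> {path}: ' + '; '.join(reasons))
    for issue in report['protection']:
        print(f'POSTURE {issue}')
```

Read the output as a worklist, not a verdict. "Trpm" collects three reasons at once (blank metadata, a My Documents path, and an mmc.exe that is not the one in the Windows directory), which is why a helper chases it first. Norton's own osCheck.exe is flagged for the same blank-metadata reason and is a false positive a human dismisses in seconds. Likewise, suites such as Norton write DisableMonitoring under their own Security Center subkeys and take over from the Windows Firewall, so the two posture hits mean "confirm the third-party firewall is actually running", which is exactly the check RatHat asks the user to keep making.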

#9
DNeath

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Thank you very much, RatHat!! I went ahead and downloaded Spybot S&D, SpyBlaster and SpyGuard. Would using Norton Anti-virus be acceptable over AVG, since I already have a paid subscription? If not, that's fine, as I'm all for whatever you suggest. Again, many thanks!!!

#10
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
If you have a paid subscription with Norton then it's best to keep it. When it expires, then it is worth changing to AVG or Avast, both free and very good.

Make sure you use the immunize feature in Spybot and the protection feature in SpywareBlaster and you should be good to go. It is also a good idea to run an online scan every now and again, just to make sure nothing has crept in.

Regards,
RatHat

#11
DNeath

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Again, thank you so very much!! You've been a great help; it took a lot of stress off my shoulders.

One last question, if you would. Since I'm not sure what site I ended up getting these problems from, will these preventive measures stop it from happening again? I think I might know what site it was, and want to stay clear of there if there's a chance the problems will return, but again I'm not sure. I would like to return to my normal site visiting, but don't want to chance the return of these problems.

#12
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
These preventative methods will help, but will not guarantee that you will be safe. Try using a different browser; Firefox or Opera are both safer than IE. Also be careful when you browse; make sure that your firewall is running and that you keep as much protection as possible.

If things go wrong again, we are always here!

#13
DNeath

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Thank you very much for your time and help!! It's been greatly appreciated.

#14
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





