
Need help removing UDXFYTW.SYS [Solved]


  • This topic is locked

#31 fenzodahl512
  • Malware Removal
  • 9,863 posts

... It came back after I restarted my comp -_-


*fenzodahl512 scratches his head..


Ok dear, what comes back?.. Elaborate please?.. :)


Do this please...

Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results (if any) into this thread.



#32 elvisxb
  • Topic Starter
  • Member
  • 29 posts
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-12 17:43:33
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xF44AC040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xF44A8930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xF44B3A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xF44AC510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcess [0xF44B2870]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateProcessEx [0xF44B2AA0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateSection [0xF44B5FD0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateWaitablePort [0xF44AC600]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xF44A8F20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xF44B46E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xF44B4440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDuplicateObject [0xF44B2580]
SSDT spni.sys ZwEnumerateKey [0xF74E1CA2]
SSDT spni.sys ZwEnumerateValueKey [0xF74E2030]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xF44B48B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xF44A8D70]
SSDT spni.sys ZwOpenKey [0xF74C30C0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenProcess [0xF44B2350]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenThread [0xF44B2150]
SSDT spni.sys ZwQueryKey [0xF74E2108]
SSDT spni.sys ZwQueryValueKey [0xF74E1F88]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xF44B5250]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xF44B4CB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRequestWaitReplyPort [0xF44ABC00]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xF44B5080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSecureConnectPort [0xF44AC220]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xF44A9120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xF44B4140]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwTerminateProcess [0xF44B2CD0]

INT 0x62 ? 86FD9BF8
INT 0x63 ? 86EA3BF8
INT 0x82 ? 86FD9BF8
INT 0xA4 ? 86EA3BF8
INT 0xB4 ? 86EA3BF8

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 10, C5, 4A, F4, 70, 28, 4B, ... ]
? spni.sys The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6B2B62C 5 Bytes JMP 86EA31D8

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \Windows\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F6E2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74F4C4C] spni.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74F4CA0] spni.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74C4040] spni.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74C413C] spni.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74C40BE] spni.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74C47FC] spni.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74C46D2] spni.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86EA32D8
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F44B0CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F44B11C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F44B1320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F44B0E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F44B0E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F44B0CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F44B11C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F44B1320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F44B0CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F44B1320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F44B11C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F44B0E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F44B1320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F44B11C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F44B0CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F44B0E10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F44B0CA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F44B11C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F44B1320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F44BE330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F44A9670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F44A95C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F44A9770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F44A92D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86FD81F8
Device \FileSystem\Fastfat \FatCdrom 8692E1F8
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 86EA21F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F6C1F8
Device \Driver\dmio \Device\DmControl\DmConfig 86F6C1F8
Device \Driver\dmio \Device\DmControl\DmPnP 86F6C1F8
Device \Driver\dmio \Device\DmControl\DmInfo 86F6C1F8
Device \Driver\usbuhci \Device\USBPDO-1 86EA21F8
Device \Driver\usbuhci \Device\USBPDO-2 86EA21F8
Device \Driver\usbehci \Device\USBPDO-3 86E801F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{B6C841C7-DC8F-4EE8-80E6-FC9750C53A3C} 86BA11F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FDA1F8
Device \Driver\Cdrom \Device\CdRom0 86E611F8
Device \Driver\Cdrom \Device\CdRom1 86E611F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 86FD91F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86FD91F8
Device \Driver\atapi \Device\Ide\IdePort0 86FD91F8
Device \Driver\atapi \Device\Ide\IdePort1 86FD91F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 86FD91F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86BA11F8
Device \Driver\NetBT \Device\NetbiosSmb 86BA11F8
Device \Driver\smbusp \Device\SMBus0 86E4E1F8
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 86EA21F8
Device \Driver\usbuhci \Device\USBFDO-1 86EA21F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 869B2500
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\usbuhci \Device\USBFDO-2 86EA21F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 869B2500
Device \Driver\usbehci \Device\USBFDO-3 86E801F8
Device \Driver\Ftdisk \Device\FtControl 86FDA1F8
Device \FileSystem\Fastfat \Fat 8692E1F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 869511F8

---- Processes - GMER 1.0.14 ----

Process C:\Windows\system32\afisicx.exe (*** hidden *** ) 732
Process C:\Windows\system32\tdydowkc.exe (*** hidden *** ) 1144
Process C:\Windows\system32\wsldoekd.exe (*** hidden *** ) 1348
Process C:\Windows\system32\noytcyr.exe (*** hidden *** ) 1656
Process C:\Windows\system32\roytctm.exe (*** hidden *** ) 1924

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -166386092
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 413605899
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0x9F 0x96 0xE9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0x9F 0x96 0xE9 ...
Reg HKLM\SOFTWARE\Classes\.application\bootstrap@ bootstrap.application.1
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x8F 0xA2 0x6F 0x05 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{a7b5472d-a8fe-4bf7-94db-41210b295769}@Model 310
Reg HKLM\SOFTWARE\Classes\CLSID\{a7b5472d-a8fe-4bf7-94db-41210b295769}@Therad 31
Reg HKLM\SOFTWARE\Classes\CLSID\{a7b5472d-a8fe-4bf7-94db-41210b295769}@MData 0x2B 0x8F 0x78 0x29 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}@jafblbkabhdhoiholbnm 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}@kafblbkapgpmialkjjmkke 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}@fafblbkaeifn 0x66 0x61 0x70 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}@jacklggjdklpbopgemdp 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}@kacklggjjkglcclbdlifli 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}@facklggjokam 0x66 0x61 0x6D 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}@iadkfagndmejijgioo 0x6B 0x61 0x69 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}@habkllemgdioopnp 0x6B 0x61 0x68 0x64 ...

---- Files - GMER 1.0.14 ----

File C:\Documents and Settings\LocalService\Cookies\system@africa401k[1].txt 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SJKFD9E7\2col_lg_african_sunset[1].jpg 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SJKFD9E7\3col_sm_african_map[1].jpg 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SJKFD9E7\3col_sm_south_africa_coast[1].jpg 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SJKFD9E7\cookies[1].js 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SJKFD9E7\ga[1].js 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SJKFD9E7\__utm[1].gif 0 bytes

---- EOF - GMER 1.0.14 ----

#33 fenzodahl512
  • Malware Removal
  • 9,863 posts
Ok.. Delete your version of ComboFix and download the latest copy from below and save it to your Desktop..

Link 1
Link 2
Link 3



DON'T run it yet!!


Now, let's do this..


The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps that are listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go HERE and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.

For detailed instructions on how to back up the registry via ERUNT, please visit HERE



NEXT


Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :processes
    explorer.exe
    
    :services
    afisicx
    tdydowkc
    wsldoekd
    noytcyr
    roytctm
    
    :files
    C:\Windows\system32\afisicx.exe
    C:\Windows\system32\tdydowkc.exe
    C:\Windows\system32\wsldoekd.exe
    C:\Windows\system32\noytcyr.exe
    C:\Windows\system32\roytctm.exe
    
    :reg
    [-HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}]
    [-HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}]
    [-HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}]
    
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Now, run ComboFix.. Post these logs in your next reply..


1. OTMoveIt3
2. ComboFix
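fenzodahl512 built the OTMoveIt3 script above by hand from the GMER log: each process GMER reported as hidden became a :services and a :files entry, and the HKCU Shell Extensions\Approved keys GMER listed became :reg deletions. The Python below is an added example, not code from the thread, from GMER or from OTMoveIt3; it automates that triage over lines taken from the posted GMER log (the non-hidden explorer.exe process line is constructed), and its include_services switch drops the :services section the way the revised script later in the thread does. Every generated entry still has to be vetted by a person before it is run.

```python
"""Triage a GMER rootkit-scan log and draft an OTMoveIt3 script from it.

Added example for this thread (not GMER's, OTMoveIt3's or the helper's code).
It reproduces the manual triage in post #33: hidden processes -> :services and
:files entries, flagged HKCU Shell Extensions\\Approved keys -> :reg deletions.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the GMER log posted in this thread,
# plus one constructed non-hidden process line that must NOT be picked up.
SAMPLE_GMER_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-12 17:43:33

---- Processes - GMER 1.0.14 ----

Process C:\Windows\system32\afisicx.exe (*** hidden *** ) 732
Process C:\Windows\system32\tdydowkc.exe (*** hidden *** ) 1144
Process C:\Windows\explorer.exe 1500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -166386092
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}@jafblbkabhdhoiholbnm 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}

---- EOF - GMER 1.0.14 ----
"""

# GMER section header, e.g. "---- Processes - GMER 1.0.14 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# "Process <path> (*** hidden *** ) <pid>"; processes without the marker are ignored.
HIDDEN_PROC_RE = re.compile(
    r"^Process\s+(?P<path>[A-Za-z]:\\.+?)\s+\(\*\*\* hidden \*\*\*\s*\)\s+(?P<pid>\d+)\s*$"
)
# "Reg HKCU\...\Shell Extensions\Approved\{GUID}" with or without an "@value data" tail.
APPROVED_KEY_RE = re.compile(
    r"^Reg\s+(?P<key>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"Shell Extensions\\Approved\\\{[0-9A-Fa-f-]{36}\})(?:@\S+.*)?$"
)


@dataclass
class GmerFindings:
    hidden_processes: list = field(default_factory=list)  # (path, pid) in log order
    approved_keys: list = field(default_factory=list)     # distinct flagged keys, log order


def parse_gmer_log(text: str) -> GmerFindings:
    """Walk the log section by section and collect the two finding types we act on."""
    findings = GmerFindings()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section == "Processes":
            m = HIDDEN_PROC_RE.match(line)
            if m:
                findings.hidden_processes.append((m.group("path"), int(m.group("pid"))))
        elif section == "Registry":
            m = APPROVED_KEY_RE.match(line)
            if m and m.group("key") not in findings.approved_keys:
                findings.approved_keys.append(m.group("key"))
    return findings


def service_name(path: str) -> str:
    """In this thread each hidden exe had a service of the same base name (afisicx.exe -> afisicx)."""
    return ntpath.splitext(ntpath.basename(path))[0]


def build_otmoveit_script(findings: GmerFindings, include_services: bool = True) -> str:
    """Emit the script in the section layout used in the thread; empty sections are omitted."""
    sections = [(":processes", ["explorer.exe"])]
    if include_services:
        sections.append((":services", [service_name(p) for p, _ in findings.hidden_processes]))
    sections.append((":files", [p for p, _ in findings.hidden_processes]))
    sections.append((":reg", [f"[-{k}]" for k in findings.approved_keys]))
    sections.append((":commands", ["[purity]", "[emptytemp]", "[start explorer]", "[reboot]"]))
    blocks = ["\n".join([header] + entries) for header, entries in sections if entries]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    found = parse_gmer_log(SAMPLE_GMER_LOG)
    for path, pid in found.hidden_processes:
        print(f"hidden process pid {pid}: {path}")
    print(build_otmoveit_script(found))
```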

#34 elvisxb
  • Topic Starter
  • Member
  • 29 posts
When I tried to use OTMoveIt, it said it was unable to stop the services afisicx, noytcyr and roytctm. Then it froze on me.

#35 fenzodahl512
  • Malware Removal
  • 9,863 posts
Ok.. do the OTMoveIt3 step again but this time with this script..

:processes
explorer.exe

:files
C:\Windows\system32\afisicx.exe
C:\Windows\system32\tdydowkc.exe
C:\Windows\system32\wsldoekd.exe
C:\Windows\system32\noytcyr.exe
C:\Windows\system32\roytctm.exe

:reg
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}]
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}]

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]


Then run ComboFix again and post OTMoveIt3 and ComboFix log here :)

#36 elvisxb
  • Topic Starter
  • Member
  • 29 posts
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Windows\system32\afisicx.exe moved successfully.
C:\Windows\system32\tdydowkc.exe moved successfully.
C:\Windows\system32\wsldoekd.exe moved successfully.
C:\Windows\system32\noytcyr.exe moved successfully.
C:\Windows\system32\roytctm.exe moved successfully.
========== REGISTRY ==========
Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}\\ not found.
Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}\\ not found.
Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}\\ not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\mta115537.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta85186.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta94628.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta96129.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\Perflib_Perfdata_2f0.dat scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\Perflib_Perfdata_554.dat scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\Perflib_Perfdata_728.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12142008_092033

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\Windows\temp\mta115537.dll not found!
C:\Windows\temp\mta85186.dll unregistered successfully.
C:\Windows\temp\mta85186.dll moved successfully.
C:\Windows\temp\mta94628.dll unregistered successfully.
C:\Windows\temp\mta94628.dll moved successfully.
C:\Windows\temp\mta96129.dll unregistered successfully.
C:\Windows\temp\mta96129.dll moved successfully.
C:\Windows\temp\Perflib_Perfdata_2f0.dat moved successfully.
File C:\Windows\temp\Perflib_Perfdata_554.dat not found!
File C:\Windows\temp\Perflib_Perfdata_728.dat not found!

#37 elvisxb
  • Topic Starter
  • Member
  • 29 posts
Disregard that one. I had to do a System Restore because of a Security Zone error that wouldn't let me download files. x_x

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Windows\system32\afisicx.exe moved successfully.
C:\Windows\system32\tdydowkc.exe moved successfully.
C:\Windows\system32\wsldoekd.exe moved successfully.
C:\Windows\system32\noytcyr.exe moved successfully.
C:\Windows\system32\roytctm.exe moved successfully.
========== REGISTRY ==========
Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}\\ not found.
Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}\\ not found.
Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}\\ not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\mta39865.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta55704.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta64925.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta65072.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta74586.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta81116.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta94535.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\Perflib_Perfdata_4d0.dat scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\Perflib_Perfdata_540.dat scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\Perflib_Perfdata_670.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12142008_105331

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\Windows\temp\mta39865.dll not found!
File C:\Windows\temp\mta55704.dll not found!
C:\Windows\temp\mta64925.dll unregistered successfully.
C:\Windows\temp\mta64925.dll moved successfully.
C:\Windows\temp\mta65072.dll unregistered successfully.
C:\Windows\temp\mta65072.dll moved successfully.
C:\Windows\temp\mta74586.dll unregistered successfully.
C:\Windows\temp\mta74586.dll moved successfully.
C:\Windows\temp\mta81116.dll unregistered successfully.
C:\Windows\temp\mta81116.dll moved successfully.
C:\Windows\temp\mta94535.dll unregistered successfully.
C:\Windows\temp\mta94535.dll moved successfully.
File C:\Windows\temp\Perflib_Perfdata_4d0.dat not found!
C:\Windows\temp\Perflib_Perfdata_540.dat moved successfully.
File C:\Windows\temp\Perflib_Perfdata_670.dat not found!
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\byu37td0.default\XUL.mfl moved successfully.
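An OTMoveIt3 log like the one above is only useful if every target in the script is accounted for, and several entries were deferred to the reboot pass, where some were moved, some had vanished ("not found!") and one (index.dat) was deferred a second time. The Python below is an added example, not OldTimer's code or the thread's: it reconciles a script's targets against the log and lists whatever the reboot pass did not confirm as moved. The sample log is a shortened copy of the one posted above, and only the message forms that appear in this thread's logs are recognized.

```python
"""Reconcile an OTMoveIt3 script's targets against the log it produced.

Added example for this thread (not OldTimer's code). Recognized message forms
are the ones seen in the logs posted here: "<path> moved successfully.",
"Registry key <key>\\ not found.", "File delete failed. <path> scheduled to
be deleted on reboot.", "File move failed. <path> scheduled to be moved on
reboot." and "File <path> not found!". Anything else gets "no log entry".
"""
import re

# Constructed sample: a shortened copy of the OTMoveIt3 log posted in this thread.
SAMPLE_OTMOVEIT_LOG = r"""========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\Windows\system32\afisicx.exe moved successfully.
C:\Windows\system32\tdydowkc.exe moved successfully.
========== REGISTRY ==========
Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}\\ not found.
========== COMMANDS ==========
User's Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta39865.dll scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\mta64925.dll scheduled to be deleted on reboot.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12142008_105331

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\Windows\temp\mta39865.dll not found!
C:\Windows\temp\mta64925.dll unregistered successfully.
C:\Windows\temp\mta64925.dll moved successfully.
"""

# Targets taken from the :files and :reg sections of the script in post #35 (subset).
SCRIPT_TARGETS = [
    r"C:\Windows\system32\afisicx.exe",
    r"C:\Windows\system32\tdydowkc.exe",
    r"C:\Windows\system32\wsldoekd.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}",
]

REBOOT_MARKER = "Files moved on Reboot..."
# (pattern, status) pairs; the first match wins. Registry keys in the log carry a
# trailing "\\" which is stripped so they compare equal to the script's [-key] entries.
OUTCOME_PATTERNS = (
    (re.compile(r"^(?P<item>.+?) moved successfully\.$"), "moved"),
    (re.compile(r"^Registry key (?P<item>.+?)\\* not found\.$"), "not found"),
    (re.compile(r"^File delete failed\. (?P<item>.+?) scheduled to be deleted on reboot\.$"), "pending reboot"),
    (re.compile(r"^File move failed\. (?P<item>.+?) scheduled to be moved on reboot\.$"), "pending reboot"),
    (re.compile(r"^File (?P<item>.+?) not found!$"), "not found"),
)


def parse_otmoveit_log(text: str):
    """Return (main_pass, reboot_pass): item -> status, keyed case-insensitively like NTFS."""
    main, reboot = {}, {}
    phase = main
    for raw in text.splitlines():
        line = raw.strip()
        if line == REBOOT_MARKER:
            phase = reboot          # everything after this line is the deferred pass
            continue
        for pattern, status in OUTCOME_PATTERNS:
            m = pattern.match(line)
            if m:
                phase[m.group("item").lower()] = status
                break


    return main, reboot


def final_status(item: str, main: dict, reboot: dict) -> str:
    """Resolve a main-pass result through the reboot pass when it was deferred."""
    status = main.get(item.lower(), "no log entry")
    if status == "pending reboot":
        status = reboot.get(item.lower(), "no reboot entry")
        if status == "pending reboot":
            status = "still pending after reboot"
    return status


def reconcile(targets, text: str) -> dict:
    """Status of every script target, in the order the script listed them."""
    main, reboot = parse_otmoveit_log(text)
    return {t: final_status(t, main, reboot) for t in targets}


def unresolved(text: str) -> dict:
    """Deferred items the reboot pass did not confirm as moved (the ones to re-check)."""
    main, reboot = parse_otmoveit_log(text)
    return {p: final_status(p, main, reboot) for p, s in main.items()
            if s == "pending reboot" and reboot.get(p) != "moved"}


if __name__ == "__main__":
    for target, status in reconcile(SCRIPT_TARGETS, SAMPLE_OTMOVEIT_LOG).items():
        print(f"{status:>26}  {target}")
    print("unresolved after reboot pass:")
    for path, status in unresolved(SAMPLE_OTMOVEIT_LOG).items():
        print(f"{status:>26}  {path}")
```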

#38 elvisxb
  • Topic Starter
  • Member
  • 29 posts
ComboFix 08-12-13.03 - User 2008-12-14 11:03:30.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.629 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\system32\comsa32.sys
c:\windows\system32\Install.txt
c:\windows\system32\mabidwe.exe
c:\windows\system32\soxpeca.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\udxfytw.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_NOYTCYR
-------\Legacy_ROYTCTM
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_noytcyr
-------\Service_roytctm
-------\Service_soxpeca
-------\Service_tdydowkc
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2008-11-14 to 2008-12-14 )))))))))))))))))))))))))))))))
.

2008-12-14 10:40 . 2008-12-14 10:40 <DIR> d-------- c:\program files\Zone Labs
2008-12-14 09:20 . 2008-12-14 10:41 <DIR> d-------- C:\RECYCLER(2)
2008-12-12 17:32 . 2008-12-12 17:32 <DIR> d-------- c:\program files\AviSynth 2.5
2008-12-12 17:31 . 2008-12-12 17:31 <DIR> d-------- c:\program files\eRightSoft
2008-12-11 18:17 . 2008-12-11 18:57 59,392 --a------ c:\windows\system32\msnioed.exe
2008-12-11 15:12 . 2008-12-11 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier
2008-12-05 17:21 . 2008-12-05 17:21 <DIR> d-------- C:\_OTMoveIt
2008-12-03 18:39 . 2008-12-03 18:40 <DIR> d-------- c:\windows\ERUNT
2008-12-03 18:37 . 2008-12-14 10:42 <DIR> d-------- c:\documents and settings\Administrator.ELVIS-COMP-
2008-12-03 18:20 . 2008-12-03 20:53 <DIR> d-------- C:\SDFix
2008-12-02 19:47 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 19:44 . 2008-12-02 19:44 <DIR> d-------- c:\program files\ERUNT
2008-12-02 19:19 . 2008-12-04 20:16 <DIR> d-------- C:\rsit
2008-12-02 19:19 . 2008-12-02 19:27 <DIR> d-------- c:\program files\trend micro
2008-12-01 20:24 . 2008-12-06 19:35 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 20:24 . 2008-12-01 20:24 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2008-12-01 20:24 . 2008-12-01 20:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-01 20:24 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-01 20:24 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-25 13:02 . 2008-11-25 13:02 <DIR> d-------- c:\program files\microsoft frontpage
2008-11-24 14:32 . 2008-11-24 14:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2008-11-22 19:15 . 2008-11-22 20:54 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-22 18:49 . 2008-11-22 18:49 <DIR> d-------- c:\program files\IObit
2008-11-22 18:43 . 2008-11-22 18:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 18:31 . 2008-11-22 18:31 62 ---hs---- c:\windows\system32\@#$#.htm
2008-11-19 18:54 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll
2008-11-19 00:09 . 2008-11-19 00:09 <DIR> d-------- c:\documents and settings\User\Application Data\Ubisoft
2008-11-19 00:09 . 2008-11-19 00:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ubisoft
2008-11-17 22:28 . 2008-12-01 19:42 7,875 --a------ C:\xp_emergencyutil.zip
2008-11-15 21:46 . 2008-11-15 21:46 <DIR> d-------- c:\program files\Ventrilo
2008-11-15 21:46 . 2008-11-15 21:46 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2008-11-15 21:45 . 2008-11-22 18:42 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-14 13:17 . 2008-11-14 13:18 <DIR> d-------- c:\program files\iTunes
2008-11-14 13:17 . 2008-11-14 13:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-12 23:37 --------- d-----w c:\documents and settings\User\Application Data\Move Networks
2008-12-12 00:09 --------- d-----w c:\program files\Warcraft III
2008-12-10 23:14 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2008-12-07 22:44 --------- d-----w c:\program files\Java
2008-12-03 01:17 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-02 02:08 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-22 23:43 --------- d-----w c:\program files\Lavasoft
2008-11-22 23:43 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-19 19:46 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-16 02:46 --------- d-----w c:\documents and settings\User\Application Data\Ventrilo
2008-11-15 21:22 --------- d-----w c:\program files\World of Warcraft
2008-11-14 18:17 --------- d-----w c:\program files\iPod
2008-11-14 17:51 --------- d-----w c:\program files\Safari
2008-11-08 05:26 --------- d-----w c:\program files\Guild Wars
2008-11-04 06:06 --------- d-----w c:\program files\StepMania
2008-10-29 02:47 --------- d-----w c:\program files\LimeWirepr
2008-10-25 10:39 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-10-18 19:28 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-17 21:18 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-16 22:57 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2005-07-31 16:34 139 ---ha-w c:\program files\Desktop.ini
2005-03-11 01:51 32 -c--a-r c:\documents and settings\All Users\hash.dat
2004-10-13 16:24 1,694,208 --sha-w c:\windows\FlyakiteOSX\Backup\msmsgs.exe
2005-02-19 22:32 56 --sha-r c:\windows\system32\88105EFAED.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_17.32.19.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-14 02:45:45 21,061,632 ----a-w c:\windows\ERDNT\12-13-2008\Users\00000001\ntuser.dat
+ 2008-12-14 02:45:45 1,773,568 ----a-w c:\windows\ERDNT\12-13-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\2008-12-14\ERDNT.EXE
+ 2008-12-14 15:53:18 21,061,632 ----a-w c:\windows\ERDNT\2008-12-14\Users\00000001\ntuser.dat
+ 2008-12-14 15:53:18 1,773,568 ----a-w c:\windows\ERDNT\2008-12-14\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\12-10-2008\ERDNT.EXE
+ 2008-12-10 19:29:12 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\12-10-2008\Users\00000001\ntuser.dat
+ 2008-12-10 19:29:12 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\12-10-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\12-11-2008\ERDNT.EXE
+ 2008-12-11 18:22:20 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\12-11-2008\Users\00000001\ntuser.dat
+ 2008-12-11 18:22:21 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\12-11-2008\Users\00000002\UsrClass.dat
+ 2008-12-12 22:13:39 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\12-12-2008\Users\00000001\ntuser.dat
+ 2008-12-12 22:13:40 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\12-12-2008\Users\00000002\UsrClass.dat
+ 2008-12-14 02:20:48 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\12-13-2008\Users\00000001\ntuser.dat
+ 2008-12-14 02:20:48 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\12-13-2008\Users\00000002\UsrClass.dat
+ 2008-12-14 13:30:49 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\12-14-2008\Users\00000001\ntuser.dat
+ 2008-12-14 13:30:50 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\12-14-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\12-6-2008\ERDNT.EXE
+ 2008-12-06 05:17:26 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\12-6-2008\Users\00000001\ntuser.dat
+ 2008-12-06 05:17:27 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\12-6-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\12-7-2008\ERDNT.EXE
+ 2008-12-07 13:06:02 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\12-7-2008\Users\00000001\ntuser.dat
+ 2008-12-07 13:06:03 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\12-7-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\12-8-2008\ERDNT.EXE
+ 2008-12-08 19:35:34 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\12-8-2008\Users\00000001\ntuser.dat
+ 2008-12-08 19:35:35 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\12-8-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\12-9-2008\ERDNT.EXE
+ 2008-12-09 19:27:16 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\12-9-2008\Users\00000001\ntuser.dat
+ 2008-12-09 19:27:16 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\12-9-2008\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-05\ERDNT.EXE
+ 2008-12-06 04:41:38 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-05\Users\00000001\ntuser.dat
+ 2008-12-06 04:41:39 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-05\Users\00000002\UsrClass.dat
+ 2008-12-12 00:26:49 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-11\Users\00000001\ntuser.dat
+ 2008-12-12 00:26:50 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-11\Users\00000002\UsrClass.dat
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-14\ERDNT.EXE
+ 2008-12-14 15:46:28 21,061,632 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-14\Users\00000001\ntuser.dat
+ 2008-12-14 15:46:29 1,773,568 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-14\Users\00000002\UsrClass.dat
+ 2008-12-12 00:31:42 507,904 ----a-w c:\windows\ERDNT\Hiv-backup(2)\Users(2)\00000001(2)\ntuser.dat
+ 2008-12-12 00:31:42 1,224,704 ----a-w c:\windows\ERDNT\Hiv-backup(2)\Users(2)\00000002(2)\UsrClass.dat
+ 2008-12-12 00:31:44 21,061,632 ----a-w c:\windows\ERDNT\Hiv-backup(2)\Users(2)\00000003(2)\ntuser.dat
+ 2008-12-12 00:31:44 1,773,568 ----a-w c:\windows\ERDNT\Hiv-backup(2)\Users(2)\00000004(2)\UsrClass.dat
+ 2008-12-12 00:31:44 491,520 ----a-w c:\windows\ERDNT\Hiv-backup(2)\Users(2)\00000005(2)\ntuser.dat
+ 2008-12-12 00:31:45 1,224,704 ----a-w c:\windows\ERDNT\Hiv-backup(2)\Users(2)\00000006(2)\UsrClass.dat
- 2008-11-19 23:54:28 148,888 ----a-w c:\windows\FlyakiteOSX\Backup\javaws.exe
+ 2008-11-10 10:43:39 148,888 ----a-w c:\windows\FlyakiteOSX\Backup\javaws.exe
- 2008-12-04 23:14:34 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-14 15:55:23 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-04 23:14:34 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-14 15:55:23 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-11 18:35:56 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008120120081208\index.dat
+ 2008-12-12 00:01:45 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008121120081212\index.dat
+ 2008-12-14 15:55:23 114,688 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-22 23:20:37 1,552,152 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-14 16:09:12 1,552,152 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-11-19 23:54:28 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-11-10 10:43:37 144,792 ----a-w c:\windows\system32\java.exe
- 2008-11-19 23:54:28 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-11-10 10:43:38 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-11-19 23:54:28 136,600 ----a-w c:\windows\system32\javaws.exe
+ 2008-11-10 10:43:39 136,600 ----a-w c:\windows\system32\javaws.exe
- 2008-07-15 17:14:35 4,996 -c--a-w c:\windows\system32\Restore\rstrlog.dat
+ 2008-12-14 15:43:07 664,964 -c--a-w c:\windows\system32\Restore\rstrlog.dat
- 2006-02-27 03:06:20 4,212 -c-h--w c:\windows\system32\zllictbl.dat
+ 2008-12-11 23:08:00 4,212 -c-h--w c:\windows\system32\zllictbl.dat
+ 2008-12-14 16:09:22 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1e0.dat
+ 2008-12-14 16:09:21 16,384 ----atw c:\windows\temp\Perflib_Perfdata_2b4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"STYLEXP"="c:\program files\TGTSoft\StyleXP\StyleXP.exe" [2004-10-25 1118208]
"UberIcon"="c:\program files\UberIcon\UberIcon Manager.exe" [2006-02-23 188416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="c:\program files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 90112]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2003-06-19 116224]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"razer"="c:\program files\Razer\Copperhead\razerhid.exe" [2005-10-08 155648]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 2051096]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 2095640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 94208]
"System Files Updater"="c:\windows\FlyakiteOSX\Tools\System Files Updater.exe" [2006-02-25 118485]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

c:\documents and settings\User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Transparent Windows.lnk - c:\documents and settings\User\Application Data\Microsoft\Installer\{3105352A-DA47-473F-9D85-3867FE9EDF35}\_609D529CCA3C1366DBDAE8.exe [2008-05-04 10134]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.wmv3"= c:\progra~1\COMBIN~1\Filters\wmv9vcm.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.0.8.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MiniEYE-MiniREAD Launch.lnk]
backup=c:\windows\pss\MiniEYE-MiniREAD Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Account Setup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMWDInstallFilename]
--a--c--- 2004-01-12 14:29 102400 c:\progra~1\AIM\AIMWDI~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a--c--- 2004-08-04 02:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeadAIM]
--a------ 2003-06-19 01:38 116224 c:\program files\AIM\DeadAIM.ocm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a--c--- 2001-08-23 07:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a--c--- 2004-08-04 00:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2005-08-11 14:30 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2005-08-11 14:30 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1686016 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a--c--- 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a--c--- 2002-08-28 20:39 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
-ra--c--- 2001-07-09 05:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra--c--- 2001-07-09 05:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-02 21:46 13529088 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a------ 2007-09-04 18:25 81920 c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 21:46 94208 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a--c--- 2002-08-28 20:39 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a--c--- 2002-08-28 20:39 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
-----c--- 2003-10-31 18:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
--a------ 2002-06-26 16:36 90112 c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
--a--c--- 2004-10-25 14:36 1118208 c:\program files\TGTSoft\StyleXP\StyleXP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-03-04 15:07 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a--c--- 2005-03-04 11:01 88209 c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 21:46 1630208 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"NVSvc"=2 (0x2)
"Netlogon"=3 (0x3)
"navapsvc"=2 (0x2)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SONY_MEDIAMGR"=3 (0x3)
"LmHosts"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"ImapiService"=3 (0x3)
"IDriverT"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apache"=2 (0x2)
"ALG"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"usnjsvc"=3 (0x3)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"npkcsvc"=2 (0x2)
"MDM"=2 (0x2)
"mabidwe"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWirepr\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16785:TCP"= 16785:TCP:BitComet 16785 TCP
"16785:UDP"= 16785:UDP:BitComet 16785 UDP
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)

R3 Razerlow;Razer Copperhead Driver;c:\windows\system32\Drivers\Razerlow.sys [2007-04-25 19020]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 uisp;Freescale USB JW32 driver;c:\windows\system32\Drivers\usbicp.sys [2007-04-25 162900]
S3 VGAUTI;VGAUTI;\??\c:\windows\system32\DRIVERS\VGAUTI.sys [2005-06-19 37880]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-13 c:\windows\Tasks\CAAntiSpywareScan_Daily as User at 7 16 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe []

2008-12-08 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-10-22 10:13]

2007-11-24 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2007-10-22 10:13]

2007-11-24 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-New - c:\progra~1\NEWDOT~1\NEWDOT~2.DLL


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: >>> FREE PORN GALLERIES <<< - java script:{document.location='http://sexmaxx.com/freegalleries.htm';}
IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Download ALL with IDA - c:\program files\IDA\idaieall.htm
IE: Download with IDA - c:\program files\IDA\idaie.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
IE: {{28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC}
IE: {{28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 11:09:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\cscui.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
c:\program files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
c:\program files\Razer\Copperhead\razertra.exe
c:\program files\Razer\Copperhead\razerofa.exe
c:\program files\Transparent Windows\Transparent.exe
.
**************************************************************************
.
Completion time: 2008-12-14 11:16:41 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2008-12-14 16:16:19
ComboFix2.txt 2008-12-12 00:32:09
ComboFix3.txt 2008-12-06 04:46:22
ComboFix4.txt 2008-12-05 22:34:06

Pre-Run: 25,540,911,104 bytes free
Post-Run: 25,492,180,992 bytes free

393 --- E O F --- 2008-08-28 06:08:32
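Reading a ComboFix report like the one above, the entries worth a second look are the ones that still point at a file ComboFix could not find. ComboFix follows each Run value, Startup shortcut, driver and scheduled-task target with a bracket holding the file's date and size, and prints an empty bracket "[]" when the file is absent: here XDva202.sys, the CA Anti-Spyware task and the Uniblue SpyEraser task. The script below is an added example, not part of this thread and not ComboFix's own code; it relies on that empty-bracket convention (an assumption about the log format, stated in the code) and on a log excerpt copied from the report above and trimmed. A dangling entry is a leftover to clean up, not proof of malware, but pulling them out mechanically leaves a short list to verify by hand instead of a thousand lines.

```python
"""Triage of a ComboFix log for autostart, driver and scheduled-task entries
whose target file is no longer on disk.

Assumption about the format: ComboFix ends each such entry with a bracket
holding the target's timestamp and size, and prints an empty bracket "[]"
when the file is absent.  Lines are matched by shape, not by section, so the
whole log can be fed in unchanged.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    kind: str    # "run" (registry Run value), "startup" (.lnk), "driver", "task"
    name: str
    path: str
    stamp: str   # bracket contents, e.g. "2008-09-06 413696"; "" when the file is missing

    @property
    def file_missing(self) -> bool:
        return self.stamp == ""


# One pattern per line shape; the [...] bracket is always the last thing on the line.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]*)\]\s*$')
STARTUP_RE = re.compile(r'^(?P<name>.+?\.lnk)\s+-\s+(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$')
DRIVER_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$')
TASK_RE = re.compile(r'^-\s+(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$')


def parse_combofix(text: str) -> List[Entry]:
    """Return every Run value, Startup shortcut, driver and task target found."""
    entries: List[Entry] = []
    pending_job = ""   # the .job file named on the line before a task's target line
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().endswith(".job"):
            pending_job = line.rsplit("\\", 1)[-1]
            continue
        if m := RUN_RE.match(line):
            entries.append(Entry("run", m["name"], m["path"], m["stamp"]))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("startup", m["name"], m["path"], m["stamp"]))
        elif m := DRIVER_RE.match(line):
            entries.append(Entry("driver", m["name"], m["path"], m["stamp"]))
        elif m := TASK_RE.match(line):
            name = pending_job or m["path"].rsplit("\\", 1)[-1]
            entries.append(Entry("task", name, m["path"], m["stamp"]))
            pending_job = ""
    return entries


def missing_targets(text: str) -> List[Entry]:
    """Entries that still load or schedule a file ComboFix could not find."""
    return [e for e in parse_combofix(text) if e.file_missing]


def report(text: str) -> List[str]:
    """One line per dangling entry, the list a helper would ask about next."""
    return [f"{e.kind:7} {e.name} -> {e.path} (file not found)" for e in missing_targets(text)]


# Excerpt copied from the ComboFix report posted above, trimmed to a few entries.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

R3 Razerlow;Razer Copperhead Driver;c:\windows\system32\Drivers\Razerlow.sys [2007-04-25 19020]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-13 c:\windows\Tasks\CAAntiSpywareScan_Daily as User at 7 16 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe []

2007-11-24 c:\windows\Tasks\Uniblue SpyEraser.job
- c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
"""

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run against the full log rather than the excerpt and the same three entries come out; the msconfig\services values such as "mabidwe"=2 carry no path and are deliberately left for manual review, since a disabled service with no matching driver or file entry elsewhere in the report is exactly the kind of orphan the next post removes.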

#39 fenzodahl512 (Malware Removal, 9,863 posts)
Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked.
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

:processes
explorer.exe

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mabidwe"=-

:commands
[purity]
[emptytemp]
[start explorer]
[reboot]

  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Then run GMER, then update and run Malwarebytes' again. Post these logs in your next reply:

1. OTMoveIt3
2. Malwarebytes'
3. Attach GMER log

#40 elvisxb (Topic Starter, Member, 29 posts)
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\mabidwe deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\Perflib_Perfdata_1e0.dat scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\Perflib_Perfdata_2b4.dat scheduled to be deleted on reboot.
File delete failed. C:\Windows\temp\Perflib_Perfdata_488.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12142008_151407

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Windows\temp\Perflib_Perfdata_1e0.dat moved successfully.
File C:\Windows\temp\Perflib_Perfdata_2b4.dat not found!
File C:\Windows\temp\Perflib_Perfdata_488.dat not found!


#41 elvisxb (Topic Starter, Member, 29 posts)
Malwarebytes' Anti-Malware 1.31
Database version: 1490
Windows 5.1.2600 Service Pack 2

12/14/2008 8:00:02 PM
mbam-log-2008-12-14 (20-00-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 168541
Time elapsed: 1 hour(s), 34 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msnioed.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5F45823C-3A38-4334-8B0C-1C20657F6CF6}\RP9\A0002014.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#42 fenzodahl512 (Malware Removal, 9,863 posts)
Pssstt... run GMER again as you did before and attach its fresh report here. Then tell me, how is the computer now? :)
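A GMER report is read module by module rather than line by line: each SSDT line names the driver whose handler now sits in the syscall table, with the file's version description in parentheses when GMER could read it and a bare address instead of a module when it could not map the handler to any loaded driver, and a "? module The system cannot find the file specified. !" line in the kernel-code-section block means the driver is loaded but its file is not reachable on disk. The script below is an added example, not part of this thread and not GMER's code; it groups the hooks by module and marks the ones a reviewer has to look up by hand. Two caveats a practitioner would want: the version description is read from the file's own resource and can be forged, so it is a pointer for a lookup, not proof of legitimacy; and "no description, file not found, hooks on the registry syscalls and on atapi's port I/O imports" under a random sp??.sys name alongside Services\sptd registry keys, as in the report that follows in the next post, is the well-known footprint of the SPTD disc-emulation driver (Daemon Tools / Alcohol 120%), which GMER reports on every machine that has it installed, so the flag is a prompt to check, not a verdict. The sample report embedded below is constructed from the line shapes seen in this thread; examplefw.sys and its vendor string are made up for the example.

```python
"""Triage of the "System" (SSDT) and "Kernel IAT/EAT" sections of a GMER report.

Line shapes handled (as seen in this thread):
    SSDT <module> (<version description>) <ZwFunction> [0x<handler address>]
    SSDT <bare address> <ZwFunction>                  # handler not mapped to a driver
    IAT <target>[<import>] [<address>] <module>
    IAT <target>[<import>] <bare address>             # hook not mapped to a driver
    ? <module> The system cannot find the file specified. !
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<func>Zw\w+)"
    r"(?:\s+\[0x(?P<addr>[0-9A-Fa-f]+)\])?\s*$"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<target>[^\[\s]+)\[(?P<import>[^\]]+)\]\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<raw>[0-9A-Fa-f]+))\s*$"
)
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified\.")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Finding:
    module: str                    # base file name, or the bare address when unresolved
    vendor: Optional[str] = None   # GMER's version description, if it printed one
    ssdt: List[str] = field(default_factory=list)
    iat: int = 0
    file_found: bool = True
    resolved: bool = True

    @property
    def needs_review(self) -> bool:
        # Anything GMER could not tie to a readable, described file on disk.
        return not self.resolved or not self.file_found or self.vendor is None


def _basename(module: str) -> str:
    return module.rsplit("\\", 1)[-1].lower()


def triage(text: str) -> List[Finding]:
    """Group SSDT/IAT hooks by module; modules needing manual review come first."""
    findings: Dict[str, Finding] = {}

    def get(module: str) -> Finding:
        if BARE_ADDR_RE.match(module):
            key = module.upper()
            return findings.setdefault(key, Finding(key, resolved=False))
        key = _basename(module)
        return findings.setdefault(key, Finding(key))

    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            f = get(m["module"])
            f.ssdt.append(m["func"])
            if m["desc"]:
                f.vendor = m["desc"]
        elif m := IAT_RE.match(line):
            get(m["module"] or m["raw"]).iat += 1
        elif m := MISSING_RE.match(line):
            get(m["module"]).file_found = False
    return sorted(findings.values(), key=lambda f: (not f.needs_review, f.module))


def summary(text: str) -> List[str]:
    """One line per module with the reasons it was flagged, if any."""
    out = []
    for f in triage(text):
        why = []
        if not f.resolved:
            why.append("hook not mapped to any loaded driver")
        if not f.file_found:
            why.append("driver file not on disk")
        if f.resolved and f.vendor is None:
            why.append("no version description")
        tag = "REVIEW" if f.needs_review else "ok"
        out.append(f"{tag:6} {f.module}: ssdt={len(f.ssdt)} iat={f.iat} "
                   f"vendor={f.vendor or '-'} {'; '.join(why)}".rstrip())
    return out


# Constructed sample: spqz.sys lines follow the report later in this thread,
# examplefw.sys and its vendor string are invented for the example.
GMER_SAMPLE = r"""
---- System - GMER 1.0.14 ----

SSDT 86D84DA8 ZwConnectPort
SSDT spqz.sys ZwCreateKey [0xF74C30E0]
SSDT spqz.sys ZwEnumerateKey [0xF74E1CA2]
SSDT spqz.sys ZwOpenKey [0xF74C30C0]
SSDT spqz.sys ZwQueryValueKey [0xF74E1F88]
SSDT \SystemRoot\System32\Drivers\examplefw.sys (Example Firewall Driver/Example Vendor, Inc.) ZwCreateProcess [0xF7A10000]

---- Kernel code sections - GMER 1.0.14 ----

? spqz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6B3F62C 5 Bytes JMP 86EB44E0

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74F4C4C] spqz.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74C4040] spqz.sys
IAT \Windows\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F6E2D8
"""

if __name__ == "__main__":
    for line in summary(GMER_SAMPLE):
        print(line)
```

The output puts the unmapped handlers and spqz.sys at the top and the described driver at the bottom; the next step for each flagged module is to check whether a known product explains it (the sptd registry keys in the same report, in the spqz.sys case) before treating it as the rootkit the thread is hunting.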

#43 elvisxb (Topic Starter, Member, 29 posts)
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-12-15 19:35:37
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT 86D84DA8 ZwConnectPort
SSDT spqz.sys ZwCreateKey [0xF74C30E0]
SSDT spqz.sys ZwEnumerateKey [0xF74E1CA2]
SSDT spqz.sys ZwEnumerateValueKey [0xF74E2030]
SSDT spqz.sys ZwOpenKey [0xF74C30C0]
SSDT spqz.sys ZwQueryKey [0xF74E2108]
SSDT spqz.sys ZwQueryValueKey [0xF74E1F88]
SSDT spqz.sys ZwSetValueKey [0xF74E219A]

INT 0x62 ? 86FD9BF8
INT 0x63 ? 86EB4F00
INT 0x82 ? 86FD9BF8
INT 0xA4 ? 86EB4F00
INT 0xB4 ? 86EB4F00

---- Kernel code sections - GMER 1.0.14 ----

? spqz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F6B3F62C 5 Bytes JMP 86EB44E0

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Winamp\winamp.exe[388] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 0267A68D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[388] USER32.dll!GetScrollInfo 7E420DA2 7 Bytes JMP 0267A615 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[388] USER32.dll!ShowScrollBar 7E42F2B3 5 Bytes JMP 0267A711 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[388] USER32.dll!GetScrollPos 7E42F6C4 5 Bytes JMP 0267A63D C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[388] USER32.dll!SetScrollPos 7E42F710 5 Bytes JMP 0267A6B8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[388] USER32.dll!GetScrollRange 7E42F747 5 Bytes JMP 0267A662 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[388] USER32.dll!SetScrollRange 7E42F95B 5 Bytes JMP 0267A6E3 C:\Program Files\Winamp\Plugins\gen_jumpex.dll
.text C:\Program Files\Winamp\winamp.exe[388] USER32.dll!EnableScrollBar 7E467DDD 7 Bytes JMP 0267A5ED C:\Program Files\Winamp\Plugins\gen_jumpex.dll

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \Windows\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86F6E2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74F4C4C] spqz.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74F4CA0] spqz.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74C4040] spqz.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74C413C] spqz.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74C40BE] spqz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74C47FC] spqz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74C46D2] spqz.sys
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86EB45E0

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 86FD81F8
Device \FileSystem\Fastfat \FatCdrom 865EA1F8
Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 86EA41F8
Device \Driver\usbuhci \Device\USBPDO-1 86EA41F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F6C1F8
Device \Driver\dmio \Device\DmControl\DmConfig 86F6C1F8
Device \Driver\dmio \Device\DmControl\DmPnP 86F6C1F8
Device \Driver\dmio \Device\DmControl\DmInfo 86F6C1F8
Device \Driver\usbuhci \Device\USBPDO-2 86EA41F8
Device \Driver\usbehci \Device\USBPDO-3 86E821F8
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{B6C841C7-DC8F-4EE8-80E6-FC9750C53A3C} 86B231F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 86FDA1F8
Device \Driver\Cdrom \Device\CdRom0 86E631F8
Device \Driver\Cdrom \Device\CdRom1 86E631F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 86FD91F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86FD91F8
Device \Driver\atapi \Device\Ide\IdePort0 86FD91F8
Device \Driver\atapi \Device\Ide\IdePort1 86FD91F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 86FD91F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86B231F8
Device \Driver\NetBT \Device\NetbiosSmb 86B231F8
Device \Driver\smbusp \Device\SMBus0 86E501F8
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 86EA41F8
Device \Driver\usbuhci \Device\USBFDO-1 86EA41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86AF31F8
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-2 86EA41F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86AF31F8
Device \Driver\usbehci \Device\USBFDO-3 86E821F8
Device \Driver\Ftdisk \Device\FtControl 86FDA1F8
Device \FileSystem\Fastfat \Fat 865EA1F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 86ABE500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -166386092
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 413605899
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0x9F 0x96 0xE9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0x9F 0x96 0xE9 ...
Reg HKLM\SOFTWARE\Classes\.application\bootstrap@ bootstrap.application.1
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x8F 0xA2 0x6F 0x05 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{a7b5472d-a8fe-4bf7-94db-41210b295769}@Model 310
Reg HKLM\SOFTWARE\Classes\CLSID\{a7b5472d-a8fe-4bf7-94db-41210b295769}@Therad 31
Reg HKLM\SOFTWARE\Classes\CLSID\{a7b5472d-a8fe-4bf7-94db-41210b295769}@MData 0x2B 0x8F 0x78 0x29 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}@jafblbkabhdhoiholbnm 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}@kafblbkapgpmialkjjmkke 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{1A2494C6-D57C-F622-9EEB-25F3A1787970}@fafblbkaeifn 0x66 0x61 0x70 0x6E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}@jacklggjdklpbopgemdp 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}@kacklggjjkglcclbdlifli 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{38D97035-5EA0-83AE-0F39-FA766A22A1A1}@facklggjokam 0x66 0x61 0x6D 0x6D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}@iadkfagndmejijgioo 0x6B 0x61 0x69 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BF9DE1D7-DE21-AC16-C4F8-92A74B34600F}@habkllemgdioopnp 0x6B 0x61 0x68 0x64 ...

---- EOF - GMER 1.0.14 ----


My computer is running perfectly. Thanks for your help again :)
  • 0
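As an added example (not part of this thread and not GMER's own code), here is a small Python triage script for the Registry section of a GMER log like the one above. It parses the `Reg` lines into key path, value name and data, then flags two things a reviewer looks for: value names that look machine-generated (long, all-lowercase, with runs of consonants, like the `jafblbkabhdhoiholbnm` entries above), and anything under `Shell Extensions\Approved` that is not a `{CLSID}`-named value, since that key normally holds only CLSID-named description strings. The heuristics and their thresholds are my own assumptions, not something GMER reports; the sample input is four lines copied from the log plus one made-up benign entry (the `Example` key) for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four lines copied from the GMER log in this thread plus
# one made-up benign entry (the "Example" key) so the benign path is exercised.
SAMPLE_LOG = """\
Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\sptd\\Cfg@s1 -166386092
Reg HKLM\\SOFTWARE\\Classes\\CLSID\\{a7b5472d-a8fe-4bf7-94db-41210b295769}@Model 310
Reg HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\\{1A2494C6-D57C-F622-9EEB-25F3A1787970}
Reg HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\\{1A2494C6-D57C-F622-9EEB-25F3A1787970}@jafblbkabhdhoiholbnm 0x61 0x61 0x00 0x00
Reg HKLM\\SOFTWARE\\Example\\Settings@DisplayName Example Product
"""


@dataclass
class RegEntry:
    key: str
    value: Optional[str]        # None for a bare key line, "" for the default value
    data: str
    reasons: List[str] = field(default_factory=list)


GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
VOWELS = set("aeiou")


def parse_reg_line(line: str) -> Optional[RegEntry]:
    """Parse one 'Reg <key>[@<value>] [<data>]' line from the GMER Registry section."""
    if not line.startswith("Reg "):
        return None
    body = line[4:].rstrip()
    # The value name, if any, follows the first '@' after the final backslash.
    # Key paths may contain spaces ("Shell Extensions"), so never split on
    # whitespace before the '@' has been located.
    last_sep = body.rfind("\\")
    at = body.find("@", last_sep + 1)
    if at == -1:
        return RegEntry(key=body, value=None, data="")
    key = body[:at]
    value, _, data = body[at + 1:].partition(" ")
    return RegEntry(key=key, value=value, data=data)


def longest_consonant_run(name: str) -> int:
    run = best = 0
    for ch in name:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(name: str) -> bool:
    """Assumed heuristic: long, all-lowercase alphabetic names with a run of
    four or more consonants are unlike anything an installer writes."""
    return (len(name) >= 10 and name.isalpha() and name.islower()
            and longest_consonant_run(name) >= 4)


def analyse(entry: RegEntry) -> RegEntry:
    if entry.value is not None and looks_generated(entry.value):
        entry.reasons.append("value name looks machine-generated")
    # Under Shell Extensions\Approved, legitimate entries are values named by
    # CLSID holding a readable description; subkeys or other names are out of place.
    if "\\shell extensions\\approved\\" in entry.key.lower():
        if entry.value is None:
            entry.reasons.append("subkey under Shell Extensions\\Approved (normally values only)")
        elif not GUID_RE.match(entry.value):
            entry.reasons.append("non-CLSID value under Shell Extensions\\Approved")
    return entry


def triage(log_text: str) -> List[RegEntry]:
    """Return only the entries that tripped at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_reg_line(line)
        if entry is not None and analyse(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.key}  @{e.value!r}: {'; '.join(e.reasons)}")
```

Run it over the whole Registry section of a saved log rather than a handful of lines. The `sptd` entries, which commonly come from the SCSI pass-through driver shipped with Daemon Tools and Alcohol 120%, are not flagged by these rules; a hit is a reason to inspect the key in Regedit or with a second rootkit scanner, not proof of infection on its own.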

#44
fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok.. Let's wrap it up...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes:
Help! My computer is slow!
How to prevent Malware

And another excellent article by CastleCops Malware Prevention: Prevent Re-infection

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512
  • 0

#45
elvisxb

  • Topic Starter
  • Member
  • 29 posts
The udxfytw.sys doesn't seem to be returning and my computer is running smoother than ever. Thanks so much.
  • 0
