Question

Trojan.Vundo: I just ran SDfix.exe and ComboFix.exe, now uploading logs

Asked by: slamond

uploading logs

This is a Dell Inspiron 1300 notebook running WindowsXP.

Awaiting further instructions....

report2.txt
- 5 KB
SDfix log
log.txt
- 9 KB
ComboFix log

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

Plus...

30 Day FREE access, no risk, no obligation
Collaborate with the world's top tech experts
Unlimited access to our exclusive solution database
Never be left without tech help again

Subscribe Now

Asked On: 2008-04-11 at 11:04:12ID23315983
Tags: Trojan.Vundo
Topics: Anti-Virus
,; Desktop Anti-Virus
Participating Experts: 2
Points: 500
Comments: 43

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

"The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
"Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
"Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Free Tech Articles

WARNING: 5 Reasons why you should NEVER fix a computer for free.
It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
SCCM OSD Basic troubleshooting
SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
Create a Win7 Gadget
This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
Outlook continually prompting for username and password
There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
Backup Exchange 2010 Information Store using Windows Backup
There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

Avoiding Bugs in Microsoft Access
Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
Top 10 Best New Features in Visio 2010
Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
IT Consultant Business Secrets Revealed
Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
Disaster Recovery and Business Continuity
Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
Organize Your Visio Diagrams with Containers and Lists
Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
How to Us Objects, Properties, Events and Methods in Microsoft Access
Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Watch More

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

by: slamondPosted on 2008-04-11 at 11:32:06ID: 21336882

The system is still pathetically slow as I try to update the Norton AV list and reinstall Windows Defender. I'm still getting the continuously popping-up message that NAV found Trojan.Vundo at tuvsqno.dll and is unable to delete it.

by: rpggamergirlPosted on 2008-04-11 at 17:37:48ID: 21339273

It's a vundo rootkit.
Still some vundo files there that need to be removed.

Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\system32\ocljqjxw.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\xpvekwxd.dll
C:\WINDOWS\system32\tuvsqno.dll
C:\WINDOWS\system32\wnfltbvw.dll

RenV::
C:\Program Files\Messenger\msmsgs .exe

DirLook::
C:\WINDOWS\c3VzYW4

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82bb645b-b2e0-484e-a342-a63a9709c158}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8395B43-42CF-4C9D-AE69-36EFF2703EF5}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply together.

by: slamondPosted on 2008-04-14 at 12:31:37ID: 21352999

Here's the log after the 2nd run of ComboFix.exe, executed by dropping the CFScript.txt file onto it..........

ComboFix 08-04-10.9 - susan 2008-04-14 13:24:43.2 -
NTFSx86
Running from: C:\ComboFix\ComboFix.exe
Command switches used :: C:\ComboFix\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .

((((((((((((((((((((((((((((((((((((((( Other
Deletions
)))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acwjgkox.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\dbnccomc.dll
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\sgnsfrgs.dll
C:\WINDOWS\system32\sgrfsngs.ini
C:\WINDOWS\system32\tbxvbdpd.dll
C:\WINDOWS\system32\vsbnmmyh.dll
C:\WINDOWS\system32\wnfltbvw.dll
C:\WINDOWS\system32\xokgjwca.ini

.
((((((((((((((((((((((((( Files Created from
2008-03-14 to 2008-04-14
)))))))))))))))))))))))))))))))
.

2008-04-14 11:46 . 2008-04-14 11:46      3,648      --a------
C:\WINDOWS\system32\uhifgrwd.dll
2008-04-11 13:33 . 2008-04-11 13:33      3,648      --a------
C:\WINDOWS\system32\sbvmhmdv.dll
2008-04-11 13:32 . 2008-04-14 11:45      101,091      --a------
C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------
C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40      <DIR>      d--------
C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------
C:\Documents and Settings\Administrator\Application
Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M
Report
))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 17:54      ---------      d-----w      C:\Documents and
Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and
Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program
Files\WindSolutions
2008-04-11 15:49      ---------      d-----w      C:\Program
Files\DellSupport
2008-04-06 00:49      ---------      d-----w      C:\Program
Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program
Files\FinePixViewer
2007-02-19 02:08      88      --sh--r
C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w
C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w 1,694,208 2008-01-01 19:00:58
C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]

(((((((((((((((((((((((((((((
snapshot@2008-04-11_13.32.25.40
)))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 10:00:00      114,688      ----a-w
C:\WINDOWS\system32\dllcache\aclui.dll
+ 2004-08-04 10:00:00      98,304      ----a-w
C:\WINDOWS\system32\dllcache\ahui.exe
+ 2004-08-04 10:00:00      580,608      ----a-w
C:\WINDOWS\system32\dllcache\autofmt.exe
+ 2004-08-04 10:00:00      71,680      ----a-w
C:\WINDOWS\system32\dllcache\blastcln.exe
+ 2004-08-04 10:00:00      11,776      ----a-w
C:\WINDOWS\system32\dllcache\chkdsk.exe
+ 2004-08-04 10:00:00      10,752      ----a-w
C:\WINDOWS\system32\dllcache\clb.dll
+ 2004-08-04 10:00:00      102,912      ----a-w
C:\WINDOWS\system32\dllcache\clipbrd.exe
+ 2004-08-04 10:00:00      17,408      ----a-w
C:\WINDOWS\system32\dllcache\compact.exe
+ 2004-08-04 10:00:00      13,824      ----a-w
C:\WINDOWS\system32\dllcache\convert.exe
+ 2004-08-04 10:00:00      15,360      ----a-w
C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2004-08-04 10:00:00      82,432      ----a-w
C:\WINDOWS\system32\dllcache\dfrgfat.exe
+ 2004-08-04 10:00:00      85,504      ----a-w
C:\WINDOWS\system32\dllcache\diantz.exe
+ 2004-08-04 10:00:00      224,768      ----a-w
C:\WINDOWS\system32\dllcache\dmadmin.exe
+ 2004-08-04 10:00:00      83,456      ----a-w
C:\WINDOWS\system32\dllcache\dpvsetup.exe
+ 2004-08-04 10:00:00      45,568      ----a-w
C:\WINDOWS\system32\dllcache\drwtsn32.exe
+ 2004-08-04 10:00:00      1,298,432      ----a-w
C:\WINDOWS\system32\dllcache\dxdiag.exe
+ 2004-08-04 10:00:00      39,424      ----a-w
C:\WINDOWS\system32\dllcache\esentutl.exe
+ 2004-08-04 10:00:00      193,024      ----a-w
C:\WINDOWS\system32\dllcache\eudcedit.exe
+ 2004-08-04 10:00:00      45,568      ----a-w
C:\WINDOWS\system32\dllcache\extrac32.exe
+ 2004-08-04 10:00:00      9,216      ----a-w
C:\WINDOWS\system32\dllcache\finger.exe
+ 2004-08-04 10:00:00      55,296      ----a-w
C:\WINDOWS\system32\dllcache\freecell.exe
+ 2004-08-04 10:00:00      56,320      ----a-w
C:\WINDOWS\system32\dllcache\fsutil.exe
+ 2004-08-04 10:00:00      143,360      ----a-w
C:\WINDOWS\system32\dllcache\fxsclnt.exe
+ 2004-08-04 10:00:00      229,376      ----a-w
C:\WINDOWS\system32\dllcache\fxscover.exe
+ 2004-08-04 10:00:00      39,424      ----a-w
C:\WINDOWS\system32\dllcache\grpconv.exe
+ 2004-08-04 10:00:00      23,552      ----a-w
C:\WINDOWS\system32\dllcache\ipxroute.exe
+ 2004-08-04 10:00:00      75,264      ----a-w
C:\WINDOWS\system32\dllcache\locator.exe
+ 2004-08-04 10:00:00      220,672      ----a-w
C:\WINDOWS\system32\dllcache\logon.scr
+ 2004-08-04 10:00:00      514,560      ----a-w
C:\WINDOWS\system32\dllcache\logonui.exe
+ 2004-08-04 10:00:00      72,704      ----a-w
C:\WINDOWS\system32\dllcache\magnify.exe
+ 2004-08-04 10:00:00      815,104      ----a-w
C:\WINDOWS\system32\dllcache\mmc.exe
+ 2004-08-04 10:00:00      32,768      ----a-w
C:\WINDOWS\system32\dllcache\mnmsrvc.exe
+ 2004-08-04 10:00:00      20,992      ----a-w
C:\WINDOWS\system32\dllcache\msg.exe
+ 2004-08-04 10:00:00      29,184      ----a-w
C:\WINDOWS\system32\dllcache\mshta.exe
+ 2004-08-04 10:00:00      274,944      ----a-w
C:\WINDOWS\system32\dllcache\mstask.dll
+ 2004-08-04 10:00:00      12,288      ----a-w
C:\WINDOWS\system32\dllcache\mstinit.exe
+ 2004-08-04 10:00:00      407,552      ----a-w
C:\WINDOWS\system32\dllcache\mstsc.exe
+ 2004-08-04 10:00:00      111,104      ----a-w
C:\WINDOWS\system32\dllcache\netdde.exe
+ 2004-08-04 10:00:00      329,728      ----a-w
C:\WINDOWS\system32\dllcache\netsetup.exe
+ 2004-08-04 10:00:00      36,864      ----a-w
C:\WINDOWS\system32\dllcache\netstat.exe
+ 2004-08-04 10:00:00      31,744      ----a-w
C:\WINDOWS\system32\dllcache\ntsd.exe
+ 2004-08-04 10:00:00      419,840      ----a-w
C:\WINDOWS\system32\dllcache\ntvdm.exe
+ 2004-08-04 10:00:00      215,552      ----a-w
C:\WINDOWS\system32\dllcache\osk.exe
+ 2004-08-04 10:00:00      49,152      ----a-w
C:\WINDOWS\system32\dllcache\powercfg.exe
+ 2004-08-04 10:00:00      109,568      ----a-w
C:\WINDOWS\system32\dllcache\progman.exe
+ 2004-08-04 10:00:00      16,896      ----a-w
C:\WINDOWS\system32\dllcache\qappsrv.exe
+ 2004-08-04 10:00:00      56,832      ----a-w
C:\WINDOWS\system32\dllcache\rasphone.exe
+ 2004-08-04 10:00:00      7,168      ----a-w
C:\WINDOWS\system32\dllcache\recover.exe
+ 2004-08-04 10:00:00      11,776      ----a-w
C:\WINDOWS\system32\dllcache\regsvr32.exe
+ 2004-08-04 10:00:00      132,608      ----a-w
C:\WINDOWS\system32\dllcache\rsvp.exe
+ 2004-08-04 10:00:00      13,312      ----a-w
C:\WINDOWS\system32\dllcache\savedump.exe
+ 2004-08-04 10:00:00      77,312      ----a-w
C:\WINDOWS\system32\dllcache\sdbinst.exe
+ 2004-08-04 10:00:00      9,728      ----a-w
C:\WINDOWS\system32\dllcache\sfc.exe
+ 2004-08-04 10:00:00      114,688      ----a-w
C:\WINDOWS\system32\dllcache\wscript.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading
Points
))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper
Objects\{86B9E7E9-CE7F-4DA7-B570-ADD685938F7F}]
2008-04-14 13:44      273408      --a------
C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper
Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
2007-12-30 13:37      40448      --a------
C:\WINDOWS\system32\tuvsqno.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program
Files\NetWaiting\netWaiting.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ] "AIM"="C:\Program Files\AIM\aim.exe" [ ] "Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ] "SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19
393216 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program
Files\Dell\QuickSet\quickset.exe" [ ]
"DVDLauncher"="C:\Program
Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe"
[ ]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ] "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe"
[ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ] "vptray"="C:\Program Files\NavNT\vptray.exe" [ ] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ] "BM3b1cc58d"="C:\WINDOWS\system32\oovcwwrs.dll"
[2008-04-14 13:46 96320]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576] Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
[2005-11-04 16:04:48 176128]
KODAK Software Updater.lnk - C:\Program
Files\Kodak\KODAK Software
Updater\7288971\Program\Kodak Software Updater.exe
[2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
[2004-11-11 12:59:36 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"=
C:\WINDOWS\system32\tuvsqno.dll [2007-12-30 13:37 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\tuvsqno]
tuvsqno.dll 2007-12-30 13:37 40448
C:\WINDOWS\system32\tuvsqno.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ       msv1_0
C:\WINDOWS\system32\ddaya

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"= "C:\\StubInstaller.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 14:10:05
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software
Update\SoftwareUpdate.exe
"2008-04-11 23:02:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe .
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-14 13:40:09 Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ayadd.ini 264564 bytes
C:\WINDOWS\system32\ayadd.ini2 345 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tuvsqno.dll
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\oovcwwrs.dll
-> C:\WINDOWS\system32\ddaya.dll
.
------------------------ Other Running Processes
------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\CBA\PDS.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CBA\XFR.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\MSGSYS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-14 13:51:00 - machine was rebooted ComboFix-quarantined-files.txt 2008-04-14 17:50:29 ComboFix2.txt 2008-04-11 17:34:40
Pre-Run: 6,909,997,056 bytes free
Post-Run: 6,969,774,080 bytes free
.
2008-04-08 20:46:42      --- E O F ---

by: slamondPosted on 2008-04-14 at 12:33:02ID: 21353017

Also, let me know when to reactivate NAV, Windows Defender and System Restore.

Thanks.
S.

by: rpggamergirlPosted on 2008-04-14 at 15:28:39ID: 21354492

>>>Also, let me know when to reactivate NAV, Windows Defender <<<
You only turn them off while combofix is running,
You should turn system restore back on....I never advise anyone to turn system restore off while cleaning a system.

There's a vundo file there that's is sticking, we'll use another tool if CF can't remove it.

Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\system32\uhifgrwd.dll
C:\WINDOWS\system32\sbvmhmdv.dll
C:\WINDOWS\BM3b1cc58d.xml
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\tuvsqno.dll
C:\WINDOWS\system32\oovcwwrs.dll
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini2

Folder::
C:\WINDOWS\system32\ddaya

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper
Objects\{86B9E7E9-CE7F-4DA7-B570-ADD685938F7F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper
Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"=-
"BM3b1cc58d"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\tuvsqno]

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply together.

by: briancassinPosted on 2008-04-16 at 18:36:00ID: 21373439

You can also try these two tools below after running those I would also download and scan your system with http://www.superantispyware.com

Once the infection is clear
Update your anti virus
Check for old versions of java in add/remove programs if you find anything older then java 6 update 5 1.06 ver. then uninstall them and go to http://www.java.com

You may also want to install the following two tools to prevent future infections
http://www.javacoolsoftware.com - spywareblaster
http://www.siteadvisor.com - tell you of bad websitesin the search engine results and will turn colors when you go onto website indicating if they are dangerous or not.

tools for Vundo:

Vundo Fix
http://www.atribune.org/ccount/click.php?id=4
VirtumundoBegone http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

instructions on how to run these tools can be found here
http://www.bleepingcomputer.com/forums/topic18610.html
I will post them here for convience from the URL above

Removal Steps:
Please print these instructions as they will be needed later when Internet access is not available.

Save these instructions in word or notepad to the desktop where they can be easily found.

Download Vundo Fix and save it to your desktop.

When it has completed downloading, double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will now receive a prompt asking if you want to remove the files, click the YES button. Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shutdown your computer, click the OK button.

When the computer has shutdown, turn your computer back on.
The WinFixer and Vundo infection should now be removed from your computer.

If you are still having a problem then please perform the following steps.

This step should only be used if the instructions in the previous steps did not remove the infection:
Download VirtumundoBegone and save it to your desktop.

Now reboot into Safe Mode.

This can be done tapping the F8 key as soon as you start your computer

You will be brought to a menu where you can choose to boot into safe mode.

Select safe mode with networking using your arrow keys on the keyboard and then press enter.

When you computer reaches the desktop make sure you log in as the same user which you had performed the previous steps,

Once you are logged into safe mode, double-click VirtumundoBeGone.exe file you just downloaded and follow the instructions.

Exit when it has finished, and reboot back to normal mode.
The WinFixer and Vundo infection should now be removed from your computer

by: slamondPosted on 2008-04-18 at 10:34:39ID: 21387943

New log after latest ComboFix.exe run..........

CFlog041808.txt
- 63 KB
ComboFix log

by: slamondPosted on 2008-04-18 at 10:43:26ID: 21388036

I noticed that the 4-18-08 log states "WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !" but when I check MyComputer/Properties/System Restore
there is no checkmark applied to the disable option.

by: briancassinPosted on 2008-04-18 at 15:24:26ID: 21390083

Do the following

run the vundo removal tools I posted above Vundo is still present...
then
Open notepad and copy the following code between the lines then paste into notepad
as rpggamergirl said before
"Save this as CFScript in the same location as ComboFix.exe
drag CFScript.txt into ComboFix.exe"

----------------------------------------------------------begin copy---------------------

File::
C:\WINDOWS\system32\sbvmhmdv.dll
C:\WINDOWS\system32\uhifgrwd.dll
C:\WINDOWS\system32\ulkboyjc.dll
C:\WINDOWS\BM3b1cc58d.xml
C:\WINDOWS\system32\MRT.INI
C:\WINDOWS\system32\F48EA6F3DE.sys
C:\WINDOWS\system32\KGyGaAvL.sys

--------------------------------------------------------end copy-----------------------------

also go to control panel add/remove programs and uninstall Viewpoint

go into the registry editor (start run regedit ) and under this key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
remove this value
"Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]

Also this here this file is still present
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]

remove the entire tuvsqno key

you also have a spybot infection
http://www.sophos.com/security/analyses/viruses-and-spyware/w32spybotv.html
because of the presence of this file
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=

use this program to remove it

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt back onto the forum

by: briancassinPosted on 2008-04-18 at 15:31:22ID: 21390119

Sorry scratch the SDFIX you already ran that ... don't run it

instead go into the registry editor to this key
[HKLM\current control set\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

also check control set 01

and delete this from the list
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=

also go to c:\program files and see if you see a folder named Soulseek if so Delete it make sure you are showing hidden and system files.

by: slamondPosted on 2008-04-21 at 10:47:56ID: 21404249

After the ComboFix run (but before running the other VundoFix instructions and registry edits).....

ComboFix 08-04-10.9 - susan 2008-04-21 13:34:43.4 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.84 [GMT -4:00] Running from: C:\ComboFix\ComboFix.exe Command switches used :: C:\ComboFix\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-18 15:39 . 2008-04-18 15:39      <DIR>      d--------      C:\Program Files\Windows Defender
2008-04-18 15:37 . 2008-04-18 15:37      <DIR>      d--------      C:\WINDOWS\LastGood
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 13:32 . 2008-04-17 13:52      101,091      --a------      C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w 1,694,208 2008-01-01 19:00:58 C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]

((((((((((((((((((((((((((((( snapshot_2008-04-18_13.17.18.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\LastGood\system32\LegitCheckControl.DLL
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ] "AIM"="C:\Program Files\AIM\aim.exe" [ ] "Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ] "SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ] "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ] "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ] "vptray"="C:\Program Files\NavNT\vptray.exe" [ ] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576] Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128] KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423] QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
tuvsqno.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"= "C:\\StubInstaller.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

*Newly Created Service* - NAVEX15
*Newly Created Service* - WINDEFEND
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 20:24:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-21 05:37:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe .
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-21 13:38:57 Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-21 13:40:33
ComboFix-quarantined-files.txt 2008-04-21 17:40:05 ComboFix2.txt 2008-04-18 17:18:27 ComboFix3.txt 2008-04-14 17:51:05 ComboFix4.txt 2008-04-11 17:34:40
Pre-Run: 6,778,507,264 bytes free
Post-Run: 6,758,416,384 bytes free
.
2008-04-18 20:01:24      --- E O F ---

by: slamondPosted on 2008-04-21 at 10:55:05ID: 21404328

The following key does not exist (I assume a typo)...........

You wrote:

instead go into the registry editor to this key
[HKLM\current control set\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

also check control set 01

and delete this from the list
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=

by: briancassinPosted on 2008-04-21 at 11:25:07ID: 21404575

I need a combofix after the regedits to see if those entries are still present also before doing this go to start run regedit and then go to edit, find and look for the following
slsk.exe

it should a line value that reads like this

"C:\\Program Files\\Soulseek-Test\\slsk.exe" delete this value

by: slamondPosted on 2008-04-21 at 12:04:22ID: 21404907

I ran VundoFix.exe but it found nothing.
I was unsure if I should run the other Vundo fixer???

Here's the most recent ComboFix log after the registry edits.........

ComboFix 08-04-10.9 - susan 2008-04-21 14:50:28.5 - NTFSx86 Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .

((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-18 15:39 . 2008-04-18 15:39      <DIR>      d--------      C:\Program Files\Windows Defender
2008-04-18 15:37 . 2008-04-18 15:37      <DIR>      d--------      C:\WINDOWS\LastGood
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 13:32 . 2008-04-17 13:52      101,091      --a------      C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 17:55      ---------      d-----w      C:\Program Files\Java
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w 1,694,208 2008-01-01 19:00:58 C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]

((((((((((((((((((((((((((((( snapshot_2008-04-18_13.17.18.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\LastGood\system32\LegitCheckControl.DLL
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ] "AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ] "SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ] "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ] "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ] "vptray"="C:\Program Files\NavNT\vptray.exe" [ ] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576] Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128] KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423] QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

*Newly Created Service* - NAVEX15
*Newly Created Service* - WINDEFEND
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 20:24:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-21 05:37:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe .
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-21 14:54:22 Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-21 14:55:51
ComboFix-quarantined-files.txt 2008-04-21 18:55:22 ComboFix2.txt 2008-04-21 17:40:34 ComboFix3.txt 2008-04-18 17:18:27 ComboFix4.txt 2008-04-14 17:51:05 ComboFix5.txt 2008-04-11 17:34:40
Pre-Run: 6,817,079,296 bytes free
Post-Run: 6,797,447,168 bytes free
.
2008-04-18 20:01:24      --- E O F ---

by: slamondPosted on 2008-04-23 at 11:56:56ID: 21424048

While waiting for a response to my latest ComboFix log post, I decided to run VirtumundoBeGone.exe and it looks like nothing was found:

[04/23/2008, 14:47:52] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\susan\Desktop\VirtumundoBeGone.exe" )
[04/23/2008, 14:47:55] - Detected System Information:
[04/23/2008, 14:47:55] - Windows Version: 5.1.2600, Service Pack 2
[04/23/2008, 14:47:55] - Current Username: susan (Admin)
[04/23/2008, 14:47:55] - Windows is in SAFE mode.
[04/23/2008, 14:47:55] - Searching for Browser Helper Objects:
[04/23/2008, 14:47:55] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/23/2008, 14:47:55] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/23/2008, 14:47:55] - Finished Searching Browser Helper Objects
[04/23/2008, 14:47:55] - Finishing up...
[04/23/2008, 14:47:55] - Nothing found! Exiting...

by: briancassinPosted on 2008-04-23 at 14:14:02ID: 21425481

Look for this in the registry
StubInstaller.exe

once found remove it. that is the only thing I am seeing from your last log.. sorry I did not get back to you sooner for some reason I did not get notification on your post from 4-21

download and run this program
http://www.ccleaner.com anaylyze the system then run it to cleanup all your temporary file and so forth. If it removes quite a bit of things I would then go to start, programs, accessories, system tools, and run disk defragmenter.

How is the machine running now ?

by: slamondPosted on 2008-04-24 at 06:12:44ID: 21430386

Thanks for the post, I will act on it soon.
Before I do, I thought I'd mention that the machine is running much better.
However, Norton AV just popped up with a virus found "W32.Trats!inf" with QuarantineFailed/Access Denied.

I will follow your instructions and then I assume I should run ComoFix.exe to get a log (unless the ccleaner generates one).

by: slamondPosted on 2008-04-24 at 06:27:27ID: 21430536

CCleaner removed 75 Mb very quickly.
Disk Defrag Analysis indicated that defrag is not necessary.
However, I noticed that there's only 16% free space on drive C, not sure how much of an issue that is.
I will advise the user to delete unnecessary programs.

At least one remaining issue is that "W32.Trats!inf" virus.

by: slamondPosted on 2008-04-24 at 06:55:58ID: 21430843

I am running ComboFix and will post a new log ASAP.

by: slamondPosted on 2008-04-24 at 07:17:19ID: 21431083

The latest ComboFix log.........

ComboFix 08-04-22.5 - susan 2008-04-24 9:48:37.6 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.124 [GMT -4:00]Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 09:17 . 2008-04-24 09:17      <DIR>      d--------      C:\Program Files\CCleaner
2008-04-18 15:39 . 2008-04-18 15:39      <DIR>      d--------      C:\Program Files\Windows Defender
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 13:32 . 2008-04-17 13:52      101,091      --a------      C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 14:45 . 2008-04-07 14:45      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-04-07 14:45 . 2008-04-24 09:48      1,024      --ah-----      C:\Documents and Settings\Administrator\ntuser.dat.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 17:55      ---------      d-----w      C:\Program Files\Java
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w 1,694,208 2008-01-01 19:00:58 C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]

((((((((((((((((((((((((((((( snapshot_2008-04-18_13.17.18.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-23 19:26:28      2,048      --s-a-w      C:\WINDOWS\bootstat.dat
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system\MOUSE.DRV
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system\SOUND.DRV
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system\VGA.DRV
+ 2004-08-04 10:00:00      1,788      ----a-w      C:\WINDOWS\system32\Dcache.bin
+ 2004-12-06 06:05:00      2,239      ----a-w      C:\WINDOWS\system32\dla\tfsndres.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-08-04 10:00:00      2,944      ----a-w      C:\WINDOWS\system32\drivers\null.sys
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system32\keyboard.drv
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2004-08-04 10:00:00      2,560      ----a-w      C:\WINDOWS\system32\lz32.dll
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system32\mouse.drv
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system32\sound.drv
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system32\vga.drv
+ 2004-08-04 10:00:00      2,864      ----a-w      C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 10:00:00      2,112      ----a-w      C:\WINDOWS\system32\winspool.exe
+ 2004-08-04 10:00:00      2,736      ----a-w      C:\WINDOWS\system32\wowdeb.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ] "AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ] "SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ] "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ] "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ] "vptray"="C:\Program Files\NavNT\vptray.exe" [ ] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576] Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128] KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423] QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"=

*Newly Created Service* - NAVAP
*Newly Created Service* - NAVEX15
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 20:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-24 05:55:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe .
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-24 09:52:02 Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-24 9:54:55
ComboFix-quarantined-files.txt 2008-04-24 13:53:51 ComboFix2.txt 2008-04-21 18:55:52 ComboFix3.txt 2008-04-21 17:40:34 ComboFix4.txt 2008-04-18 17:18:27 ComboFix5.txt 2008-04-14 17:51:05

Pre-Run: 6,767,300,608 bytes free
Post-Run: 6,750,720,000 bytes free

148      --- E O F ---      2008-04-22 23:47:25

by: slamondPosted on 2008-04-25 at 07:45:19ID: 21440048

Just posting a message to confirm that I have posted a new ComboFix log, in case my previous message got blocked my someone's spam filter.

by: briancassinPosted on 2008-04-25 at 11:02:14ID: 21441876

Remove these files

C:\WINDOWS\system32\F48EA6F3DE.sys
C:\WINDOWS\BM3b1cc58d.xml

download and run this tool
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

post the logfile up here

by: slamondPosted on 2008-04-25 at 13:21:23ID: 21442928

The file C:\WINDOWS\system32\F48EA6F3DE.sys did not exists, ut I did delete the otherfile.

It seems incomplete, but here is the RenV.exe log.............

[code]
Ran on Fri 04/25/2008 - 16:14:03.29

----a-w 1,694,208 2008-01-01 19:00:58 C:\Program Files\Messenger\msmsgs .exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 1,694,208 Blocks: 3,309
[/code]

by: briancassinPosted on 2008-04-25 at 14:16:00ID: 21443255

It didn't find anything then... Try doing the following

go to the command prompt and go to the following directory

c:\windows\system32

then type the following

attrib -h

then see what comes up saying not resetting file
Copy and paste those up to here. I want to see if you have files hiding on you

by: slamondPosted on 2008-04-25 at 14:31:31ID: 21443340

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>attrib -h
Not resetting system file - C:\WINDOWS\system32\camoiste.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.tmp
Not resetting system file - C:\WINDOWS\system32\F48EA6F3DE.sys
Not resetting system file - C:\WINDOWS\system32\KGyGaAvL.sys
Not resetting system file - C:\WINDOWS\system32\lwevdeix.ini
Not resetting system file - C:\WINDOWS\system32\wxjqjlco.ini
Not resetting system file - C:\WINDOWS\system32\ylflogff.ini

C:\WINDOWS\system32>

by: briancassinPosted on 2008-04-25 at 15:50:30ID: 21443718

bingo those are the infectors!

Here is what I want you to do since automatically removing through combox fix thus far has not worked.

Download knoppix live cd here and burn it as a bootable CD
http://www.knoppix.org/

Boot the PC with knoppix in the drive and then go to the C:\ drive and delete the following files

C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\F48EA6F3DE.sys
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini

another option would be recovery console put yor windows CD in bootup at the first screen hit R and follow the onscreen prompts when it asks for a password if you never assigned one to the administrator account just press enter. You will then be able to delete the files by going to the directory those files are in
%systemroot%system32 then type del filename.extension
example del ylflogff.ini then press enter

by: rpggamergirlPosted on 2008-04-26 at 06:44:59ID: 21445506

I'm very sorry, I was away with no internet access.

Glad to see briancassin is here.
You could also try deleting those files using Combofix CFScript,
A lot of legit files are showing in combofix log as an empty file..... usually happens with file infectors as antivirus scanners etc ends up deleting them. You might just have to reinstal any programs, .exes that no longer work.

by: briancassinPosted on 2008-04-26 at 08:37:10ID: 21445848

wb rpggamergirl :)

We tried CfScript but this particular one does not want to delete I figured maybe using a knoppix disk or the like would give the ability to kill it.
C:\WINDOWS\system32\F48EA6F3DE.sys

by: slamondPosted on 2008-04-28 at 12:07:38ID: 21456696

I downloaded the file KNOPPIX_V5.1.0CD-2006-12-30-EN, about 650 Mb, and burned it to a CD.
I changed the laptop setup to boot from CD first, but after a long delay it boots right into WindowsXP.

Is there something special that has to be done during the burn process to make it a bootbale CD?

Or, did I download the wrong file?

by: briancassinPosted on 2008-04-28 at 19:25:25ID: 21459156

You have to burn it as a bootable image.

You probably burned the iso file direct to the cd. I do not know what you are using to burn the CD but you would need either nero or roxio.

Another way and probably much easier is downloading this program here
http://www.imgburn.com/
install it then put a blank cd in your drive close any prompts that come up then just right click on the knoppix iso and select burn using imgburn. Leave the CD in the drive and reboot you should now be able to boot off the CD.

by: rpggamergirlPosted on 2008-04-29 at 05:59:07ID: 21461718

briancassin,
Thanks, :)

>>>We tried CfScript but this particular one does not want to delete I figured maybe using a knoppix disk or the like would give the ability to kill it.
C:\WINDOWS\system32\F48EA6F3DE.sys<<<

Maybe we can leave that file for now, let's first delete those hidden files (below) using CFScript, we haven't tried deleting those yet, that might be all that's needed we'll see. The F48EA6F3DE.sys is dated over a year ago so I'm not sure that's the culprit I could be wrong of course.
Can we please try deleting these files below first using CFScript?

File::
C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini

by: slamondPosted on 2008-04-29 at 06:29:32ID: 21462025

Since my motto is "Simplify", I will first try rpggamergirl's suggestion.

She gives me too much credit regarding my knowledge, but from my recent interaction with briancassin I'll assume I place the list of files in CFScript.txt and drop it onto ComboFix.exe.

by: rpggamergirlPosted on 2008-04-29 at 06:47:58ID: 21462195

Sorry... yes, same thing as you did before, create a CFScript.txt and after you've done that, just drag it over to Combofix.exe.

Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
and then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply.

by: slamondPosted on 2008-04-29 at 07:08:57ID: 21462395

The latest ComboFix.txt log...........

ComboFix 08-04-22.5 - susan 2008-04-29 9:34:10.7 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.170 [GMT -4:00] Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\susan\Desktop\CFScript.txt
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-24 09:17 . 2008-04-24 09:17      <DIR>      d--------      C:\Program Files\CCleaner
2008-04-18 15:39 . 2008-04-18 15:39      <DIR>      d--------      C:\Program Files\Windows Defender
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-25 13:02      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 14:45 . 2008-04-07 14:45      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-04-07 14:45 . 2008-04-29 06:07      1,024      --ah-----      C:\Documents and Settings\Administrator\ntuser.dat.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 17:35      ---------      d-----w      C:\Program Files\Soulseek-Test
2008-04-21 17:55      ---------      d-----w      C:\Program Files\Java
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w 1,694,208 2008-01-01 19:00:58 C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]

((((((((((((((((((((((((((((( snapshot_2008-04-18_13.17.18.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-28 19:02:43      2,048      --s-a-w      C:\WINDOWS\bootstat.dat
- 2008-04-11 15:51:48      806,912      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-04-25 15:54:25      3,743,744      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-04-11 15:51:48      8,192      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-04-25 15:54:25      151,552      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system\MOUSE.DRV
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system\SOUND.DRV
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system\VGA.DRV
+ 2004-08-04 10:00:00      1,788      ----a-w      C:\WINDOWS\system32\Dcache.bin
+ 2004-12-06 06:05:00      2,239      ----a-w      C:\WINDOWS\system32\dla\tfsndres.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-08-04 10:00:00      2,944      ----a-w      C:\WINDOWS\system32\drivers\null.sys
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system32\keyboard.drv
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2004-08-04 10:00:00      2,560      ----a-w      C:\WINDOWS\system32\lz32.dll
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system32\mouse.drv
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system32\sound.drv
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system32\vga.drv
+ 2004-08-04 10:00:00      2,864      ----a-w      C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 10:00:00      2,112      ----a-w      C:\WINDOWS\system32\winspool.exe
+ 2004-08-04 10:00:00      2,736      ----a-w      C:\WINDOWS\system32\wowdeb.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ] "AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ] "SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ] "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ] "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ] "vptray"="C:\Program Files\NavNT\vptray.exe" [ ] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576] Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128] KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423] QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 20:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 05:44:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe .
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-29 09:37:24 Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-29 9:39:50
ComboFix-quarantined-files.txt 2008-04-29 13:38:46 ComboFix2.txt 2008-04-24 13:54:56 ComboFix3.txt 2008-04-21 18:55:52 ComboFix4.txt 2008-04-21 17:40:34 ComboFix5.txt 2008-04-18 17:18:27

Pre-Run: 6,666,014,720 bytes free
Post-Run: 6,647,566,336 bytes free

162      --- E O F ---      2008-04-24 14:09:32

by: slamondPosted on 2008-04-29 at 09:50:11ID: 21463955

Should I wait for feedback on the latest ComboFix.txt log (posted above) or
should I run that German boot CD ?

I have Nero CD burning software, if you can give me instructions for creating a boot CD using that software.

by: rpggamergirlPosted on 2008-04-29 at 21:38:35ID: 21468113

Combofix had deleted those files.
How is the pc going? Are you still having the "W32.Trats!inf" virus issue?

About the Knoppix bootable iso file.
According to knoppix FAQ(below), just burn the ISO as an image and all the files that makes it bootable should be in their proper place.

http://www.knoppix.net/wiki/Downloading_FAQ#Q:_How_do_I_burn_an_ISO_to_a_CD_using_NERO.3F
>>>"Q: What option do I use to make the CD (or DVD) bootable?
A: None! Do not use any option in your burning software to make the CD bootable. Just burn the ISO as an image, this will put all of the proper files on the CD in the proper locations and the resulting CD will be a perfect copy of the original Knoppix CD and will be bootable. If you take any option that makes a bootable CD, you will end up with a CD that does not boot into Linux/Knoppix."<<<

This NERO tutorial for burning ISO image might help.
http://wizardskeep.org/mainhall/tutor/neroiso.html

by: slamondPosted on 2008-04-30 at 06:49:07ID: 21470641

The laptop is running fine and getting no virus messages.
I will do a full scan to be sure.

I will also follow the Nero instructions and retry booting to Knoppix.

by: slamondPosted on 2008-04-30 at 10:01:20ID: 21472538

OK, I got Knoppix running on the laptop but my new problem is that it's not a Windows-based interface.
I can't even figure out how to get to the C drive to see if any of the files in the list need to be deleted.

by: slamondPosted on 2008-04-30 at 11:38:11ID: 21473417

Disregard my last message.
I figured out how to get to the Windows/System32 folder.
The only target file that I found was C:\WINDOWS\system32\F48EA6F3DE.sys and I deleted it.

This laptop is being returned to a teenager, so I have exhausted my patience with this project and expect that it will boomerang back to me in 6-12 months anyway.

All I need now is some guidance (since EE Customer Service never answered me) on how to split the points on this project.

Thanks to both of you.

by: briancassinPosted on 2008-04-30 at 14:52:43ID: 21474906

to split the points you should have a button that says accept multiple solutions you click on that then assign the points next the comments for the experts that helped and then select one of them as the accepted solution the rest will be assissted solutions

by: briancassinPosted on 2008-04-30 at 14:53:54ID: 21474920

If you want to prevent reinfection I would load the following software

http://www.siteadvisor.com
http://www.javacoolsoftware.com
http://www.mozilla.org - firefox

also ensure you have anti virus on the system and it is up to date and anti spyware

by: rpggamergirlPosted on 2008-05-01 at 03:53:39ID: 21477592

Glad to know all's well.

You might also like to check out TonyKlein's article, "How Did I Get Infected in the First Place?"
http://www.castlecops.com/postlite7736-.html

As briancassin already posted, just click on the "Accept Multiple Solutions" button to split points.
below link, if it helps:
http://www.experts-exchange.com/help.jsp#hi331

You split the points. Each comment box has a button that says Accept Multiple Solutions. Click that, and you will see a page that allows you to assign points to any of the comments in the thread. There is a grade box at the bottom of the page.

Note: The total of the point splits must equal the original amount you assigned to the question, and no comment can receive fewer than 20 points. The Comment that was posted first is the Accepted Solution, and the rest of the comments are Accepted Solutions.

by: briancassinPosted on 2008-05-01 at 14:49:55ID: 21483045

Thank You, glad I could help :)

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

For individual users
Instant access to solutions
Ask your tech questions
Start your 30-day Free Trial

Business Accounts

Perfect for organizations
Multiple users
Save over 36%
Create a Business Account

Answer for Membership

Earn free access
Showcase your knowledge
No credit card required
Sign Up to Answer

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...

Question

Trojan.Vundo: I just ran SDfix.exe and ComboFix.exe, now uploading logs

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

Trojan.Vundo

Anti-Virus

Desktop Anti-Virus

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Need individual assistance?

Our experts are ready to help.

Want to learn from the best?

Read articles from industry experts.

Working on a long term project?

Store your work and research.

What Makes Experts Exchange Unique?

Trusted by the world's most respected brands.

Faithfully serving IT professionals since 1996.

Related Solutions

Free Tech Articles

Cloud Class Webinars

Join the Community

Give a Little. Get a Lot.

Answers

3 Ways to Join

The Experts

The Experts

Testimonials

Testimonials

Testimonials

Business Clients

Business Clients

In the Press

In the Press

In the Press