BoggyBayouBoy
asked on
Virus - Cant remove
My AV software detects but cant remove this nasty virus.
I get a WinLogon screen that says "Your System is Probably infected with the latest version of Spyware.Cyberlog-x as well as a balloon popup.
I've also tried HijackThis - but it cant remove the files: Here's the snippet from the log.
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F 5D64B74EAF 6} - C:\WINDOWS\system32\opnonl i.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-6 8C0DE02353 A} - C:\WINDOWS\system32\jnghbz lb.dll
O2 - BHO: (no name) - {E21DBCD5-9C8C-4198-962E-1 176DF19172 7} - C:\WINDOWS\system32\jkklk. dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-4 5AF8282558 3} - C:\WINDOWS\system32\jnghbz lb.dll
I've also tried removing the files manually, but they have attached themselves to a running program and windows wont let me delete.
Maximum points!
I get a WinLogon screen that says "Your System is Probably infected with the latest version of Spyware.Cyberlog-x as well as a balloon popup.
I've also tried HijackThis - but it cant remove the files: Here's the snippet from the log.
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-6
O2 - BHO: (no name) - {E21DBCD5-9C8C-4198-962E-1
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-4
I've also tried removing the files manually, but they have attached themselves to a running program and windows wont let me delete.
Maximum points!
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Can you also show us a hijackthis log with all its entries present?
In some cases, Vundofix may need to be run twice, and some cases a file has to be added in for vundofix.
I'd suggest running vundofix first(since it's the tool specially for vundo removal.
Then if it fail to remove all vundo files, you can then run combofix. Either way, we need to see the resulting logs.
I'd suggest running vundofix first(since it's the tool specially for vundo removal.
Then if it fail to remove all vundo files, you can then run combofix. Either way, we need to see the resulting logs.
ASKER
Heres the entire file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:31 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e xe
C:\WINDOWS\system32\winlog on.exe
C:\WINDOWS\system32\servic es.exe
C:\WINDOWS\system32\lsass. exe
C:\WINDOWS\system32\Ati2ev xx.exe
C:\WINDOWS\system32\svchos t.exe
C:\WINDOWS\System32\svchos t.exe
C:\Program Files\Intel\Wireless\Bin\E vtEng.exe
C:\Program Files\Intel\Wireless\Bin\S 24EvMon.ex e
C:\Program Files\Intel\Wireless\Bin\W LKeeper.ex e
C:\WINDOWS\system32\spools v.exe
C:\Program Files\Intel\Wireless\Bin\Z cfgSvc.exe
C:\WINDOWS\system32\Ati2ev xx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev iceService .exe
C:\WINDOWS\system32\svyeof oj.exe
C:\WINDOWS\system32\HPZipm 12.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\ehome\ehtray.ex e
C:\Program Files\iTunes\iTunesHelper. exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.ex e
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\Fonts\svchost.e xe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Citrix\GoToMeeting\1 98\g2mstar t.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\Fonts\svchost.e xe
C:\Program Files\Common Files\Intuit\QuickBooks\QB Update\qbu pdate.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.E XE
C:\Program Files\Citrix\GoToMeeting\1 98\g2mcomm .exe
C:\Program Files\Common Files\Intuit\QuickBooks\QB CFMonitorS ervice.exe
C:\Program Files\Citrix\GoToMeeting\1 98\g2mlaun cher.exe
C:\Program Files\Intel\Wireless\Bin\R egSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat. exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.e xe
C:\WINDOWS\system32\vmnetd hcp.exe
C:\Program Files\iPod\bin\iPodService .exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\WINDOWS\system32\wuaucl t.exe
C:\PROGRA~1\TRENDM~1\INTER N~1\TmPfw. exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\hijackthi s.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F 5D64B74EAF 6} - C:\WINDOWS\system32\opnonl i.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-6 8C0DE02353 A} - C:\WINDOWS\system32\jnghbz lb.dll
O2 - BHO: (no name) - {E21DBCD5-9C8C-4198-962E-1 176DF19172 7} - C:\WINDOWS\system32\jkklk. dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-4 5AF8282558 3} - C:\WINDOWS\system32\jnghbz lb.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.ex e
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper. exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.ex e
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.e xe
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon .exe
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\1 98\g2mstar t.exe "/Trigger RunAtLogon"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad obe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.E XE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad obe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync .exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB Update\qbu pdate.exe
O15 - Trusted Zone: http://*.widgetdev1
O16 - DPF: {7FC1B346-83E6-4774-8D20-1 A6B09B0E73 7} (Windows Live Photo Upload Control) - http://boggyboy.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0 000F8773BF 0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-4 7B7A707FAE 8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F 61CB7B2E2C D} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-0 43BA1B54AE 3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggablePro tocol.dll
O20 - Winlogon Notify: jnghbzlb - C:\WINDOWS\SYSTEM32\jnghbz lb.dll
O20 - Winlogon Notify: opnonli - C:\WINDOWS\SYSTEM32\opnonl i.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc. exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev iceService .exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev xx.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\svyeof oj.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\E vtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService .exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm 12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QB CFMonitorS ervice.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FC S\Intuit.Q uickBooks. FCS.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\R egSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S 24EvMon.ex e
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER N~1\TmPfw. exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.ex e
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.e xe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd hcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat. exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\W LKeeper.ex e
--
End of file - 7767 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:31 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\Program Files\Intel\Wireless\Bin\E
C:\Program Files\Intel\Wireless\Bin\S
C:\Program Files\Intel\Wireless\Bin\W
C:\WINDOWS\system32\spools
C:\Program Files\Intel\Wireless\Bin\Z
C:\WINDOWS\system32\Ati2ev
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
C:\WINDOWS\system32\svyeof
C:\WINDOWS\system32\HPZipm
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\ehome\ehtray.ex
C:\Program Files\iTunes\iTunesHelper.
C:\Program Files\VMware\VMware Workstation\vmware-tray.ex
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\WINDOWS\Fonts\svchost.e
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon
C:\Program Files\Citrix\GoToMeeting\1
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\Fonts\svchost.e
C:\Program Files\Common Files\Intuit\QuickBooks\QB
C:\Program Files\Microsoft Office\Office12\ONENOTEM.E
C:\Program Files\Citrix\GoToMeeting\1
C:\Program Files\Common Files\Intuit\QuickBooks\QB
C:\Program Files\Citrix\GoToMeeting\1
C:\Program Files\Intel\Wireless\Bin\R
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.e
C:\WINDOWS\system32\vmnetd
C:\Program Files\iPod\bin\iPodService
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\WINDOWS\system32\wuaucl
C:\PROGRA~1\TRENDM~1\INTER
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\hijackthi
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
O2 - BHO: (no name) - {01CD0B31-9154-45F2-9414-F
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-6
O2 - BHO: (no name) - {E21DBCD5-9C8C-4198-962E-1
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-4
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.ex
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.ex
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.e
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.E
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Ad
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
O15 - Trusted Zone: http://*.widgetdev1
O16 - DPF: {7FC1B346-83E6-4774-8D20-1
O16 - DPF: {82774781-8F4E-11D1-AB1C-0
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-4
O16 - DPF: {B7D07999-2ADB-4AEB-997E-F
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-0
O20 - Winlogon Notify: jnghbzlb - C:\WINDOWS\SYSTEM32\jnghbz
O20 - Winlogon Notify: opnonli - C:\WINDOWS\SYSTEM32\opnonl
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2ev
O23 - Service: DomainService - - C:\WINDOWS\system32\svyeof
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\E
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QB
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FC
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\R
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTER
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.ex
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.e
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetd
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\W
--
End of file - 7767 bytes
Follow the solution in the link given below analysing your log. Also use the programs mentioned in there.
http://www.windowsbbs.com/showthread.php?t=59762
Event the site which i gave can help you resolve the issue.
http://www.windowsbbs.com/showthread.php?t=59762
Event the site which i gave can help you resolve the issue.
Your Hijackthis log is infected badly ... run combofix and upload the log as suggested above ..
Also do some online scans
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---
Run Kaspersky online virus scan Kaspersky Online Scanner.
http://www.kaspersky.com/virusscanner
After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
Note: You have to use Internet Explorer to do the online scan.
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----
Download and scan with SUPERAntiSpyware Free for Home Users
http://www.superantispyware.com/
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- -
Also do some online scans
--------------------------
Run Kaspersky online virus scan Kaspersky Online Scanner.
http://www.kaspersky.com/virusscanner
After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
Note: You have to use Internet Explorer to do the online scan.
--------------------------
Download and scan with SUPERAntiSpyware Free for Home Users
http://www.superantispyware.com/
* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* Under "Configuration and Preferences", click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
* Click the "Close" button to leave the control center screen.
* Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
* On the left, make sure you check C:\Fixed Drive.
* On the right, under "Complete Scan", choose Perform Complete Scan.
* Click "Next" to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
* Make sure everything has a checkmark next to it and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* If asked if you want to reboot, click "Yes".
--------------------------
ASKER
The remove Vundo successfully deleted the opnonli.dll and jnghbz.dll files. however still getting the popups and still have other rogue programs running.
O2 - BHO: (no name) - {08FE7D1C-97CF-430F-BCE1-9 92152FF905 E} - C:\WINDOWS\system32\jkklk. dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-6 8C0DE02353 A} - C:\WINDOWS\system32\mtrryz pw.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-4 5AF8282558 3} - C:\WINDOWS\system32\mtrryz pw.dll
Any Idea?
O2 - BHO: (no name) - {08FE7D1C-97CF-430F-BCE1-9
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-6
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-4
Any Idea?
SDBot variant is there among the vundo/conhook entries as well, so I would also suggest SDFix.
the combination of vundofix-combofix-SDFix should be all you need, or if you're lucky just 2 of the tools I've mentioned.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back
the combination of vundofix-combofix-SDFix should be all you need, or if you're lucky just 2 of the tools I've mentioned.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back
Please run SDFix, then combofix, do the combofix last.
We need to see the logs as wel so upload those as well, thanks.
We need to see the logs as wel so upload those as well, thanks.
ASKER
Heres the log file. Combofix was not successful in removing the ddcyw.dll, jkkji.dll and mtrryzpw.dll
ComboFix 07-11-08.1 - John 2007-11-14 16:22:36.2 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\John\Desktop\Comb oFix.exe
.
(((((((((((((((((((((((((( (((((((((( ((( Other Deletions )))))))))))))))))))))))))) )))))))))) )))))))))) )))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\John\Desktop\Live Safety Center.lnk
C:\Documents and Settings\John\Desktop\Onli ne Security Guide.lnk
C:\Documents and Settings\John\Favorites\On line Security Guide.lnk
C:\WINDOWS\system32\ddcyw. dll
C:\WINDOWS\system32\jkkji. dll
C:\WINDOWS\system32\mtrryz pw.dllbox
.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))) )))))
.
2007-11-14 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\App lication Data\Intel
2007-11-14 16:06 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-14 15:38 7,049 --a------ C:\WINDOWS\system32\vtutu. dll
2007-11-14 13:38 7,049 --a------ C:\WINDOWS\system32\awtqq. dll
2007-11-14 11:38 7,049 --a------ C:\WINDOWS\system32\sstqn. dll
2007-11-14 10:38 7,049 --a------ C:\WINDOWS\system32\vtsqn. dll
2007-11-14 10:34 37,376 --a------ C:\WINDOWS\system32\awtuus p.dll
2007-11-14 09:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 08:46 37,376 --a------ C:\WINDOWS\system32\khfcyv u.dll
2007-11-14 06:58 144,480 --a------ C:\WINDOWS\system32\mtrryz pw.dll
2007-11-14 06:57 144,480 --a------ C:\WINDOWS\system32\iohgsw tf.dll
2007-11-14 06:36 <DIR> d-------- C:\VundoFix Backups
2007-11-14 03:31 52,496 --a------ C:\WINDOWS\system32\driver s\tmactmon .sys
2007-11-14 03:31 52,368 --a------ C:\WINDOWS\system32\driver s\tmevtmgr .sys
2007-11-14 03:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-14 00:05 85,056 --a------ C:\WINDOWS\system32\gconoj la.dll
2007-11-14 00:04 80,448 --a------ C:\WINDOWS\system32\wuyatv tq.dll
2007-11-14 00:04 71,232 --a------ C:\WINDOWS\system32\svyeof oj.exe
2007-11-13 21:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 21:16 138,512 --a------ C:\WINDOWS\system32\driver s\tmcomm.s ys
2007-11-13 21:14 <DIR> d-------- C:\Documents and Settings\John\.housecall6. 6
2007-11-13 21:03 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-11-13 13:22 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-13 12:04 36,352 --a------ C:\WINDOWS\system32\opnolm m.dll
2007-11-13 09:20 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-13 00:10 144,480 --a------ C:\WINDOWS\system32\untthe km.dll
2007-11-13 00:07 89,664 --a------ C:\WINDOWS\system32\xwcwsp cb.dll
2007-11-13 00:04 81,472 --a------ C:\WINDOWS\system32\teewvb nl.dll
2007-11-13 00:04 71,232 --a------ C:\WINDOWS\system32\vstlwp wu.exe
2007-11-12 13:13 36,352 --a------ C:\WINDOWS\system32\qomjij k.dll
2007-11-12 00:08 88,128 --a------ C:\WINDOWS\system32\ysbwbm ak.dll
2007-11-12 00:08 79,936 --a------ C:\WINDOWS\system32\cvklol js.dll
2007-11-11 12:01 147,456 --a------ C:\WINDOWS\system32\vbzip1 0.dll
2007-11-11 11:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-19 21:25 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-10-19 20:23 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-10-19 20:23 3,518,464 --a------ C:\WINDOWS\system32\cdintf 300.dll
2007-10-19 20:23 1,843,200 --a------ C:\WINDOWS\system32\acXMLP arser.dll
2007-10-19 20:21 <DIR> d-------- C:\Program Files\Intuit
2007-10-19 20:21 <DIR> d-------- C:\Program Files\Common Files\Intuit
2007-10-19 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-19 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2007-10-19 20:12 <DIR> d-------- C:\Program Files\Akamai
2007-10-19 20:12 <DIR> d-------- C:\Documents and Settings\John\Application Data\Download Manager
.
(((((((((((((((((((((((((( (((((((((( (((( Find3M Report )))))))))))))))))))))))))) )))))))))) )))))))))) ))))))
.
2007-11-14 15:34 --------- d-----w C:\Documents and Settings\LocalService\Appl ication Data\VMware
2007-11-14 15:34 --------- d-----w C:\Documents and Settings\John\Application Data\VMware
2007-11-14 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-11-14 03:19 --------- d-----w C:\Program Files\CA
2007-11-05 12:02 --------- d-----w C:\Program Files\Google
2007-10-06 11:49 --------- d-----w C:\Program Files\VMware
2007-10-06 11:49 --------- d-----w C:\Program Files\Common Files\VMware
2007-10-01 07:07 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-01 07:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-25 00:55 --------- d-----w C:\Program Files\Citrix
2007-09-25 00:55 --------- d-----w C:\Documents and Settings\John\Application Data\ICAClient
2007-09-18 05:29 65,936 ----a-w C:\WINDOWS\system32\driver s\tmtdi.sy s
2007-09-18 05:29 36,112 ----a-w C:\WINDOWS\system32\driver s\tmpreflt .sys
2007-09-18 05:29 333,328 ----a-w C:\WINDOWS\system32\driver s\TM_CFW.s ys
2007-09-18 05:29 203,024 ----a-w C:\WINDOWS\system32\driver s\tmxpflt. sys
2007-09-18 05:29 1,126,328 ----a-w C:\WINDOWS\system32\driver s\vsapint. sys
2007-09-15 00:23 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-09-15 00:23 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-09-15 00:14 --------- d-----w C:\Program Files\MSBuild
2007-09-15 00:09 --------- d-----w C:\Program Files\Reference Assemblies
2007-08-22 00:02 436,784 ----a-w C:\WINDOWS\system32\vnetli b.dll
2007-08-22 00:02 150,064 ----a-w C:\WINDOWS\system32\vmnat. exe
2007-08-22 00:02 121,392 ----a-w C:\WINDOWS\system32\vmnetd hcp.exe
2007-08-22 00:01 50,992 ----a-r C:\WINDOWS\system32\vmnetb ridge.dll
2007-08-22 00:01 13,104 ----a-r C:\WINDOWS\system32\vnetin st.dll
2007-08-21 23:02 219,696 ----a-w C:\WINDOWS\system32\vmnc.d ll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetco mm.dll
.
(((((((((((((((((((((((((( ((( snapshot@2007-11-14_10.16. 29.71 )))))))))))))))))))))))))) )))))))))) )))))
.
+ 2007-11-14 04:40:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERD NT.EXE
+ 2007-11-14 21:07:35 3,751,936 ----a-w C:\WINDOWS\ERUNT\SDFIX\Use rs\[u]0[/u ]0000001\N TUSER.DAT
+ 2007-11-14 21:07:35 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX\Use rs\[u]0[/u ]0000002\U srClass.da t
+ 2007-11-14 04:40:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_Fir st_Run\ERD NT.EXE
+ 2007-11-14 21:07:16 3,751,936 ----a-w C:\WINDOWS\ERUNT\SDFIX_Fir st_Run\Use rs\[u]0[/u ]0000001\N TUSER.DAT
+ 2007-11-14 21:07:16 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX_Fir st_Run\Use rs\[u]0[/u ]0000002\U srClass.da t
.
(((((((((((((((((((((((((( (((((((((( ( Reg Loading Points )))))))))))))))))))))))))) )))))))))) )))))))))) ))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Brow ser Helper Objects\{A95B2816-1D7E-456 1-A202-68C 0DE02353A} ]
2007-11-14 06:58 144480 --a------ C:\WINDOWS\system32\mtrryz pw.dll
[HKEY_LOCAL_MACHINE\~\Brow ser Helper Objects\{E0B54BEC-9209-4B5 D-94E5-A89 06DE18FFB} ]
2007-11-14 08:46 37376 --a------ C:\WINDOWS\system32\khfcyv u.dll
[HKEY_LOCAL_MACHINE\SOFTWA RE\Microso ft\Interne t Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF- 45AF828255 83}"= C:\WINDOWS\system32\mtrryz pw.dll [2007-11-14 06:58 144480]
[HKEY_CLASSES_ROOT\CLSID\{ 11A69AE4-F BED-4832-A 2BF-45AF82 825583}]
[HKEY_LOCAL_MACHINE\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"ehTray"="C:\WINDOWS\ehome \ehtray.ex e" [2004-08-10 03:04]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper. exe" [2007-07-10 08:18]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.ex e" [2007-08-21 19:02]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-08-21 19:01]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2007-09-18 00:29]
"SDFix"="C:\SDFix\RunThis. bat /second" []
[HKEY_CURRENT_USER\SOFTWAR E\Microsof t\Windows\ CurrentVer sion\Run]
"ctfmon.exe"="C:\WINDOWS\s ystem32\ct fmon.exe" [2006-03-15 07:00]
"GoToMeeting"="C:\Program Files\Citrix\GoToMeeting\1 98\g2mstar t.exe" [2007-10-27 17:13]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows \currentve rsion\runo nce]
"SDFix"=C:\SDFix\RunThis.b at /second
C:\Documents and Settings\John\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Ad obe Gamma Loader.exe [2007-04-30 06:55:34]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.E XE [2006-10-26 20:24:54]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Ad obe Gamma Loader.exe [2007-04-30 06:55:34]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync .exe [2006-10-23 00:01:50]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QB Update\qbu pdate.exe [2007-09-11 07:38:44]
[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows \currentve rsion\poli cies\syste m]
"InstallVisualStyle"=C:\WI NDOWS\Reso urces\Them es\Royale\ Royale.mss tyles
"InstallTheme"=C:\WINDOWS\ Resources\ Themes\Roy ale.theme
[HKEY_LOCAL_MACHINE\SOFTWA RE\Microso ft\Windows \CurrentVe rsion\Expl orer\Shell ExecuteHoo ks]
"{E0B54BEC-9209-4B5D-94E5- A8906DE18F FB}"= C:\WINDOWS\system32\khfcyv u.dll [2007-11-14 08:46 37376]
[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows nt\currentversion\winlogon \notify\In telWireles s]
C:\Program Files\Intel\Wireless\Bin\L gNotify.dl l 2005-07-22 22:46 110592 C:\Program Files\Intel\Wireless\Bin\L gNotify.dl l
[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows nt\currentversion\winlogon \notify\kh fcyvu]
khfcyvu.dll 2007-11-14 08:46 37376 C:\WINDOWS\system32\khfcyv u.dll
[HKEY_LOCAL_MACHINE\softwa re\microso ft\windows nt\currentversion\winlogon \notify\mt rryzpw]
mtrryzpw.dll 2007-11-14 06:58 144480 C:\WINDOWS\system32\mtrryz pw.dll
R3 vmkbd;VMware kbd;\??\C:\WINDOWS\system3 2\drivers\ VMkbd.sys
S2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sy s
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.ex e" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml
.
************************** ********** ********** ********** ********** ********
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 16:29:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************** ********** ********** ********** ********** ********
.
Completion time: 2007-11-14 16:31:18 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-14 10:17
.
--- E O F ---
ComboFix 07-11-08.1 - John 2007-11-14 16:22:36.2 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\John\Desktop\Comb
.
((((((((((((((((((((((((((
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\John\Desktop\Live
C:\Documents and Settings\John\Desktop\Onli
C:\Documents and Settings\John\Favorites\On
C:\WINDOWS\system32\ddcyw.
C:\WINDOWS\system32\jkkji.
C:\WINDOWS\system32\mtrryz
.
((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 ))))))))))))))))))))))))))
.
2007-11-14 16:20 <DIR> d-------- C:\Documents and Settings\Administrator\App
2007-11-14 16:06 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-14 15:38 7,049 --a------ C:\WINDOWS\system32\vtutu.
2007-11-14 13:38 7,049 --a------ C:\WINDOWS\system32\awtqq.
2007-11-14 11:38 7,049 --a------ C:\WINDOWS\system32\sstqn.
2007-11-14 10:38 7,049 --a------ C:\WINDOWS\system32\vtsqn.
2007-11-14 10:34 37,376 --a------ C:\WINDOWS\system32\awtuus
2007-11-14 09:34 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 08:46 37,376 --a------ C:\WINDOWS\system32\khfcyv
2007-11-14 06:58 144,480 --a------ C:\WINDOWS\system32\mtrryz
2007-11-14 06:57 144,480 --a------ C:\WINDOWS\system32\iohgsw
2007-11-14 06:36 <DIR> d-------- C:\VundoFix Backups
2007-11-14 03:31 52,496 --a------ C:\WINDOWS\system32\driver
2007-11-14 03:31 52,368 --a------ C:\WINDOWS\system32\driver
2007-11-14 03:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-11-14 00:05 85,056 --a------ C:\WINDOWS\system32\gconoj
2007-11-14 00:04 80,448 --a------ C:\WINDOWS\system32\wuyatv
2007-11-14 00:04 71,232 --a------ C:\WINDOWS\system32\svyeof
2007-11-13 21:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 21:16 138,512 --a------ C:\WINDOWS\system32\driver
2007-11-13 21:14 <DIR> d-------- C:\Documents and Settings\John\.housecall6.
2007-11-13 21:03 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-11-13 13:22 1,156 --a------ C:\WINDOWS\mozver.dat
2007-11-13 12:04 36,352 --a------ C:\WINDOWS\system32\opnolm
2007-11-13 09:20 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-13 00:10 144,480 --a------ C:\WINDOWS\system32\untthe
2007-11-13 00:07 89,664 --a------ C:\WINDOWS\system32\xwcwsp
2007-11-13 00:04 81,472 --a------ C:\WINDOWS\system32\teewvb
2007-11-13 00:04 71,232 --a------ C:\WINDOWS\system32\vstlwp
2007-11-12 13:13 36,352 --a------ C:\WINDOWS\system32\qomjij
2007-11-12 00:08 88,128 --a------ C:\WINDOWS\system32\ysbwbm
2007-11-12 00:08 79,936 --a------ C:\WINDOWS\system32\cvklol
2007-11-11 12:01 147,456 --a------ C:\WINDOWS\system32\vbzip1
2007-11-11 11:56 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-19 21:25 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-10-19 20:23 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-10-19 20:23 3,518,464 --a------ C:\WINDOWS\system32\cdintf
2007-10-19 20:23 1,843,200 --a------ C:\WINDOWS\system32\acXMLP
2007-10-19 20:21 <DIR> d-------- C:\Program Files\Intuit
2007-10-19 20:21 <DIR> d-------- C:\Program Files\Common Files\Intuit
2007-10-19 20:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Intuit
2007-10-19 20:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\COMMON FILES
2007-10-19 20:12 <DIR> d-------- C:\Program Files\Akamai
2007-10-19 20:12 <DIR> d-------- C:\Documents and Settings\John\Application Data\Download Manager
.
((((((((((((((((((((((((((
.
2007-11-14 15:34 --------- d-----w C:\Documents and Settings\LocalService\Appl
2007-11-14 15:34 --------- d-----w C:\Documents and Settings\John\Application Data\VMware
2007-11-14 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-11-14 03:19 --------- d-----w C:\Program Files\CA
2007-11-05 12:02 --------- d-----w C:\Program Files\Google
2007-10-06 11:49 --------- d-----w C:\Program Files\VMware
2007-10-06 11:49 --------- d-----w C:\Program Files\Common Files\VMware
2007-10-01 07:07 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-01 07:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-09-25 00:55 --------- d-----w C:\Program Files\Citrix
2007-09-25 00:55 --------- d-----w C:\Documents and Settings\John\Application Data\ICAClient
2007-09-18 05:29 65,936 ----a-w C:\WINDOWS\system32\driver
2007-09-18 05:29 36,112 ----a-w C:\WINDOWS\system32\driver
2007-09-18 05:29 333,328 ----a-w C:\WINDOWS\system32\driver
2007-09-18 05:29 203,024 ----a-w C:\WINDOWS\system32\driver
2007-09-18 05:29 1,126,328 ----a-w C:\WINDOWS\system32\driver
2007-09-15 00:23 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-09-15 00:23 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-09-15 00:14 --------- d-----w C:\Program Files\MSBuild
2007-09-15 00:09 --------- d-----w C:\Program Files\Reference Assemblies
2007-08-22 00:02 436,784 ----a-w C:\WINDOWS\system32\vnetli
2007-08-22 00:02 150,064 ----a-w C:\WINDOWS\system32\vmnat.
2007-08-22 00:02 121,392 ----a-w C:\WINDOWS\system32\vmnetd
2007-08-22 00:01 50,992 ----a-r C:\WINDOWS\system32\vmnetb
2007-08-22 00:01 13,104 ----a-r C:\WINDOWS\system32\vnetin
2007-08-21 23:02 219,696 ----a-w C:\WINDOWS\system32\vmnc.d
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetco
.
((((((((((((((((((((((((((
.
+ 2007-11-14 04:40:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERD
+ 2007-11-14 21:07:35 3,751,936 ----a-w C:\WINDOWS\ERUNT\SDFIX\Use
+ 2007-11-14 21:07:35 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX\Use
+ 2007-11-14 04:40:48 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_Fir
+ 2007-11-14 21:07:16 3,751,936 ----a-w C:\WINDOWS\ERUNT\SDFIX_Fir
+ 2007-11-14 21:07:16 217,088 ----a-w C:\WINDOWS\ERUNT\SDFIX_Fir
.
((((((((((((((((((((((((((
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Brow
2007-11-14 06:58 144480 --a------ C:\WINDOWS\system32\mtrryz
[HKEY_LOCAL_MACHINE\~\Brow
2007-11-14 08:46 37376 --a------ C:\WINDOWS\system32\khfcyv
[HKEY_LOCAL_MACHINE\SOFTWA
"{11A69AE4-FBED-4832-A2BF-
[HKEY_CLASSES_ROOT\CLSID\{
[HKEY_LOCAL_MACHINE\SOFTWA
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 21:05]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"ehTray"="C:\WINDOWS\ehome
"iTunesHelper"="C:\Program
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.ex
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-08-21 19:01]
"UfSeAgnt.exe"="C:\Program
"SDFix"="C:\SDFix\RunThis.
[HKEY_CURRENT_USER\SOFTWAR
"ctfmon.exe"="C:\WINDOWS\s
"GoToMeeting"="C:\Program Files\Citrix\GoToMeeting\1
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54]
[HKEY_LOCAL_MACHINE\softwa
"SDFix"=C:\SDFix\RunThis.b
C:\Documents and Settings\John\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Ad
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.E
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Ad
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QB
[HKEY_LOCAL_MACHINE\softwa
"InstallVisualStyle"=C:\WI
"InstallTheme"=C:\WINDOWS\
[HKEY_LOCAL_MACHINE\SOFTWA
"{E0B54BEC-9209-4B5D-94E5-
[HKEY_LOCAL_MACHINE\softwa
C:\Program Files\Intel\Wireless\Bin\L
[HKEY_LOCAL_MACHINE\softwa
khfcyvu.dll 2007-11-14 08:46 37376 C:\WINDOWS\system32\khfcyv
[HKEY_LOCAL_MACHINE\softwa
mtrryzpw.dll 2007-11-14 06:58 144480 C:\WINDOWS\system32\mtrryz
R3 vmkbd;VMware kbd;\??\C:\WINDOWS\system3
S2 vstor2-ws60;Vstor2 WS60 Virtual Storage Driver;\??\C:\Program Files\VMware\VMware Workstation\vstor2-ws60.sy
S3 ufad-ws60;VMware Agent Service;"C:\Program Files\VMware\VMware Workstation\vmware-ufad.ex
.
**************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 16:29:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************
.
Completion time: 2007-11-14 16:31:18 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-14 10:17
.
--- E O F ---
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks.. all set
This is not Over i still want to look at the new Combofix and Hijackthis log
BoggyBayouBoy,
You closed the question, have you solved the problem?
There are still bad files and registry entries listed in the combofix that needed to be remove.
You closed the question, have you solved the problem?
There are still bad files and registry entries listed in the combofix that needed to be remove.