Scott Lamond (United States of America) asked on

Trojan.Vundo: I just ran SDfix.exe and ComboFix.exe, now uploading logs

uploading logs

This is a Dell Inspiron 1300 notebook running WindowsXP.

Awaiting further instructions....
log.txt
report2.txt
Anti-Virus Apps

Last Comment: Member_2_49692, 8/22/2022 - Mon
Scott Lamond

ASKER
The system is still pathetically slow as I try to update the Norton AV list and reinstall Windows Defender. I'm still getting the continuously popping-up message that NAV found Trojan.Vundo at tuvsqno.dll and is unable to delete it.
ASKER CERTIFIED SOLUTION
rpggamergirl

Scott Lamond

ASKER
Here's the log after the 2nd run of ComboFix.exe, executed by dropping the CFScript.txt file onto it..........


ComboFix 08-04-10.9 - susan 2008-04-14 13:24:43.2 - NTFSx86
Running from: C:\ComboFix\ComboFix.exe
Command switches used :: C:\ComboFix\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acwjgkox.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\dbnccomc.dll
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\sgnsfrgs.dll
C:\WINDOWS\system32\sgrfsngs.ini
C:\WINDOWS\system32\tbxvbdpd.dll
C:\WINDOWS\system32\vsbnmmyh.dll
C:\WINDOWS\system32\wnfltbvw.dll
C:\WINDOWS\system32\xokgjwca.ini

.
(((((((((((((((((((((((((   Files Created from 2008-03-14 to 2008-04-14  )))))))))))))))))))))))))))))))
.

2008-04-14 11:46 . 2008-04-14 11:46      3,648      --a------      C:\WINDOWS\system32\uhifgrwd.dll
2008-04-11 13:33 . 2008-04-11 13:33      3,648      --a------      C:\WINDOWS\system32\sbvmhmdv.dll
2008-04-11 13:32 . 2008-04-14 11:45      101,091      --a------      C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-11 15:49      ---------      d-----w      C:\Program Files\DellSupport
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w         1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]


(((((((((((((((((((((((((((((   snapshot@2008-04-11_13.32.25.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 10:00:00      114,688      ----a-w      C:\WINDOWS\system32\dllcache\aclui.dll
+ 2004-08-04 10:00:00      98,304      ----a-w      C:\WINDOWS\system32\dllcache\ahui.exe
+ 2004-08-04 10:00:00      580,608      ----a-w      C:\WINDOWS\system32\dllcache\autofmt.exe
+ 2004-08-04 10:00:00      71,680      ----a-w      C:\WINDOWS\system32\dllcache\blastcln.exe
+ 2004-08-04 10:00:00      11,776      ----a-w      C:\WINDOWS\system32\dllcache\chkdsk.exe
+ 2004-08-04 10:00:00      10,752      ----a-w      C:\WINDOWS\system32\dllcache\clb.dll
+ 2004-08-04 10:00:00      102,912      ----a-w      C:\WINDOWS\system32\dllcache\clipbrd.exe
+ 2004-08-04 10:00:00      17,408      ----a-w      C:\WINDOWS\system32\dllcache\compact.exe
+ 2004-08-04 10:00:00      13,824      ----a-w      C:\WINDOWS\system32\dllcache\convert.exe
+ 2004-08-04 10:00:00      15,360      ----a-w      C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2004-08-04 10:00:00      82,432      ----a-w      C:\WINDOWS\system32\dllcache\dfrgfat.exe
+ 2004-08-04 10:00:00      85,504      ----a-w      C:\WINDOWS\system32\dllcache\diantz.exe
+ 2004-08-04 10:00:00      224,768      ----a-w      C:\WINDOWS\system32\dllcache\dmadmin.exe
+ 2004-08-04 10:00:00      83,456      ----a-w      C:\WINDOWS\system32\dllcache\dpvsetup.exe
+ 2004-08-04 10:00:00      45,568      ----a-w      C:\WINDOWS\system32\dllcache\drwtsn32.exe
+ 2004-08-04 10:00:00      1,298,432      ----a-w      C:\WINDOWS\system32\dllcache\dxdiag.exe
+ 2004-08-04 10:00:00      39,424      ----a-w      C:\WINDOWS\system32\dllcache\esentutl.exe
+ 2004-08-04 10:00:00      193,024      ----a-w      C:\WINDOWS\system32\dllcache\eudcedit.exe
+ 2004-08-04 10:00:00      45,568      ----a-w      C:\WINDOWS\system32\dllcache\extrac32.exe
+ 2004-08-04 10:00:00      9,216      ----a-w      C:\WINDOWS\system32\dllcache\finger.exe
+ 2004-08-04 10:00:00      55,296      ----a-w      C:\WINDOWS\system32\dllcache\freecell.exe
+ 2004-08-04 10:00:00      56,320      ----a-w      C:\WINDOWS\system32\dllcache\fsutil.exe
+ 2004-08-04 10:00:00      143,360      ----a-w      C:\WINDOWS\system32\dllcache\fxsclnt.exe
+ 2004-08-04 10:00:00      229,376      ----a-w      C:\WINDOWS\system32\dllcache\fxscover.exe
+ 2004-08-04 10:00:00      39,424      ----a-w      C:\WINDOWS\system32\dllcache\grpconv.exe
+ 2004-08-04 10:00:00      23,552      ----a-w      C:\WINDOWS\system32\dllcache\ipxroute.exe
+ 2004-08-04 10:00:00      75,264      ----a-w      C:\WINDOWS\system32\dllcache\locator.exe
+ 2004-08-04 10:00:00      220,672      ----a-w      C:\WINDOWS\system32\dllcache\logon.scr
+ 2004-08-04 10:00:00      514,560      ----a-w      C:\WINDOWS\system32\dllcache\logonui.exe
+ 2004-08-04 10:00:00      72,704      ----a-w      C:\WINDOWS\system32\dllcache\magnify.exe
+ 2004-08-04 10:00:00      815,104      ----a-w      C:\WINDOWS\system32\dllcache\mmc.exe
+ 2004-08-04 10:00:00      32,768      ----a-w      C:\WINDOWS\system32\dllcache\mnmsrvc.exe
+ 2004-08-04 10:00:00      20,992      ----a-w      C:\WINDOWS\system32\dllcache\msg.exe
+ 2004-08-04 10:00:00      29,184      ----a-w      C:\WINDOWS\system32\dllcache\mshta.exe
+ 2004-08-04 10:00:00      274,944      ----a-w      C:\WINDOWS\system32\dllcache\mstask.dll
+ 2004-08-04 10:00:00      12,288      ----a-w      C:\WINDOWS\system32\dllcache\mstinit.exe
+ 2004-08-04 10:00:00      407,552      ----a-w      C:\WINDOWS\system32\dllcache\mstsc.exe
+ 2004-08-04 10:00:00      111,104      ----a-w      C:\WINDOWS\system32\dllcache\netdde.exe
+ 2004-08-04 10:00:00      329,728      ----a-w      C:\WINDOWS\system32\dllcache\netsetup.exe
+ 2004-08-04 10:00:00      36,864      ----a-w      C:\WINDOWS\system32\dllcache\netstat.exe
+ 2004-08-04 10:00:00      31,744      ----a-w      C:\WINDOWS\system32\dllcache\ntsd.exe
+ 2004-08-04 10:00:00      419,840      ----a-w      C:\WINDOWS\system32\dllcache\ntvdm.exe
+ 2004-08-04 10:00:00      215,552      ----a-w      C:\WINDOWS\system32\dllcache\osk.exe
+ 2004-08-04 10:00:00      49,152      ----a-w      C:\WINDOWS\system32\dllcache\powercfg.exe
+ 2004-08-04 10:00:00      109,568      ----a-w      C:\WINDOWS\system32\dllcache\progman.exe
+ 2004-08-04 10:00:00      16,896      ----a-w      C:\WINDOWS\system32\dllcache\qappsrv.exe
+ 2004-08-04 10:00:00      56,832      ----a-w      C:\WINDOWS\system32\dllcache\rasphone.exe
+ 2004-08-04 10:00:00      7,168      ----a-w      C:\WINDOWS\system32\dllcache\recover.exe
+ 2004-08-04 10:00:00      11,776      ----a-w      C:\WINDOWS\system32\dllcache\regsvr32.exe
+ 2004-08-04 10:00:00      132,608      ----a-w      C:\WINDOWS\system32\dllcache\rsvp.exe
+ 2004-08-04 10:00:00      13,312      ----a-w      C:\WINDOWS\system32\dllcache\savedump.exe
+ 2004-08-04 10:00:00      77,312      ----a-w      C:\WINDOWS\system32\dllcache\sdbinst.exe
+ 2004-08-04 10:00:00      9,728      ----a-w      C:\WINDOWS\system32\dllcache\sfc.exe
+ 2004-08-04 10:00:00      114,688      ----a-w      C:\WINDOWS\system32\dllcache\wscript.exe
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86B9E7E9-CE7F-4DA7-B570-ADD685938F7F}]
2008-04-14 13:44      273408      --a------      C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
2007-12-30 13:37      40448      --a------      C:\WINDOWS\system32\tuvsqno.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]
"Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"BM3b1cc58d"="C:\WINDOWS\system32\oovcwwrs.dll" [2008-04-14 13:46 96320]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\tuvsqno.dll [2007-12-30 13:37 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
tuvsqno.dll 2007-12-30 13:37 40448 C:\WINDOWS\system32\tuvsqno.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 C:\WINDOWS\system32\ddaya

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 14:10:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-11 23:02:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 13:40:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ayadd.ini 264564 bytes
C:\WINDOWS\system32\ayadd.ini2 345 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tuvsqno.dll
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\oovcwwrs.dll
-> C:\WINDOWS\system32\ddaya.dll
.
------------------------ Other Running Processes
------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\CBA\PDS.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CBA\XFR.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\MSGSYS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-04-14 13:51:00 - machine was rebooted
ComboFix-quarantined-files.txt  2008-04-14 17:50:29
ComboFix2.txt  2008-04-11 17:34:40
Pre-Run: 6,909,997,056 bytes free
Post-Run: 6,969,774,080 bytes free
.
2008-04-08 20:46:42      --- E O F ---  

Scott Lamond

ASKER
Also, let me know when to reactivate NAV, Windows Defender and System Restore.

Thanks.
S.
rpggamergirl

>>>Also, let me know when to reactivate NAV, Windows Defender <<<
You only turn them off while ComboFix is running.
You should turn System Restore back on. I never advise anyone to turn System Restore off while cleaning a system.


There's a Vundo file there that is sticking; we'll use another tool if CF can't remove it.

Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\system32\uhifgrwd.dll
C:\WINDOWS\system32\sbvmhmdv.dll
C:\WINDOWS\BM3b1cc58d.xml
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\tuvsqno.dll
C:\WINDOWS\system32\oovcwwrs.dll
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini2

Folder::
C:\WINDOWS\system32\ddaya

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86B9E7E9-CE7F-4DA7-B570-ADD685938F7F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM3b1cc58d"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]


--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot (in case it asks to reboot), attach the contents of ComboFix.txt in your next reply.
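Added example (not from this thread, rpggamergirl, or the ComboFix authors): a Python script that reads the "Reg Loading Points" section of a ComboFix log like the one above, flags the hook points Vundo used on this machine (Browser Helper Objects, ShellExecuteHooks, Winlogon Notify, a DLL as a Run value, an extra LSA Authentication Package) and emits a CFScript in the File::/Registry:: form described in the post. The sample log is a constructed, condensed copy of the entries above; the "random lowercase name directly in system32" rule is my own heuristic, and the LSA entry is reported for manual review rather than scripted.

```python
import re

# Constructed sample: a condensed copy of the "Reg Loading Points" entries from
# the ComboFix log posted above (one benign Run value kept as a control).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86B9E7E9-CE7F-4DA7-B570-ADD685938F7F}]
2008-04-14 13:44      273408      --a------      C:\WINDOWS\system32\ddaya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
2007-12-30 13:37      40448      --a------      C:\WINDOWS\system32\tuvsqno.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"BM3b1cc58d"="C:\WINDOWS\system32\oovcwwrs.dll" [2008-04-14 13:46 96320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\tuvsqno.dll [2007-12-30 13:37 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
tuvsqno.dll 2007-12-30 13:37 40448 C:\WINDOWS\system32\tuvsqno.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages      REG_MULTI_SZ         msv1_0 C:\WINDOWS\system32\ddaya
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# A Windows path: quoted (may contain spaces) or bare (runs to the next space).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
VALUE_RE = re.compile(r'^"([^"]+)"=')
# Heuristic (my assumption, not from the thread): a Vundo-style target is a file
# directly in system32 whose name is random lowercase letters, with or without
# a .dll extension. Legit all-lowercase names can false-positive, so review hits.
RANDOM_SYS32_RE = re.compile(r"^(?i:[a-z]:\\windows\\system32\\)([a-z]{4,12})(?:\.dll)?$")


def parse_loading_points(text):
    """Yield (key, line) for every non-blank line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key is not None:
            yield key, line


def classify(key, line):
    """Return (kind, key, value_name, path) if the entry looks like Vundo persistence."""
    k = key.lower()
    vm = VALUE_RE.match(line)
    value = vm.group(1) if vm else None
    for path in (quoted or bare for quoted, bare in PATH_RE.findall(line)):
        if not RANDOM_SYS32_RE.match(path):
            continue
        if k.endswith("\\control\\lsa") and "authentication packages" in line.lower():
            return ("lsa", key, value, path)   # manual review, not scripted
        if k.endswith("\\currentversion\\run") and path.lower().endswith(".dll"):
            return ("run", key, value, path)   # a DLL in Run is loaded via rundll32
        if "shellexecutehooks" in k:
            return ("hook", key, value, path)  # drop just the CLSID value
        if "browser helper objects" in k or "winlogon\\notify" in k:
            return ("key", key, value, path)   # drop the whole key
    return None


def analyze(log_text):
    return [f for f in (classify(k, l) for k, l in parse_loading_points(log_text)) if f]


def build_cfscript(findings):
    """Emit CFScript text (File:: / Registry:: as in the post) plus items for manual review."""
    files, key_deletes, value_deletes, review = [], [], {}, []
    for kind, key, value, path in findings:
        if kind == "lsa":
            review.append(f"{key}: Authentication Packages references {path}")
            continue
        if path.lower() not in (p.lower() for p in files):
            files.append(path)
        if kind == "key":
            if f"[-{key}]" not in key_deletes:
                key_deletes.append(f"[-{key}]")
        else:
            value_deletes.setdefault(key, []).append(value)
    registry = list(key_deletes)
    for key, values in value_deletes.items():
        registry.append(f"[{key}]")
        registry.extend(f'"{v}"=-' for v in values)
    script = "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(registry) + "\n"
    return script, review


if __name__ == "__main__":
    script, review = build_cfscript(analyze(SAMPLE_LOG))
    print(script)
    for item in review:
        print("REVIEW MANUALLY:", item)
```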

SOLUTION
Member_2_49692

Scott Lamond

ASKER
New log after latest ComboFix.exe run..........


CFlog041808.txt
Scott Lamond

ASKER
I noticed that the 4-18-08 log states "WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !" but when I check My Computer/Properties/System Restore there is no checkmark applied to the disable option.
Member_2_49692

Do the following:

Run the Vundo removal tools I posted above; Vundo is still present...
Then open Notepad, copy the following code between the lines and paste it into Notepad,
and, as rpggamergirl said before:
"Save this as CFScript in the same location as ComboFix.exe
drag CFScript.txt into ComboFix.exe"

----------------------------------------------------------begin copy---------------------

File::
C:\WINDOWS\system32\sbvmhmdv.dll
C:\WINDOWS\system32\uhifgrwd.dll
C:\WINDOWS\system32\ulkboyjc.dll
C:\WINDOWS\BM3b1cc58d.xml
C:\WINDOWS\system32\MRT.INI
C:\WINDOWS\system32\F48EA6F3DE.sys
C:\WINDOWS\system32\KGyGaAvL.sys

--------------------------------------------------------end copy-----------------------------


Also go to Control Panel > Add/Remove Programs and uninstall Viewpoint.

Go into the Registry Editor (Start > Run > regedit) and under this key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
remove this value:
"Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]

Also, this file is still present here:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]

Remove the entire tuvsqno key.

You also have a Spybot infection
http://www.sophos.com/security/analyses/viruses-and-spyware/w32spybotv.html
because of the presence of this file:
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=

use this program to remove it

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally, copy and paste the contents of the results file Report.txt back onto the forum.
Member_2_49692

Sorry, scratch the SDFix; you already ran that... don't run it.

Instead, go into the Registry Editor to this key
[HKLM\current control set\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

Also check control set 01

and delete this from the list:
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=


Also go to C:\Program Files and see if there is a folder named Soulseek; if so, delete it. Make sure you are showing hidden and system files.
Scott Lamond

ASKER
After the ComboFix run (but before running the other VundoFix instructions and registry edits).....

ComboFix 08-04-10.9 - susan 2008-04-21 13:34:43.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.84 [GMT -4:00]
Running from: C:\ComboFix\ComboFix.exe
Command switches used :: C:\ComboFix\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-03-21 to 2008-04-21  )))))))))))))))))))))))))))))))
.

2008-04-18 15:39 . 2008-04-18 15:39      <DIR>      d--------      C:\Program Files\Windows Defender
2008-04-18 15:37 . 2008-04-18 15:37      <DIR>      d--------      C:\WINDOWS\LastGood
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 13:32 . 2008-04-17 13:52      101,091      --a------      C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w         1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]


(((((((((((((((((((((((((((((   snapshot_2008-04-18_13.17.18.71   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\LastGood\system32\LegitCheckControl.DLL
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]
"Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
tuvsqno.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

*Newly Created Service* - NAVEX15
*Newly Created Service* - WINDEFEND
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 20:24:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-21 05:37:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 13:38:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-21 13:40:33
ComboFix-quarantined-files.txt  2008-04-21 17:40:05
ComboFix2.txt  2008-04-18 17:18:27
ComboFix3.txt  2008-04-14 17:51:05
ComboFix4.txt  2008-04-11 17:34:40
Pre-Run: 6,778,507,264 bytes free
Post-Run: 6,758,416,384 bytes free
.
2008-04-18 20:01:24      --- E O F ---  
Scott Lamond

ASKER
The following key does not exist (I assume a typo)...........

You wrote:

instead go into the registry editor to this key
[HKLM\current control set\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

also check control set 01

and delete this from the list
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
Member_2_49692

I need a ComboFix log after the regedits to see if those entries are still present. Also, before doing this, go to Start > Run > regedit, then go to Edit > Find and look for the following:
slsk.exe

It should be a value that reads like this:

"C:\\Program Files\\Soulseek-Test\\slsk.exe" (delete this value).
Scott Lamond

ASKER
I ran VundoFix.exe but it found nothing.
I was unsure if I should run the other Vundo fixer???

Here's the most recent ComboFix log after the registry edits.........

ComboFix 08-04-10.9 - susan 2008-04-21 14:50:28.5 - NTFSx86
Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .

(((((((((((((((((((((((((   Files Created from 2008-03-21 to 2008-04-21  )))))))))))))))))))))))))))))))
.

2008-04-18 15:39 . 2008-04-18 15:39      <DIR>      d--------      C:\Program Files\Windows Defender
2008-04-18 15:37 . 2008-04-18 15:37      <DIR>      d--------      C:\WINDOWS\LastGood
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 13:32 . 2008-04-17 13:52      101,091      --a------      C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 17:55      ---------      d-----w      C:\Program Files\Java
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w         1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]


(((((((((((((((((((((((((((((   snapshot_2008-04-18_13.17.18.71   )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\LastGood\system32\LegitCheckControl.DLL
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ] "AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ] "SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ] "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ] "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ] "vptray"="C:\Program Files\NavNT\vptray.exe" [ ] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576] Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128] KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423] QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe

*Newly Created Service* - NAVEX15
*Newly Created Service* - WINDEFEND
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 20:24:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-21 05:37:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe .
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-21 14:54:22 Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-21 14:55:51
ComboFix-quarantined-files.txt  2008-04-21 18:55:22 ComboFix2.txt  2008-04-21 17:40:34 ComboFix3.txt  2008-04-18 17:18:27 ComboFix4.txt  2008-04-14 17:51:05 ComboFix5.txt  2008-04-11 17:34:40
Pre-Run: 6,817,079,296 bytes free
Post-Run: 6,797,447,168 bytes free
.
2008-04-18 20:01:24      --- E O F ---  

Scott Lamond

ASKER
While waiting for a response to my latest ComboFix log post, I decided to run VirtumundoBeGone.exe and it looks like nothing was found:


[04/23/2008, 14:47:52] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\susan\Desktop\VirtumundoBeGone.exe" )
[04/23/2008, 14:47:55] - Detected System Information:
[04/23/2008, 14:47:55] -  Windows Version: 5.1.2600, Service Pack 2
[04/23/2008, 14:47:55] -  Current Username: susan (Admin)
[04/23/2008, 14:47:55] -  Windows is in SAFE mode.
[04/23/2008, 14:47:55] - Searching for Browser Helper Objects:
[04/23/2008, 14:47:55] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/23/2008, 14:47:55] -  BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/23/2008, 14:47:55] - Finished Searching Browser Helper Objects
[04/23/2008, 14:47:55] - Finishing up...
[04/23/2008, 14:47:55] - Nothing found! Exiting...
Member_2_49692

Look for this in the registry
StubInstaller.exe

Once found, remove it. That is the only thing I am seeing from your last log. Sorry I did not get back to you sooner; for some reason I did not get a notification on your post from 4-21.

Download and run this program:
http://www.ccleaner.com  Analyze the system, then run it to clean up all your temporary files and so forth. If it removes quite a bit of things I would then go to Start, Programs, Accessories, System Tools, and run Disk Defragmenter.

How is the machine running now ?
Scott Lamond

ASKER
Thanks for the post, I will act on it soon.
Before I do, I thought I'd mention that the machine is running much better.
However, Norton AV just popped up with a virus found "W32.Trats!inf" with QuarantineFailed/Access Denied.

I will follow your instructions and then I assume I should run ComboFix.exe to get a log (unless the CCleaner generates one).
Scott Lamond

ASKER
CCleaner removed 75 Mb very quickly.
Disk Defrag Analysis indicated that defrag is not necessary.
However, I noticed that there's only 16% free space on drive C, not sure how much of an issue that is.
I will advise the user to delete unnecessary programs.

At least one remaining issue is that "W32.Trats!inf" virus.
Scott Lamond

ASKER
I am running ComboFix and will post a new log ASAP.
Scott Lamond

ASKER
The latest ComboFix log.........

ComboFix 08-04-22.5 - susan 2008-04-24  9:48:37.6 - NTFSx86 Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.124 [GMT -4:00]Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf

.
(((((((((((((((((((((((((   Files Created from 2008-03-24 to 2008-04-24  )))))))))))))))))))))))))))))))
.

2008-04-24 09:17 . 2008-04-24 09:17      <DIR>      d--------      C:\Program Files\CCleaner
2008-04-18 15:39 . 2008-04-18 15:39      <DIR>      d--------      C:\Program Files\Windows Defender
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 13:32 . 2008-04-17 13:52      101,091      --a------      C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 14:45 . 2008-04-07 14:45      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-04-07 14:45 . 2008-04-24 09:48      1,024      --ah-----      C:\Documents and Settings\Administrator\ntuser.dat.LOG

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 17:55      ---------      d-----w      C:\Program Files\Java
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w         1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]


(((((((((((((((((((((((((((((   snapshot_2008-04-18_13.17.18.71   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-23 19:26:28      2,048      --s-a-w      C:\WINDOWS\bootstat.dat
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system\MOUSE.DRV
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system\SOUND.DRV
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system\VGA.DRV
+ 2004-08-04 10:00:00      1,788      ----a-w      C:\WINDOWS\system32\Dcache.bin
+ 2004-12-06 06:05:00      2,239      ----a-w      C:\WINDOWS\system32\dla\tfsndres.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-08-04 10:00:00      2,944      ----a-w      C:\WINDOWS\system32\drivers\null.sys
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system32\keyboard.drv
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2004-08-04 10:00:00      2,560      ----a-w      C:\WINDOWS\system32\lz32.dll
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system32\mouse.drv
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system32\sound.drv
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system32\vga.drv
+ 2004-08-04 10:00:00      2,864      ----a-w      C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 10:00:00      2,112      ----a-w      C:\WINDOWS\system32\winspool.exe
+ 2004-08-04 10:00:00      2,736      ----a-w      C:\WINDOWS\system32\wowdeb.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ] "AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ] "SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ] "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ] "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ] "vptray"="C:\Program Files\NavNT\vptray.exe" [ ] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\ LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576] Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912] Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128] KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423] QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"=


*Newly Created Service* - NAVAP
*Newly Created Service* - NAVEX15
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 20:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-24 05:55:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe .
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-24 09:52:02 Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-24  9:54:55
ComboFix-quarantined-files.txt  2008-04-24 13:53:51 ComboFix2.txt  2008-04-21 18:55:52 ComboFix3.txt  2008-04-21 17:40:34 ComboFix4.txt  2008-04-18 17:18:27 ComboFix5.txt  2008-04-14 17:51:05

Pre-Run: 6,767,300,608 bytes free
Post-Run: 6,750,720,000 bytes free

148      --- E O F ---      2008-04-22 23:47:25



     
Scott Lamond

ASKER
Just posting a message to confirm that I have posted a new ComboFix log, in case my previous message got blocked by someone's spam filter.
Member_2_49692

Remove these files

C:\WINDOWS\system32\F48EA6F3DE.sys
C:\WINDOWS\BM3b1cc58d.xml

download and run this tool
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

post the logfile up here


Scott Lamond

ASKER
The file C:\WINDOWS\system32\F48EA6F3DE.sys did not exist, but I did delete the other file.


It seems incomplete, but here is the RenV.exe log.............

[code]
Ran on Fri 04/25/2008 - 16:14:03.29

----a-w         1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs .exe

 Entries:                1  (1)
 Directories:            0  Files:             1
 Bytes:          1,694,208  Blocks:        3,309
[/code]


Member_2_49692

It didn't find anything then... Try doing the following



go to the command prompt and go to the following directory

c:\windows\system32

then type the following

attrib -h

then see what comes up saying not resetting file
Copy and paste those up to here. I want to see if you have files hiding on you
Scott Lamond

ASKER
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>attrib -h
Not resetting system file - C:\WINDOWS\system32\camoiste.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.tmp
Not resetting system file - C:\WINDOWS\system32\F48EA6F3DE.sys
Not resetting system file - C:\WINDOWS\system32\KGyGaAvL.sys
Not resetting system file - C:\WINDOWS\system32\lwevdeix.ini
Not resetting system file - C:\WINDOWS\system32\wxjqjlco.ini
Not resetting system file - C:\WINDOWS\system32\ylflogff.ini

C:\WINDOWS\system32>


Member_2_49692

Bingo, those are the infectors!

Here is what I want you to do, since automatic removal through ComboFix has not worked thus far.

Download knoppix live cd here and burn it as a bootable CD
http://www.knoppix.org/

Boot the PC with knoppix in the drive and then go to the C:\ drive and delete the following files

C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\F48EA6F3DE.sys
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini


Another option would be the Recovery Console. Put your Windows CD in, boot up, at the first screen hit R and follow the onscreen prompts. When it asks for a password, if you never assigned one to the administrator account, just press Enter. You will then be able to delete the files by going to the directory those files are in,
%systemroot%system32, then type del filename.extension
Example: del ylflogff.ini, then press Enter.
rpggamergirl

I'm very sorry, I was away with no internet access.

Glad to see briancassin is here.
You could also try deleting those files using a ComboFix CFScript.
A lot of legit files are showing in the ComboFix log as empty files. This usually happens with file infectors, as antivirus scanners etc. end up deleting them. You might just have to reinstall any programs or .exes that no longer work.
Member_2_49692

wb rpggamergirl :)


We tried CFScript, but this particular one does not want to delete. I figured maybe using a Knoppix disk or the like would give the ability to kill it.
C:\WINDOWS\system32\F48EA6F3DE.sys

Scott Lamond

ASKER
I downloaded the file KNOPPIX_V5.1.0CD-2006-12-30-EN, about 650 Mb, and burned it to a CD.
I changed the laptop setup to boot from CD first, but after a long delay it boots right into WindowsXP.

Is there something special that has to be done during the burn process to make it a bootable CD?

Or, did I download the wrong file?
Member_2_49692

You have to burn it as a bootable image.

You probably burned the ISO file directly to the CD. I do not know what you are using to burn the CD, but you would need either Nero or Roxio.

Another way and probably much easier is downloading this program here
http://www.imgburn.com/
Install it, then put a blank CD in your drive, close any prompts that come up, then just right-click on the Knoppix ISO and select "burn using ImgBurn". Leave the CD in the drive and reboot; you should now be able to boot off the CD.
rpggamergirl

briancassin,
Thanks, :)



>>>We tried CfScript but this particular one does not want to delete I figured maybe using a knoppix disk or the like would give the ability to kill it.
>>>C:\WINDOWS\system32\F48EA6F3DE.sys<<<

Maybe we can leave that file for now. Let's first delete those hidden files (below) using CFScript; we haven't tried deleting those yet, and that might be all that's needed, we'll see. The F48EA6F3DE.sys is dated over a year ago, so I'm not sure that's the culprit; I could be wrong of course.
Can we please try deleting these files below first using CFScript?



File::
C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini
Scott Lamond

ASKER
Since my motto is "Simplify", I will first try rpggamergirl's suggestion.
 
She gives me too much credit regarding my knowledge, but from my recent interaction with briancassin I'll assume I place the list of files in CFScript.txt and drop it onto ComboFix.exe.
rpggamergirl

Sorry... yes, same thing as you did before, create a CFScript.txt and after you've done that, just drag it over to Combofix.exe.


Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
and then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply.
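Two steps in this thread go together: the `attrib -h` trick (files that stay hidden because they also carry the system attribute show up as "Not resetting system file"), and the CFScript `File::` list built from that output. The script below, an added example that is not part of this thread or of ComboFix, parses a constructed copy of that attrib output, separates the random-looking eight-letter names from the rest for manual review, and renders the `File::` block; the eight-lowercase-letter heuristic is an assumption drawn from the names seen in this thread, not a rule of the tool.

```python
import re

# Constructed sample in the shape of the "attrib -h" output posted earlier in
# this thread (same file names); not a capture from the poster's machine.
ATTRIB_OUTPUT = r"""
C:\WINDOWS\system32>attrib -h
Not resetting system file - C:\WINDOWS\system32\camoiste.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.tmp
Not resetting system file - C:\WINDOWS\system32\F48EA6F3DE.sys
Not resetting system file - C:\WINDOWS\system32\KGyGaAvL.sys
Not resetting system file - C:\WINDOWS\system32\lwevdeix.ini
Not resetting system file - C:\WINDOWS\system32\wxjqjlco.ini
Not resetting system file - C:\WINDOWS\system32\ylflogff.ini

C:\WINDOWS\system32>
"""

# attrib prints this line for every hidden+system file it refuses to change.
NOT_RESETTING = re.compile(r"^Not resetting system file - (?P<path>.+?)\s*$")

# Assumption (heuristic from the names in this thread): the dropped companion
# files use eight random lowercase letters with an .ini/.tmp/.dll extension.
# Anything else (e.g. licensing or driver files) goes to the review bucket.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(ini|tmp|dll)$")


def parse_attrib_output(text):
    """Return the paths that attrib reported as 'Not resetting system file'."""
    paths = []
    for line in text.splitlines():
        m = NOT_RESETTING.match(line.strip())
        if m:
            paths.append(m.group("path"))
    return paths


def triage(paths):
    """Split paths into (random-looking candidates, everything else).

    The second list is for a human to look at; nothing here decides on its own
    that a file is malicious.
    """
    candidates, others = [], []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if RANDOM_NAME.match(name):
            candidates.append(path)
        else:
            others.append(path)
    return candidates, others


def build_cfscript(paths):
    """Render the CFScript.txt File:: section in the format used in this thread."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = parse_attrib_output(ATTRIB_OUTPUT)
    cands, review = triage(found)
    print(build_cfscript(cands))
    print("Review manually before adding:", *review, sep="\n  ")
```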
Scott Lamond

ASKER
The latest ComboFix.txt log...........

ComboFix 08-04-22.5 - susan 2008-04-29  9:34:10.7 - NTFSx86 Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.170 [GMT -4:00] Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\susan\Desktop\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]

FILE ::
C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini

.
(((((((((((((((((((((((((   Files Created from 2008-03-28 to 2008-04-29  )))))))))))))))))))))))))))))))
.

2008-04-24 09:17 . 2008-04-24 09:17      <DIR>      d--------      C:\Program Files\CCleaner
2008-04-18 15:39 . 2008-04-18 15:39      <DIR>      d--------      C:\Program Files\Windows Defender
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-25 13:02      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 14:45 . 2008-04-07 14:45      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-04-07 14:45 . 2008-04-29 06:07      1,024      --ah-----      C:\Documents and Settings\Administrator\ntuser.dat.LOG

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 17:35      ---------      d-----w      C:\Program Files\Soulseek-Test
2008-04-21 17:55      ---------      d-----w      C:\Program Files\Java
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w         1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]


(((((((((((((((((((((((((((((   snapshot_2008-04-18_13.17.18.71   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-28 19:02:43      2,048      --s-a-w      C:\WINDOWS\bootstat.dat
- 2008-04-11 15:51:48      806,912      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-04-25 15:54:25      3,743,744      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-04-11 15:51:48      8,192      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-04-25 15:54:25      151,552      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system\MOUSE.DRV
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system\SOUND.DRV
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system\VGA.DRV
+ 2004-08-04 10:00:00      1,788      ----a-w      C:\WINDOWS\system32\Dcache.bin
+ 2004-12-06 06:05:00      2,239      ----a-w      C:\WINDOWS\system32\dla\tfsndres.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-08-04 10:00:00      2,944      ----a-w      C:\WINDOWS\system32\drivers\null.sys
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system32\keyboard.drv
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2004-08-04 10:00:00      2,560      ----a-w      C:\WINDOWS\system32\lz32.dll
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system32\mouse.drv
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system32\sound.drv
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system32\vga.drv
+ 2004-08-04 10:00:00      2,864      ----a-w      C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 10:00:00      2,112      ----a-w      C:\WINDOWS\system32\winspool.exe
+ 2004-08-04 10:00:00      2,736      ----a-w      C:\WINDOWS\system32\wowdeb.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ] "AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ] "SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ] "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ] "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ] "MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ] "Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ] "dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ] "vptray"="C:\Program Files\NavNT\vptray.exe" [ ] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ] "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"= "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 20:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 05:44:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 09:37:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-29  9:39:50
ComboFix-quarantined-files.txt  2008-04-29 13:38:46
ComboFix2.txt  2008-04-24 13:54:56
ComboFix3.txt  2008-04-21 18:55:52
ComboFix4.txt  2008-04-21 17:40:34
ComboFix5.txt  2008-04-18 17:18:27

Pre-Run: 6,666,014,720 bytes free
Post-Run: 6,647,566,336 bytes free

162      --- E O F ---      2008-04-24 14:09:32


Scott Lamond

ASKER
Should I wait for feedback on the latest ComboFix.txt log (posted above), or should I run that German boot CD?

I have Nero CD burning software, if you can give me instructions for creating a boot CD using that software.
rpggamergirl

Combofix had deleted those files.
How is the pc going? Are you still having the "W32.Trats!inf" virus issue?


About the Knoppix bootable ISO file:
according to the Knoppix FAQ (below), just burn the ISO as an image and all the files that make it bootable should be in their proper places.


http://www.knoppix.net/wiki/Downloading_FAQ#Q:_How_do_I_burn_an_ISO_to_a_CD_using_NERO.3F
>>>"Q: What option do I use to make the CD (or DVD) bootable?
A: None! Do not use any option in your burning software to make the CD bootable. Just burn the ISO as an image, this will put all of the proper files on the CD in the proper locations and the resulting CD will be a perfect copy of the original Knoppix CD and will be bootable. If you take any option that makes a bootable CD, you will end up with a CD that does not boot into Linux/Knoppix."<<<



This NERO tutorial for burning ISO image might help.
http://wizardskeep.org/mainhall/tutor/neroiso.html
Scott Lamond

ASKER
The laptop is running fine and getting no virus messages.
I will do a full scan to be sure.

I will also follow the Nero instructions and retry booting to Knoppix.
Scott Lamond

ASKER
OK, I got Knoppix running on the laptop but my new problem is that it's not a Windows-based interface.
I can't even figure out how to get to the C drive to see if any of the files in the list need to be deleted.
Scott Lamond

ASKER
Disregard my last message.
I figured out how to get to the Windows/System32 folder.
The only target file that I found was C:\WINDOWS\system32\F48EA6F3DE.sys and I deleted it.

This laptop is being returned to a teenager, so I have exhausted my patience with this project and expect that it will boomerang back to me in 6-12 months anyway.

All I need now is some guidance (since EE Customer Service never answered me) on how to split the points on this project.

Thanks to both of you.
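The step the asker describes above (reaching the Windows\system32 folder from the Knoppix live CD and removing the target file) done from the live CD's shell, as an added example that is not part of the original thread. It assumes the Windows partition is /dev/sda1 and is mounted read-write at /mnt/win with ntfs-3g (both names are placeholders); the target list is constructed here, and only F48EA6F3DE.sys comes from the thread. Because NTFS names are case-insensitive but the Linux view of the volume is not, each path component is matched case-insensitively, and found files are moved into a quarantine directory rather than deleted so a sample survives for analysis.

```shell
# Added example (not from the original thread): locate and quarantine a list of
# target files on a Windows volume mounted from a Linux live CD such as Knoppix.
# Assumptions: the Windows partition is /dev/sda1 and is mounted read-write at
# /mnt/win; the device name and mount point are placeholders.
#
# On the live CD (run as root):
#   mount -t ntfs-3g /dev/sda1 /mnt/win
#   find_targets /mnt/win "$TARGETS"
#   quarantine_targets /mnt/win "$TARGETS" /mnt/win/quarantine
#   umount /mnt/win

# Windows-style paths relative to the drive root. Only F48EA6F3DE.sys is the
# file named in the thread; the other entry is a constructed placeholder.
TARGETS='WINDOWS\system32\F48EA6F3DE.sys
WINDOWS\system32\constructed.dll'

# Resolve one backslash-separated Windows path under mount point $1, matching
# each component case-insensitively (NTFS is case-insensitive, the Linux view
# of it is not). Prints the real path, or prints nothing and returns 1.
resolve_win_path() {
    mnt=$1
    rel=$(printf '%s' "$2" | tr '\\' '/')
    cur=$mnt
    old_ifs=$IFS
    set -f                      # no globbing while splitting on '/'
    IFS=/
    set -- $rel
    IFS=$old_ifs
    set +f
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        match=$(find "$cur" -mindepth 1 -maxdepth 1 -iname "$comp" | head -n 1)
        [ -n "$match" ] || return 1
        cur=$match
    done
    printf '%s\n' "$cur"
}

# Report each target as "FOUND <real path>" or "MISSING <windows path>".
find_targets() {
    mnt=$1
    printf '%s\n' "$2" | while IFS= read -r t; do
        [ -n "$t" ] || continue
        if p=$(resolve_win_path "$mnt" "$t"); then
            printf 'FOUND %s\n' "$p"
        else
            printf 'MISSING %s\n' "$t"
        fi
    done
}

# Move each found regular file into quarantine directory $3 instead of
# deleting it. Prints one "MOVED <src> -> <dst>" line per file.
quarantine_targets() {
    mnt=$1
    qdir=$3
    mkdir -p "$qdir"
    printf '%s\n' "$2" | while IFS= read -r t; do
        [ -n "$t" ] || continue
        if p=$(resolve_win_path "$mnt" "$t") && [ -f "$p" ]; then
            dst=$qdir/$(basename "$p")
            mv -- "$p" "$dst"
            printf 'MOVED %s -> %s\n' "$p" "$dst"
        fi
    done
}
```

Moving a file offline does not touch the registry entries that reference it, so after booting back into Windows the log tool should be re-run to confirm that no loading point still points at the removed file.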

Member_2_49692

To split the points you should have a button that says "Accept Multiple Solutions". Click on that, then assign the points next to the comments for the experts that helped, and then select one of them as the accepted solution; the rest will be assisted solutions.
Member_2_49692

If you want to prevent reinfection I would load the following software:

http://www.siteadvisor.com
http://www.javacoolsoftware.com
http://www.mozilla.org - Firefox

Also ensure you have anti-virus on the system and that it is up to date, and anti-spyware.
rpggamergirl

Glad to know all's well.

You might also like to check out TonyKlein's article, "How Did I Get Infected in the First Place?"
http://www.castlecops.com/postlite7736-.html


As briancassin already posted, just click on the "Accept Multiple Solutions" button to split points.
Below is a link, if it helps:
https://www.experts-exchange.com/help.jsp#hi331

You split the points. Each comment box has a button that says Accept Multiple Solutions. Click that, and you will see a page that allows you to assign points to any of the comments in the thread. There is a grade box at the bottom of the page.

Note: The total of the point splits must equal the original amount you assigned to the question, and no comment can receive fewer than 20 points. The comment that was posted first is the Accepted Solution, and the rest of the comments are Assisted Solutions.
Member_2_49692

Thank You, glad I could help :)