Scott Lamond
asked on
Trojan.Vundo: I just ran SDfix.exe and ComboFix.exe, now uploading logs
This is a Dell Inspiron 1300 notebook running WindowsXP.
Awaiting further instructions....
log.txt
report2.txt
ASKER CERTIFIED SOLUTION
ASKER
Here's the log after the 2nd run of ComboFix.exe, executed by dropping the CFScript.txt file onto it.
ComboFix 08-04-10.9 - susan 2008-04-14 13:24:43.2 -
NTFSx86
Running from: C:\ComboFix\ComboFix.exe
Command switches used :: C:\ComboFix\CFScript.txt
 * Created a new restore point
WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acwjgkox.dll
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\dbnccomc.dll
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\sgnsfrgs.dll
C:\WINDOWS\system32\sgrfsngs.ini
C:\WINDOWS\system32\tbxvbdpd.dll
C:\WINDOWS\system32\vsbnmmyh.dll
C:\WINDOWS\system32\wnfltbvw.dll
C:\WINDOWS\system32\xokgjwca.ini
.
((((((((((((((((((((((((((   Files Created from 2008-03-14 to 2008-04-14   ))))))))))))))))))))))))))
.
2008-04-14 11:46 . 2008-04-14 11:46   3,648   --a------   C:\WINDOWS\system32\uhifgrwd.dll
2008-04-11 13:33 . 2008-04-11 13:33   3,648   --a------   C:\WINDOWS\system32\sbvmhmdv.dll
2008-04-11 13:32 . 2008-04-14 11:45   101,091   --a------   C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51   <DIR>   d--------   C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40   <DIR>   d--------   C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\Symantec
.
((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))
.
2008-04-11 17:54   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49   ---------   d-----w   C:\Program Files\WindSolutions
2008-04-11 15:49   ---------   d-----w   C:\Program Files\DellSupport
2008-04-06 00:49   ---------   d-----w   C:\Program Files\LimeWire
2008-04-05 19:59   ---------   d-----w   C:\Program Files\FinePixViewer
2007-02-19 02:08   88   --sh--r   C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53   1,890   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
.
----a-w   1,694,208   2008-01-01 19:00:58   C:\Program Files\Messenger\msmsgs.exe
((((((((((((((((((((((((((   snapshot@2008-04-11_13.32.25.40   ))))))))))))))))))))))))))
.
+ 2004-08-04 10:00:00   114,688   ----a-w   C:\WINDOWS\system32\dllcache\aclui.dll
+ 2004-08-04 10:00:00   98,304   ----a-w   C:\WINDOWS\system32\dllcache\ahui.exe
+ 2004-08-04 10:00:00   580,608   ----a-w   C:\WINDOWS\system32\dllcache\autofmt.exe
+ 2004-08-04 10:00:00   71,680   ----a-w   C:\WINDOWS\system32\dllcache\blastcln.exe
+ 2004-08-04 10:00:00   11,776   ----a-w   C:\WINDOWS\system32\dllcache\chkdsk.exe
+ 2004-08-04 10:00:00   10,752   ----a-w   C:\WINDOWS\system32\dllcache\clb.dll
+ 2004-08-04 10:00:00   102,912   ----a-w   C:\WINDOWS\system32\dllcache\clipbrd.exe
+ 2004-08-04 10:00:00   17,408   ----a-w   C:\WINDOWS\system32\dllcache\compact.exe
+ 2004-08-04 10:00:00   13,824   ----a-w   C:\WINDOWS\system32\dllcache\convert.exe
+ 2004-08-04 10:00:00   15,360   ----a-w   C:\WINDOWS\system32\dllcache\ctfmon.exe
+ 2004-08-04 10:00:00   82,432   ----a-w   C:\WINDOWS\system32\dllcache\dfrgfat.exe
+ 2004-08-04 10:00:00   85,504   ----a-w   C:\WINDOWS\system32\dllcache\diantz.exe
+ 2004-08-04 10:00:00   224,768   ----a-w   C:\WINDOWS\system32\dllcache\dmadmin.exe
+ 2004-08-04 10:00:00   83,456   ----a-w   C:\WINDOWS\system32\dllcache\dpvsetup.exe
+ 2004-08-04 10:00:00   45,568   ----a-w   C:\WINDOWS\system32\dllcache\drwtsn32.exe
+ 2004-08-04 10:00:00   1,298,432   ----a-w   C:\WINDOWS\system32\dllcache\dxdiag.exe
+ 2004-08-04 10:00:00   39,424   ----a-w   C:\WINDOWS\system32\dllcache\esentutl.exe
+ 2004-08-04 10:00:00   193,024   ----a-w   C:\WINDOWS\system32\dllcache\eudcedit.exe
+ 2004-08-04 10:00:00   45,568   ----a-w   C:\WINDOWS\system32\dllcache\extrac32.exe
+ 2004-08-04 10:00:00   9,216   ----a-w   C:\WINDOWS\system32\dllcache\finger.exe
+ 2004-08-04 10:00:00   55,296   ----a-w   C:\WINDOWS\system32\dllcache\freecell.exe
+ 2004-08-04 10:00:00   56,320   ----a-w   C:\WINDOWS\system32\dllcache\fsutil.exe
+ 2004-08-04 10:00:00   143,360   ----a-w   C:\WINDOWS\system32\dllcache\fxsclnt.exe
+ 2004-08-04 10:00:00   229,376   ----a-w   C:\WINDOWS\system32\dllcache\fxscover.exe
+ 2004-08-04 10:00:00   39,424   ----a-w   C:\WINDOWS\system32\dllcache\grpconv.exe
+ 2004-08-04 10:00:00   23,552   ----a-w   C:\WINDOWS\system32\dllcache\ipxroute.exe
+ 2004-08-04 10:00:00   75,264   ----a-w   C:\WINDOWS\system32\dllcache\locator.exe
+ 2004-08-04 10:00:00   220,672   ----a-w   C:\WINDOWS\system32\dllcache\logon.scr
+ 2004-08-04 10:00:00   514,560   ----a-w   C:\WINDOWS\system32\dllcache\logonui.exe
+ 2004-08-04 10:00:00   72,704   ----a-w   C:\WINDOWS\system32\dllcache\magnify.exe
+ 2004-08-04 10:00:00   815,104   ----a-w   C:\WINDOWS\system32\dllcache\mmc.exe
+ 2004-08-04 10:00:00   32,768   ----a-w   C:\WINDOWS\system32\dllcache\mnmsrvc.exe
+ 2004-08-04 10:00:00   20,992   ----a-w   C:\WINDOWS\system32\dllcache\msg.exe
+ 2004-08-04 10:00:00   29,184   ----a-w   C:\WINDOWS\system32\dllcache\mshta.exe
+ 2004-08-04 10:00:00   274,944   ----a-w   C:\WINDOWS\system32\dllcache\mstask.dll
+ 2004-08-04 10:00:00   12,288   ----a-w   C:\WINDOWS\system32\dllcache\mstinit.exe
+ 2004-08-04 10:00:00   407,552   ----a-w   C:\WINDOWS\system32\dllcache\mstsc.exe
+ 2004-08-04 10:00:00   111,104   ----a-w   C:\WINDOWS\system32\dllcache\netdde.exe
+ 2004-08-04 10:00:00   329,728   ----a-w   C:\WINDOWS\system32\dllcache\netsetup.exe
+ 2004-08-04 10:00:00   36,864   ----a-w   C:\WINDOWS\system32\dllcache\netstat.exe
+ 2004-08-04 10:00:00   31,744   ----a-w   C:\WINDOWS\system32\dllcache\ntsd.exe
+ 2004-08-04 10:00:00   419,840   ----a-w   C:\WINDOWS\system32\dllcache\ntvdm.exe
+ 2004-08-04 10:00:00   215,552   ----a-w   C:\WINDOWS\system32\dllcache\osk.exe
+ 2004-08-04 10:00:00   49,152   ----a-w   C:\WINDOWS\system32\dllcache\powercfg.exe
+ 2004-08-04 10:00:00   109,568   ----a-w   C:\WINDOWS\system32\dllcache\progman.exe
+ 2004-08-04 10:00:00   16,896   ----a-w   C:\WINDOWS\system32\dllcache\qappsrv.exe
+ 2004-08-04 10:00:00   56,832   ----a-w   C:\WINDOWS\system32\dllcache\rasphone.exe
+ 2004-08-04 10:00:00   7,168   ----a-w   C:\WINDOWS\system32\dllcache\recover.exe
+ 2004-08-04 10:00:00   11,776   ----a-w   C:\WINDOWS\system32\dllcache\regsvr32.exe
+ 2004-08-04 10:00:00   132,608   ----a-w   C:\WINDOWS\system32\dllcache\rsvp.exe
+ 2004-08-04 10:00:00   13,312   ----a-w   C:\WINDOWS\system32\dllcache\savedump.exe
+ 2004-08-04 10:00:00   77,312   ----a-w   C:\WINDOWS\system32\dllcache\sdbinst.exe
+ 2004-08-04 10:00:00   9,728   ----a-w   C:\WINDOWS\system32\dllcache\sfc.exe
+ 2004-08-04 10:00:00   114,688   ----a-w   C:\WINDOWS\system32\dllcache\wscript.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86B9E7E9-CE7F-4DA7-B570-ADD685938F7F}]
2008-04-14 13:44   273408   --a------   C:\WINDOWS\system32\ddaya.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
2007-12-30 13:37   40448   --a------   C:\WINDOWS\system32\tuvsqno.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]
"Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"BM3b1cc58d"="C:\WINDOWS\system32\oovcwwrs.dll" [2008-04-14 13:46 96320]
C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\tuvsqno.dll [2007-12-30 13:37 40448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
tuvsqno.dll 2007-12-30 13:37 40448 C:\WINDOWS\system32\tuvsqno.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ   msv1_0 C:\WINDOWS\system32\ddaya
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-08 14:10:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-11 23:02:11 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
****************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 13:40:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32\ayadd.ini 264564 bytes
C:\WINDOWS\system32\ayadd.ini2 345 bytes
scan completed successfully
hidden files: 2
****************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tuvsqno.dll
-> C:\WINDOWS\system32\NavLogon.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\oovcwwrs.dll
-> C:\WINDOWS\system32\ddaya.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\CBA\PD S.EXE
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\CBA\XFR.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\MSGSYS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\imapi.exe
.
****************************************************************************
.
Completion time: 2008-04-14 13:51:00 - machine was rebooted
ComboFix-quarantined-files.txt  2008-04-14 17:50:29
ComboFix2.txt  2008-04-11 17:34:40
Pre-Run: 6,909,997,056 bytes free
Post-Run: 6,969,774,080 bytes free
.
2008-04-08 20:46:42   --- E O F ---
ASKER
Also, let me know when to reactivate NAV, Windows Defender and System Restore.
Thanks.
S.
>>>Also, let me know when to reactivate NAV, Windows Defender <<<
You only turn them off while ComboFix is running.
You should turn System Restore back on. I never advise anyone to turn System Restore off while cleaning a system.
There's a Vundo file there that is sticking; we'll use another tool if CF can't remove it.
Open notepad and copy/paste the text inside the lines below into it.
------------------------------------------------------------------
File::
C:\WINDOWS\system32\uhifgrwd.dll
C:\WINDOWS\system32\sbvmhmdv.dll
C:\WINDOWS\BM3b1cc58d.xml
C:\WINDOWS\system32\ddaya.dll
C:\WINDOWS\system32\tuvsqno.dll
C:\WINDOWS\system32\oovcwwrs.dll
C:\WINDOWS\system32\ayadd.ini
C:\WINDOWS\system32\ayadd.ini2
Folder::
C:\WINDOWS\system32\ddaya
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86B9E7E9-CE7F-4DA7-B570-ADD685938F7F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sen"=-
"BM3b1cc58d"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
------------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe,
then drag CFScript.txt onto ComboFix.exe.
This will start ComboFix again. Follow the prompts. After the reboot (in case it asks to reboot), attach the contents of ComboFix.txt in your next reply.
SOLUTION
ASKER
I noticed that the 4-18-08 log states "WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !" but when I check My Computer/Properties/System Restore
there is no checkmark applied to the disable option.
Do the following
Run the Vundo removal tools I posted above; Vundo is still present.
Then open Notepad, copy the following code between the lines and paste it into Notepad,
as rpggamergirl said before:
"Save this as CFScript in the same location as ComboFix.exe
drag CFScript.txt into ComboFix.exe"
--------------------------------------------begin copy---------------------
File::
C:\WINDOWS\system32\sbvmhmdv.dll
C:\WINDOWS\system32\uhifgrwd.dll
C:\WINDOWS\system32\ulkboyjc.dll
C:\WINDOWS\BM3b1cc58d.xml
C:\WINDOWS\system32\MRT.INI
C:\WINDOWS\system32\F48EA6F3DE.sys
C:\WINDOWS\system32\KGyGaAvL.sys
--------------------------------------------end copy-----------------------
Also go to Control Panel > Add/Remove Programs and uninstall Viewpoint.
Go into the Registry Editor (Start > Run > regedit) and under this key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
remove this value:
"Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]
Also, this is still present:
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
Remove the entire tuvsqno key.
You also have a Spybot infection
http://www.sophos.com/security/analyses/viruses-and-spyware/w32spybotv.html
because of the presence of this file:
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
Use this program to remove it:
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Finally copy and paste the contents of the results file Report.txt back onto the forum
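Both CFScripts in this thread were composed by reading the ComboFix log by hand: pick out the non-default Browser Helper Object, ShellExecuteHooks, Winlogon\Notify and LSA "Authentication Packages" entries, note which of those DLLs are sitting inside winlogon.exe and explorer.exe, and turn the result into File:: and Registry:: lines. The Python below is an added example (not part of the thread and not ComboFix's own code) that performs the same triage over a constructed log and drafts the script. SAMPLE_LOG is a re-layout of entries quoted above with each entry on one line (the real log wraps entries and decorates section headers differently); the section markers, the "Authentication Packages" parsing and the three suspicion rules (any non-default entry under those four privileged hook points, a Run value that points at a DLL, a Windows binary name such as explorer.exe living outside C:\WINDOWS) are this example's own heuristics, not ComboFix logic or malware signatures. It deliberately never scripts a change to the LSA value, because "Authentication Packages"=- would break logon; that entry is reported for manual handling only.

```python
"""Triage a ComboFix log and draft a CFScript for the persistence points Vundo abuses.
Added example, not ComboFix's own code: SAMPLE_LOG is constructed from entries quoted in
the thread (re-laid-out one per line) and the suspicion rules are this example's own."""
import re
from collections import defaultdict, namedtuple

SAMPLE_LOG = r"""
Reg Loading Points
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86B9E7E9-CE7F-4DA7-B570-ADD685938F7F}]
2008-04-14 13:44   273408   --a------   C:\WINDOWS\system32\ddaya.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM3b1cc58d"="C:\WINDOWS\system32\oovcwwrs.dll" [2008-04-14 13:46 96320]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{CA4F0D8D-5F2B-4F16-838A-8D52249EAB21}"= C:\WINDOWS\system32\tuvsqno.dll [2007-12-30 13:37 40448]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
tuvsqno.dll 2007-12-30 13:37 40448 C:\WINDOWS\system32\tuvsqno.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages   REG_MULTI_SZ   msv1_0 C:\WINDOWS\system32\ddaya
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tuvsqno.dll
-> C:\WINDOWS\system32\NavLogon.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\oovcwwrs.dll
-> C:\WINDOWS\system32\ddaya.dll
"""

Entry = namedtuple('Entry', 'key point name path')  # name is None when the key itself is the hook
KEY_RE = re.compile(r'^\[-?([^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"=')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]+?\.(?:dll|exe|ini2?|sys|xml)\b')
SYSTEM_BINARIES = {'explorer.exe', 'svchost.exe', 'winlogon.exe', 'lsass.exe'}
PRIVILEGED = {'browser helper objects': 'bho', 'shellexecutehooks': 'seh',
              'winlogon\\notify': 'notify', 'control\\lsa': 'lsa'}  # ComboFix omits legit defaults here
SECTIONS = [('Reg Loading Points', 'reg'), ('DLLs Loaded Under Running Processes', 'dlls')]

def classify(key):
    k = key.lower()
    return next((p for m, p in PRIVILEGED.items() if m in k), 'run' if k.endswith('\\run') else 'other')

def parse_combofix_log(text):
    # Returns (autostart entries, {process: [loaded DLLs]}) from the two sections we care about.
    entries, injected, section, key, proc = [], defaultdict(list), None, None, None
    for line in (l.strip() for l in text.splitlines()):
        hit = [s for m, s in SECTIONS if m in line]
        if hit or not line:
            section = hit[0] if hit else section
        elif section == 'dlls' and line.startswith('PROCESS:'):
            proc = line.split(':', 1)[1].strip()
        elif section == 'dlls' and line.startswith('->'):
            injected[proc].append(line[2:].strip())
        elif section == 'reg' and KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
        elif section == 'reg' and key and classify(key) == 'lsa' and line.startswith('Authentication'):
            # package names carry no extension; anything after the default msv1_0 is foreign
            entries += [Entry(key, 'lsa', 'Authentication Packages', p)
                        for p in line.split('REG_MULTI_SZ', 1)[1].split() if p.lower() != 'msv1_0']
        elif section == 'reg' and key:
            v = VALUE_RE.match(line)
            entries += [Entry(key, classify(key), v.group(1) if v else None, p) for p in PATH_RE.findall(line)]
    return entries, injected

def triage(entries, injected):
    # Returns ([(entry, reason)], {file path: reason}); the rules are heuristics, not signatures.
    loaded = {p.lower(): proc for proc, dlls in injected.items() for p in dlls}
    flagged, files = [], {}
    for e in entries:
        base = e.path.rsplit('\\', 1)[-1].lower()
        if e.point in PRIVILEGED.values():
            reason = f'non-default {e.point} entry'
        elif e.point == 'run' and base in SYSTEM_BINARIES and not e.path.upper().startswith('C:\\WINDOWS\\'):
            reason = 'Windows binary name outside the Windows directory'
        elif e.point == 'run' and base.endswith('.dll'):
            reason = 'Run value points at a DLL rather than an executable'
        else:
            continue
        if e.path.lower() in loaded:
            reason += f'; loaded into {loaded[e.path.lower()]}'
        flagged.append((e, reason))
        if '.' in base:  # extensionless LSA package names do not belong under File::
            files[e.path] = reason
    return flagged, files

def build_cfscript(flagged, files):
    # Drafts a CFScript in the File::/Registry:: syntax used in the thread.
    keys, values = set(), defaultdict(list)
    for e, _ in flagged:
        if e.point in ('bho', 'notify'):  # the CLSID / Notify subkey belongs to the malware: drop the key
            keys.add(f'[-{e.key}]')
        elif e.point in ('run', 'seh') and e.name:  # shared key: drop only the hostile value
            values[e.key].append(f'"{e.name}"=-')
        # 'lsa' is deliberately not scripted: "Authentication Packages"=- would break logon
    out = ['File::', *sorted(files), 'Registry::', *sorted(keys)]
    for key, names in values.items():
        out += [f'[{key}]', *names]
    return '\n'.join(out) + '\n'

if __name__ == '__main__':
    print(build_cfscript(*triage(*parse_combofix_log(SAMPLE_LOG))))
```

Run as-is it prints a draft that mirrors what was posted above: File:: lines for ddaya.dll, tuvsqno.dll, oovcwwrs.dll and the fake explorer.exe, "[-...]" for the BHO CLSID and the Notify subkey, and "Sen"=-, "BM3b1cc58d"=- and the ShellExecuteHooks CLSID value under their shared keys; the legitimate MSMSGS entry and Symantec's NavLogon.dll are left alone. Treat the output as a draft to review against the full log, not something to drop onto ComboFix unread.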
run the vundo removal tools I posted above Vundo is still present...
then
Open notepad and copy the following code between the lines then paste into notepad
as rpggamergirl said before
"Save this as CFScript in the same location as ComboFix.exe
drag CFScript.txt into ComboFix.exe"
--------------------------
File::
C:\WINDOWS\system32\sbvmhm
C:\WINDOWS\system32\uhifgr
C:\WINDOWS\system32\ulkboy
C:\WINDOWS\BM3b1cc58d.xml
C:\WINDOWS\system32\MRT.IN
C:\WINDOWS\system32\F48EA6
C:\WINDOWS\system32\KGyGaA
--------------------------
also go to control panel add/remove programs and uninstall Viewpoint
Sorry, scratch the SDFix, you already ran that ... don't run it.
instead go into the registry editor to this key
[HKLM\current control set\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
also check control set 01
and delete this from the list
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
also go to C:\Program Files and see if there is a folder named Soulseek; if so, delete it (make sure you are showing hidden and system files).
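The two posts above pick three things out of the ComboFix "Reg Loading Points" listing by eye: a Run value that launches something called explorer.exe from an 8.3 path under Common Files, a Winlogon notify package with a random-looking name, and a Windows Firewall exception for a program the owner does not recognise. As an added example (not code from the thread, from ComboFix, or from any tool posted here), the Python script below parses a ComboFix-style REGEDIT4 block and applies those same three checks. The sample log text, the list of XP default notify packages, and the firewall allowlist are constructed assumptions for the example.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added illustration for this thread; not code from ComboFix or from anyone
posting here. The sample text is constructed to mirror the entries the
expert flagged: the "Sen" Run value, the tuvsqno winlogon notify key and
the slsk.exe Windows Firewall exception.
"""
import re

# Constructed sample, shaped like the log posted in the thread (not a verbatim copy).
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
tuvsqno.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="C:\path\file.exe" [ ]   or   "C:\\path\\file.exe"=
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?:"(?P<data>[^"]*)")?')

# Core Windows binary names that have no business starting from outside the Windows directory.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
# Windows XP default Winlogon notification packages (partial list, assumed for this example).
DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                  "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Firewall exceptions the machine's owner recognises (constructed allowlist for the example).
EXPECTED_FIREWALL_EXES = {"sessmgr.exe", "itunes.exe"}


def parse_reg_points(text):
    """Map each [key] header to the list of (name, data) lines under it."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append((m.group("name"), m.group("data") or ""))
        else:
            # Bare lines (e.g. "tuvsqno.dll" under a winlogon\notify key) carry no value name.
            sections[current].append((line, ""))
    return sections


def basename(path):
    """Last path component, tolerating the doubled backslashes ComboFix prints in some sections."""
    return path.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()


def triage(sections):
    """Return (category, item, detail) tuples for entries that deserve a closer look."""
    findings = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            # A core Windows binary name launched from outside %SystemRoot% is a classic masquerade.
            for name, data in values:
                if basename(data) in SYSTEM_BINARIES and "\\windows\\" not in data.lower():
                    findings.append(("run-value", name, data))
        elif "\\winlogon\\notify\\" in k:
            # Vundo-family droppers register a random-named notification DLL here.
            sub = k.rsplit("\\", 1)[-1]
            if sub not in DEFAULT_NOTIFY:
                findings.append(("winlogon-notify", sub, values[0][0] if values else ""))
        elif k.endswith("\\authorizedapplications\\list"):
            # Anything the owner does not recognise in the firewall exception list needs review.
            for name, _ in values:
                if basename(name) not in EXPECTED_FIREWALL_EXES:
                    findings.append(("firewall-exception", name, ""))
    return findings


if __name__ == "__main__":
    for category, item, detail in triage(parse_reg_points(SAMPLE_LOG)):
        print(f"{category:20} {item}  {detail}".rstrip())
```

Run on the constructed sample it reports exactly the three items the expert asked to be removed. The checks are deliberately allowlist-based: a name-only heuristic ("looks random") would miss entries like "Sen", while an allowlist forces the reviewer to account for every autostart and firewall entry the owner cannot explain.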
ASKER
After the ComboFix run (but before running the other VundoFix instructions and registry edits).....
ComboFix 08-04-10.9 - susan 2008-04-21 13:34:43.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.84 [GMT -4:00]
Running from: C:\ComboFix\ComboFix.exe
Command switches used :: C:\ComboFix\CFScript.txt
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .
((((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\Autorun.inf
.
(((((((((((((((((((((((((   Files Created from 2008-03-21 to 2008-04-21   ))))))))))))))))))))))))))))))
.
2008-04-18 15:39 . 2008-04-18 15:39     <DIR>     d--------     C:\Program Files\Windows Defender
2008-04-18 15:37 . 2008-04-18 15:37     <DIR>     d--------     C:\WINDOWS\LastGood
2008-04-15 03:06 . 2008-04-15 03:06     127     --a------     C:\WINDOWS\system32\MRT.INI
2008-04-11 13:32 . 2008-04-17 13:52     101,091     --a------     C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51     <DIR>     d--------     C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40     <DIR>     d--------     C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12     <DIR>     d--------     C:\Documents and Settings\Administrator\Application Data\Symantec
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
----a-w     1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs.exe
(((((((((((((((((((((((((((((   snapshot_2008-04-18_13.17.18.71   ))))))))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\LastGood\system32\LegitCheckControl.DLL
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]
"Sen"="C:\PROGRA~1\COMMON~1\STEM32~1\explorer.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvsqno]
tuvsqno.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe
*Newly Created Service* - NAVEX15
*Newly Created Service* - WINDEFEND
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 20:24:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-21 05:37:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 13:38:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-21 13:40:33
ComboFix-quarantined-files.txt  2008-04-21 17:40:05
ComboFix2.txt  2008-04-18 17:18:27
ComboFix3.txt  2008-04-14 17:51:05
ComboFix4.txt  2008-04-11 17:34:40
Pre-Run: 6,778,507,264 bytes free
Post-Run: 6,758,416,384 bytes free
.
2008-04-18 20:01:24     --- E O F ---
ASKER
The following key does not exist (I assume a typo)...........
You wrote:
instead go into the registry editor to this key
[HKLM\current control set\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
also check control set 01
and delete this from the list
"C:\\Program Files\\Soulseek-Test\\slsk.exe"=
I need a ComboFix after the regedits to see if those entries are still present. Also, before doing this, go to Start, Run, regedit, then go to Edit, Find and look for the following:
slsk.exe
it should be a line value that reads like this
"C:\\Program Files\\Soulseek-Test\\slsk.exe" delete this value
ASKER
I ran VundoFix.exe but it found nothing.
I was unsure if I should run the other Vundo fixer???
Here's the most recent ComboFix log after the registry edits.........
ComboFix 08-04-10.9 - susan 2008-04-21 14:50:28.5 - NTFSx86
Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] .
(((((((((((((((((((((((((   Files Created from 2008-03-21 to 2008-04-21   ))))))))))))))))))))))))))))))
.
2008-04-18 15:39 . 2008-04-18 15:39     <DIR>     d--------     C:\Program Files\Windows Defender
2008-04-18 15:37 . 2008-04-18 15:37     <DIR>     d--------     C:\WINDOWS\LastGood
2008-04-15 03:06 . 2008-04-15 03:06     127     --a------     C:\WINDOWS\system32\MRT.INI
2008-04-11 13:32 . 2008-04-17 13:52     101,091     --a------     C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51     <DIR>     d--------     C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40     <DIR>     d--------     C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12     <DIR>     d--------     C:\Documents and Settings\Administrator\Application Data\Symantec
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 17:55      ---------      d-----w      C:\Program Files\Java
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
----a-w     1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs.exe
(((((((((((((((((((((((((((((   snapshot_2008-04-18_13.17.18.71   ))))))))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\LastGood\system32\LegitCheckControl.DLL
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]
C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setupSNK.exe
*Newly Created Service* - NAVEX15
*Newly Created Service* - WINDEFEND
.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 20:24:10 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-21 05:37:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 14:54:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-21 14:55:51
ComboFix-quarantined-files.txt  2008-04-21 18:55:22
ComboFix2.txt  2008-04-21 17:40:34
ComboFix3.txt  2008-04-18 17:18:27
ComboFix4.txt  2008-04-14 17:51:05
ComboFix5.txt  2008-04-11 17:34:40
Pre-Run: 6,817,079,296 bytes free
Post-Run: 6,797,447,168 bytes free
.
2008-04-18 20:01:24     --- E O F ---
ASKER
While waiting for a response to my latest ComboFix log post, I decided to run VirtumundoBeGone.exe and it looks like nothing was found:
[04/23/2008, 14:47:52] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\susan\Desktop\VirtumundoBeGone.exe" )
[04/23/2008, 14:47:55] - Detected System Information:
[04/23/2008, 14:47:55] -   Windows Version: 5.1.2600, Service Pack 2
[04/23/2008, 14:47:55] -   Current Username: susan (Admin)
[04/23/2008, 14:47:55] -   Windows is in SAFE mode.
[04/23/2008, 14:47:55] - Searching for Browser Helper Objects:
[04/23/2008, 14:47:55] -   BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[04/23/2008, 14:47:55] -   BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[04/23/2008, 14:47:55] - Finished Searching Browser Helper Objects
[04/23/2008, 14:47:55] - Finishing up...
[04/23/2008, 14:47:55] - Nothing found! Exiting...
Look for this in the registry
StubInstaller.exe
Once found, remove it. That is the only thing I am seeing from your last log. Sorry I did not get back to you sooner; for some reason I did not get a notification on your post from 4-21.
download and run this program
http://www.ccleaner.com analyze the system, then run it to clean up all your temporary files and so forth. If it removes quite a bit of things I would then go to Start, Programs, Accessories, System Tools, and run Disk Defragmenter.
How is the machine running now ?
ASKER
Thanks for the post, I will act on it soon.
Before I do, I thought I'd mention that the machine is running much better.
However, Norton AV just popped up with a virus found "W32.Trats!inf" with QuarantineFailed/Access Denied.
I will follow your instructions and then I assume I should run ComboFix.exe to get a log (unless CCleaner generates one).
ASKER
CCleaner removed 75 Mb very quickly.
Disk Defrag Analysis indicated that defrag is not necessary.
However, I noticed that there's only 16% free space on drive C, not sure how much of an issue that is.
I will advise the user to delete unnecessary programs.
At least one remaining issue is that "W32.Trats!inf" virus.
ASKER
I am running ComboFix and will post a new log ASAP.
ASKER
The latest ComboFix log.........
ComboFix 08-04-22.5 - susan 2008-04-24  9:48:37.6 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.124 [GMT -4:00]
Running from: C:\Documents and Settings\susan\Desktop\ComboFix.exe
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Downloaded Program Files\setup.inf
.
(((((((((((((((((((((((((   Files Created from 2008-03-24 to 2008-04-24   )))))))))))))))))))))))))))))))
.
2008-04-24 09:17 . 2008-04-24 09:17      <DIR>      d--------      C:\Program Files\CCleaner
2008-04-18 15:39 . 2008-04-18 15:39      <DIR>      d--------      C:\Program Files\Windows Defender
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 13:32 . 2008-04-17 13:52      101,091      --a------      C:\WINDOWS\BM3b1cc58d.xml
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-11 12:40      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 14:45 . 2008-04-07 14:45      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-04-07 14:45 . 2008-04-24 09:48      1,024      --ah-----      C:\Documents and Settings\Administrator\ntuser.dat.LOG
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 17:55      ---------      d-----w      C:\Program Files\Java
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]<pre>
----a-w     1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs .exe
</pre>[/code]
(((((((((((((((((((((((((((((   snapshot_2008-04-18_13.17.18.71   )))))))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-23 19:26:28      2,048      --s-a-w      C:\WINDOWS\bootstat.dat
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system\MOUSE.DRV
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system\SOUND.DRV
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system\VGA.DRV
+ 2004-08-04 10:00:00      1,788      ----a-w      C:\WINDOWS\system32\Dcache.bin
+ 2004-12-06 06:05:00      2,239      ----a-w      C:\WINDOWS\system32\dla\tfsndres.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-08-04 10:00:00      2,944      ----a-w      C:\WINDOWS\system32\drivers\null.sys
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system32\keyboard.drv
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2004-08-04 10:00:00      2,560      ----a-w      C:\WINDOWS\system32\lz32.dll
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system32\mouse.drv
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system32\sound.drv
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system32\vga.drv
+ 2004-08-04 10:00:00      2,864      ----a-w      C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 10:00:00      2,112      ----a-w      C:\WINDOWS\system32\winspool.exe
+ 2004-08-04 10:00:00      2,736      ----a-w      C:\WINDOWS\system32\wowdeb.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]
C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
*Newly Created Service* - NAVAP
*Newly Created Service* - NAVEX15
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 20:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-24 05:55:28 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 09:52:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-24  9:54:55
ComboFix-quarantined-files.txt  2008-04-24 13:53:51
ComboFix2.txt  2008-04-21 18:55:52
ComboFix3.txt  2008-04-21 17:40:34
ComboFix4.txt  2008-04-18 17:18:27
ComboFix5.txt  2008-04-14 17:51:05
Pre-Run: 6,767,300,608 bytes free
Post-Run: 6,750,720,000 bytes free
148      --- E O F ---      2008-04-22 23:47:25
ASKER
Just posting a message to confirm that I have posted a new ComboFix log, in case my previous message got blocked by someone's spam filter.
Remove these files:
C:\WINDOWS\system32\F48EA6F3DE.sys
C:\WINDOWS\BM3b1cc58d.xml
Download and run this tool:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
Post the log file up here.
ASKER
The file C:\WINDOWS\system32\F48EA6F3DE.sys did not exist, but I did delete the other file.
It seems incomplete, but here is the RenV.exe log.............
[code]
Ran on Fri 04/25/2008 - 16:14:03.29
----a-w     1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs .exe
 Entries:         1  (1)
 Directories:       0  Files:       1
 Bytes:      1,694,208  Blocks:     3,309
[/code]
It didn't find anything then... Try doing the following:
Go to the command prompt and go to the following directory:
c:\windows\system32
Then type the following:
attrib -h
Then see what comes up saying "not resetting file".
Copy and paste those up to here. I want to see if you have files hiding on you.
ASKER
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>attrib -h
Not resetting system file - C:\WINDOWS\system32\camoiste.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.tmp
Not resetting system file - C:\WINDOWS\system32\F48EA6F3DE.sys
Not resetting system file - C:\WINDOWS\system32\KGyGaAvL.sys
Not resetting system file - C:\WINDOWS\system32\lwevdeix.ini
Not resetting system file - C:\WINDOWS\system32\wxjqjlco.ini
Not resetting system file - C:\WINDOWS\system32\ylflogff.ini
C:\WINDOWS\system32>
Bingo, those are the infectors!
Here is what I want you to do, since automatically removing through ComboFix thus far has not worked.
Download the Knoppix live CD here and burn it as a bootable CD:
http://www.knoppix.org/
Boot the PC with Knoppix in the drive, then go to the C:\ drive and delete the following files:
C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\F48EA6F3DE.sys
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini
Another option would be the Recovery Console: put your Windows CD in and boot up; at the first screen hit R and follow the on-screen prompts. When it asks for a password, if you never assigned one to the Administrator account, just press Enter. You will then be able to delete the files by going to the directory those files are in,
%systemroot%\system32, then type del filename.extension
Example: del ylflogff.ini, then press Enter.
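As an added example (not code from the thread, from ComboFix or from any of the participants), a small Python triage script that parses listing lines in the ComboFix Find3M format and the "Not resetting system file" lines from the attrib -h run above, then flags what the experts flagged by hand: hidden+system files in system32, and a .dll in system32 accompanied by an .ini/.ini2 whose name is the DLL's base name reversed, which is the Virtumonde naming trait. The sample listing and attrib output are constructed; the 5-8-lowercase-letter name shape is a heuristic taken from the names in this thread, not a rule.

```python
"""Triage helper for the ComboFix and `attrib -h` listings quoted in this thread (added
example, not code from the thread, from ComboFix or from any participant). It flags the
Virtumonde traits the experts spotted by eye: hidden+system files in system32, and a
random-named .dll whose .ini/.ini2 companion is the DLL's base name spelled backwards."""
from __future__ import annotations
import re
from typing import NamedTuple

# ComboFix Find3M/snapshot row: optional +/- marker, timestamp, size (<DIR> or dashes), flags, path.
LISTING_RE = re.compile(
    r"^[+-]?\s*(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>[\d,]+|-+|<DIR>)\s+(?P<attrs>[-darhsw]{7,9})\s+(?P<path>\S.*?)\s*$"
)
# attrib refuses to clear Hidden when System is also set; that message is the thread's hidden-file finder.
ATTRIB_RE = re.compile(r"^Not resetting system file - (?P<path>.+?)\s*$")
# Vundo base names seen in the thread are 5-8 lowercase letters (ylflogff, camoiste): a heuristic.
RANDOM_BASE_RE = re.compile(r"^[a-z]{5,8}$")


class Entry(NamedTuple):
    date: str
    size: str
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    def in_system32(self) -> bool:
        return "\\system32\\" in self.path.lower()

    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def split_ext(name: str) -> tuple[str, str]:
    base, dot, ext = name.rpartition(".")
    return (base, ext.lower()) if dot else (name, "")


def parse_listing(text: str) -> list[Entry]:
    rows = (LISTING_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m["date"], m["size"], m["attrs"], m["path"]) for m in rows if m]


def parse_attrib_output(text: str) -> list[str]:
    """Paths attrib could not reset, i.e. files carrying the System attribute."""
    rows = (ATTRIB_RE.match(line.strip()) for line in text.splitlines())
    return [m["path"] for m in rows if m]


def reversed_name_pairs(entries: list[Entry]) -> list[tuple[str, str]]:
    """High confidence: system32 .dll plus a .ini/.ini2 named with the DLL name reversed."""
    by_name = {e.name.lower(): e for e in entries if e.in_system32()}
    pairs = []
    for e in entries:
        base, ext = split_ext(e.name)
        if ext == "dll" and e.in_system32():
            for ini_ext in ("ini", "ini2"):
                mate = by_name.get(f"{base[::-1].lower()}.{ini_ext}")
                if mate:
                    pairs.append((e.name, mate.name))
    return pairs


def random_named_ini(entries: list[Entry], attrib_paths: list[str]) -> list[str]:
    """Medium confidence: system32 .ini/.ini2/.tmp with a random-looking base name that is hidden+system
    or that attrib could not reset. Name shape alone is too weak (dnsrslvr.dll fits it), so DLLs are not flagged here."""
    names = {e.name for e in entries if e.in_system32() and e.hidden_system()}
    names |= {p.rsplit("\\", 1)[-1] for p in attrib_paths if "\\system32\\" in p.lower()}
    flagged = []
    for name in names:
        base, ext = split_ext(name)
        if ext in {"ini", "ini2", "tmp"} and RANDOM_BASE_RE.match(base):
            flagged.append(name)
    return sorted(flagged)


def triage(listing_text: str, attrib_text: str) -> dict[str, list]:
    entries = parse_listing(listing_text)
    hidden = sorted(e.name for e in entries if e.in_system32() and e.hidden_system())
    return {"hidden_system": hidden,
            "reversed_pairs": reversed_name_pairs(entries),
            "random_ini": random_named_ini(entries, parse_attrib_output(attrib_text))}


# Constructed sample: one legitimate DLL, a constructed Vundo-style dll/ini/ini2 trio, and the two hidden+system .sys files from the thread's Find3M report.
LISTING = r"""
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-04-14 11:46      3,648      ----a-w      C:\WINDOWS\system32\abcdwxyz.dll
2008-04-14 11:46      1,221      --sh--w      C:\WINDOWS\system32\zyxwdcba.ini
2008-04-14 11:46      1,221      --sh--w      C:\WINDOWS\system32\zyxwdcba.ini2
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
"""
# Constructed to match the shape of the `attrib -h` output quoted above.
ATTRIB_OUT = r"""
Not resetting system file - C:\WINDOWS\system32\camoiste.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.ini
Not resetting system file - C:\WINDOWS\system32\dofxjomg.tmp
Not resetting system file - C:\WINDOWS\system32\KGyGaAvL.sys
"""

if __name__ == "__main__":
    for key, hits in triage(LISTING, ATTRIB_OUT).items():
        print(f"{key}: {hits}")
```

The reversed-name check is the strong signal; the random-name bucket still needs a human look, as legitimate licensing files also sit hidden+system in system32.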
I'm very sorry, I was away with no internet access.
Glad to see briancassin is here.
You could also try deleting those files using ComboFix's CFScript.
A lot of legit files are showing in the ComboFix log as empty files; that usually happens with file infectors, as antivirus scanners etc. end up deleting them. You might just have to reinstall any programs/.exes that no longer work.
wb rpggamergirl :)
We tried CFScript but this particular one does not want to delete. I figured maybe using a Knoppix disk or the like would give the ability to kill it:
C:\WINDOWS\system32\F48EA6F3DE.sys
ASKER
I downloaded the file KNOPPIX_V5.1.0CD-2006-12-30-EN, about 650 Mb, and burned it to a CD.
I changed the laptop setup to boot from CD first, but after a long delay it boots right into Windows XP.
Is there something special that has to be done during the burn process to make it a bootable CD?
Or, did I download the wrong file?
You have to burn it as a bootable image.
You probably burned the ISO file directly to the CD. I do not know what you are using to burn the CD, but you would need either Nero or Roxio.
Another way, and probably much easier, is downloading this program here:
http://www.imgburn.com/
Install it, then put a blank CD in your drive, close any prompts that come up, then just right-click on the Knoppix ISO and select burn using ImgBurn. Leave the CD in the drive and reboot; you should now be able to boot off the CD.
briancassin,
Thanks, :)
>>>We tried CFScript but this particular one does not want to delete. I figured maybe using a Knoppix disk or the like would give the ability to kill it.
C:\WINDOWS\system32\F48EA6F3DE.sys<<<
Maybe we can leave that file for now; let's first delete those hidden files (below) using CFScript. We haven't tried deleting those yet; that might be all that's needed, we'll see. The F48EA6F3DE.sys is dated over a year ago, so I'm not sure that's the culprit. I could be wrong of course.
Can we please try deleting these files below first using CFScript?
File::
C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini
ASKER
Since my motto is "Simplify", I will first try rpggamergirl's suggestion.
She gives me too much credit regarding my knowledge, but from my recent interaction with briancassin I'll assume I place the list of files in CFScript.txt and drop it onto ComboFix.exe.
Sorry... yes, same thing as you did before, create a CFScript.txt and after you've done that, just drag it over to Combofix.exe.
Open notepad and copy/paste the text inside the lines below into it.
----------------------------------------------------------------
File::
C:\WINDOWS\system32\camoiste.ini
C:\WINDOWS\system32\dofxjomg.ini
C:\WINDOWS\system32\dofxjomg.tmp
C:\WINDOWS\system32\lwevdeix.ini
C:\WINDOWS\system32\wxjqjlco.ini
C:\WINDOWS\system32\ylflogff.ini
----------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
and then drag CFScript.txt into ComboFix.exe
This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply.
ASKER
The latest ComboFix.txt log...........
ComboFix 08-04-22.5 - susan 2008-04-29  9:34:10.7 - NTFSx86 Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18. 170 [GMT -4:00] Running from: C:\Documents and Settings\susan\Desktop\Com boFix.exe
Command switches used :: C:\Documents and Settings\susan\Desktop\CFS cript.txt
 * Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
FILE ::
C:\WINDOWS\system32\camois te.ini
C:\WINDOWS\system32\dofxjo mg.ini
C:\WINDOWS\system32\dofxjo mg.tmp
C:\WINDOWS\system32\lwevde ix.ini
C:\WINDOWS\system32\wxjqjl co.ini
C:\WINDOWS\system32\ylflog ff.ini
.
(((((((((((((((((((((((((( (((((((((( (((  Other Deletions  )))))))))))))))))))))))))) )))))))))) )))))))))) )))
.
C:\WINDOWS\system32\camois te.ini
C:\WINDOWS\system32\dofxjo mg.ini
C:\WINDOWS\system32\dofxjo mg.tmp
C:\WINDOWS\system32\lwevde ix.ini
C:\WINDOWS\system32\wxjqjl co.ini
C:\WINDOWS\system32\ylflog ff.ini
.
((((((((((((((((((((((((( Â Files Created from 2008-03-28 to 2008-04-29 Â )))))))))))))))))))))))))) )))))
.
2008-04-24 09:17 . 2008-04-24 09:17 Â Â Â Â Â <DIR> Â Â Â Â Â d-------- Â Â Â Â Â C:\Program Files\CCleaner
2008-04-18 15:39 . 2008-04-18 15:39 Â Â Â Â Â <DIR> Â Â Â Â Â d-------- Â Â Â Â Â C:\Program Files\Windows Defender
2008-04-15 03:06 . 2008-04-15 03:06      127      --a------      C:\WINDOWS\system32\MRT.INI
2008-04-11 11:51 . 2008-04-11 11:51      <DIR>      d--------      C:\WINDOWS\ERUNT
2008-04-11 11:32 . 2008-04-25 13:02      <DIR>      d--------      C:\SDFix
2008-04-07 14:45 . 2006-06-01 15:12      <DIR>      d--------      C:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-07 14:45 . 2008-04-07 14:45      <DIR>      d--------      C:\Documents and Settings\Administrator
2008-04-07 14:45 . 2008-04-29 06:07      1,024      --ah-----      C:\Documents and Settings\Administrator\ntuser.dat.LOG
.
((((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 17:35      ---------      d-----w      C:\Program Files\Soulseek-Test
2008-04-21 17:55      ---------      d-----w      C:\Program Files\Java
2008-04-15 07:06      ---------      d-----w      C:\Program Files\DellSupport
2008-04-11 17:54      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-11 17:53      ---------      d-----w      C:\Documents and Settings\All Users\Application Data\Smilebox
2008-04-11 17:49      ---------      d-----w      C:\Program Files\WindSolutions
2008-04-06 00:49      ---------      d-----w      C:\Program Files\LimeWire
2008-04-05 19:59      ---------      d-----w      C:\Program Files\FinePixViewer
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47      1,845,248      ----a-w      C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51      282,624      ----a-w      C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32      45,568      ----a-w      C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32      148,992      ----a-w      C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 09:07      18,432      ------w      C:\WINDOWS\system32\dllcache\iedw.exe
2007-02-19 02:08      88      --sh--r      C:\WINDOWS\system32\F48EA6F3DE.sys
2007-12-28 02:53      1,890      --sha-w      C:\WINDOWS\system32\KGyGaAvL.sys
.
[code]
----a-w     1,694,208 2008-01-01 19:00:58  C:\Program Files\Messenger\msmsgs.exe
[/code]
((((((((((((((((((((((((((((((  snapshot_2008-04-18_13.17.18.71  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-28 19:02:43      2,048      --s-a-w      C:\WINDOWS\bootstat.dat
- 2008-04-11 15:51:48      806,912      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-25 15:54:25      3,743,744      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-04-11 15:51:48      8,192      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-25 15:54:25      151,552      ----a-w      C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system\MOUSE.DRV
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system\SOUND.DRV
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system\VGA.DRV
+ 2004-08-04 10:00:00      1,788      ----a-w      C:\WINDOWS\system32\Dcache.bin
+ 2004-12-06 06:05:00      2,239      ----a-w      C:\WINDOWS\system32\dla\tfsndres.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2004-08-04 04:07:58      2,944      ----a-w      C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-08-04 10:00:00      2,944      ----a-w      C:\WINDOWS\system32\drivers\null.sys
+ 2004-08-04 10:00:00      2,000      ----a-w      C:\WINDOWS\system32\keyboard.drv
- 2007-03-15 22:19:28      1,476,992      ----a-w      C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 22:06:36      1,480,232      ----a-w      C:\WINDOWS\system32\LegitCheckControl.DLL
+ 2004-08-04 10:00:00      2,560      ----a-w      C:\WINDOWS\system32\lz32.dll
+ 2004-08-04 10:00:00      2,032      ----a-w      C:\WINDOWS\system32\mouse.drv
+ 2004-08-04 10:00:00      1,744      ----a-w      C:\WINDOWS\system32\sound.drv
+ 2004-08-04 10:00:00      2,176      ----a-w      C:\WINDOWS\system32\vga.drv
+ 2004-08-04 10:00:00      2,864      ----a-w      C:\WINDOWS\system32\winsock.dll
+ 2004-08-04 10:00:00      2,112      ----a-w      C:\WINDOWS\system32\winspool.exe
+ 2004-08-04 10:00:00      2,736      ----a-w      C:\WINDOWS\system32\wowdeb.exe
.
(((((((((((((((((((((((((((((((((((((((  Reg Loading Points  ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-10 00:19 393216 C:\WINDOWS\stsystra.exe]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [ ]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [ ]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [ ]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [ ]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [ ]
"vptray"="C:\Program Files\NavNT\vptray.exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [ ]

C:\Documents and Settings\susan\Shared\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2006-08-22 11:45:55 159744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-01 15:02:35 24576]
Exif Launcher 2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-02-21 17:51:31 294912]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 16:04:48 176128]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 15:12:08 16423]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\AIM\\AIM95_c0\\aim.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 20:24:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-29 05:44:55 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 09:37:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll
.
Completion time: 2008-04-29  9:39:50
ComboFix-quarantined-files.txt  2008-04-29 13:38:46
ComboFix2.txt  2008-04-24 13:54:56
ComboFix3.txt  2008-04-21 18:55:52
ComboFix4.txt  2008-04-21 17:40:34
ComboFix5.txt  2008-04-18 17:18:27
Pre-Run: 6,666,014,720 bytes free
Post-Run: 6,647,566,336 bytes free
162      --- E O F ---      2008-04-24 14:09:32
ASKER
Should I wait for feedback on the latest ComboFix.txt log (posted above) or should I run that German boot CD?
I have Nero CD burning software, if you can give me instructions for creating a boot CD using that software.
Combofix had deleted those files.
How is the PC going? Are you still having the "W32.Trats!inf" virus issue?
About the Knoppix bootable ISO file.
According to the Knoppix FAQ (below), just burn the ISO as an image and all the files that make it bootable should be in their proper place.
http://www.knoppix.net/wiki/Downloading_FAQ#Q:_How_do_I_burn_an_ISO_to_a_CD_using_NERO.3F
>>>"Q: What option do I use to make the CD (or DVD) bootable?
A: None! Do not use any option in your burning software to make the CD bootable. Just burn the ISO as an image, this will put all of the proper files on the CD in the proper locations and the resulting CD will be a perfect copy of the original Knoppix CD and will be bootable. If you take any option that makes a bootable CD, you will end up with a CD that does not boot into Linux/Knoppix."<<<
This Nero tutorial for burning an ISO image might help.
http://wizardskeep.org/mainhall/tutor/neroiso.html
ASKER
The laptop is running fine and getting no virus messages.
I will do a full scan to be sure.
I will also follow the Nero instructions and retry booting to Knoppix.
ASKER
OK, I got Knoppix running on the laptop but my new problem is that it's not a Windows-based interface.
I can't even figure out how to get to the C drive to see if any of the files in the list need to be deleted.
ASKER
Disregard my last message.
I figured out how to get to the Windows/System32 folder.
The only target file that I found was C:\WINDOWS\system32\F48EA6F3DE.sys and I deleted it.
This laptop is being returned to a teenager, so I have exhausted my patience with this project and expect that it will boomerang back to me in 6-12 months anyway.
All I need now is some guidance (since EE Customer Service never answered me) on how to split the points on this project.
Thanks to both of you.
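For anyone repeating that offline deletion step, here is an added shell example (my own, not code from this thread, from ComboFix or from Knoppix) that does from a Knoppix shell what the asker did by hand in the file manager, with the two safeguards a practitioner wants. First, each path component is matched case-insensitively: NTFS ignores case but Linux does not, so the `C:\WINDOWS\system32` printed in the log may be `Windows/System32` on the mounted volume and an exact-case `rm` would silently miss the file. Second, a copy, checksum and attribute listing are written to a quarantine directory before anything is removed, so a mistaken deletion can be undone and the sample can be kept for analysis. It assumes the Windows partition is already mounted read-write at the root passed as the first argument (for example with `ntfs-3g /dev/sda1 /mnt/win`; that device name is an assumption) and uses the path quoted in the post above; the mount point, quarantine directory and function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: delete files named in a ComboFix log
# from a Knoppix boot, quarantining each one first.
# Assumptions: the Windows volume is mounted read-write at the root passed
# as $1 (e.g. ntfs-3g /dev/sda1 /mnt/win; the device name is assumed), and
# $3 is a writable quarantine directory.

# Resolve a Windows path such as C:\WINDOWS\system32\F48EA6F3DE.sys to the
# matching path under the mount root. Each component is matched with
# find -iname, because NTFS is case-insensitive and the on-disk names may
# differ in case from what the log prints. Prints the path, or returns 1.
win_to_posix() {
    root=$1
    rel=$(printf '%s' "$2" | sed -e 's/^[A-Za-z]://' -e 's#\\#/#g')
    cur=$root
    oldifs=$IFS
    IFS=/
    for comp in $rel; do
        [ -z "$comp" ] && continue
        match=$(find "$cur" -mindepth 1 -maxdepth 1 -iname "$comp" 2>/dev/null | head -n 1)
        if [ -z "$match" ]; then
            IFS=$oldifs
            return 1
        fi
        cur=$match
    done
    IFS=$oldifs
    printf '%s\n' "$cur"
}

# Record the file (attributes, checksum, a copy) in the quarantine directory,
# then remove it. Returns 0 when a file was deleted, 1 when it was not found.
purge_file() {
    root=$1
    winpath=$2
    qdir=$3
    target=$(win_to_posix "$root" "$winpath") || {
        echo "absent:  $winpath"
        return 1
    }
    mkdir -p "$qdir"
    ls -l "$target" >> "$qdir/listing.txt"
    cksum "$target" >> "$qdir/checksums.txt"
    cp -p "$target" "$qdir/$(basename "$target").bak"
    rm -f "$target"
    echo "deleted: $target (copy in $qdir)"
}

# Usage from a Knoppix shell after mounting, with the path from the post:
#   purge_file /mnt/win 'C:\WINDOWS\system32\F48EA6F3DE.sys' /mnt/win/Quarantine
```

After the deletion, boot back into Windows and run the full scan; the quarantine copy can be discarded once the machine has stayed clean for a while.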
To split the points, you should have a button that says "Accept Multiple Solutions". Click on that, then assign the points next to the comments from the experts that helped, and select one of them as the Accepted Solution; the rest will be Assisted Solutions.
If you want to prevent reinfection, I would load the following software:
http://www.siteadvisor.com
http://www.javacoolsoftware.com
http://www.mozilla.org - Firefox
Also ensure you have antivirus and antispyware on the system and that they are up to date.
Glad to know all's well.
You might also like to check out TonyKlein's article, "How Did I Get Infected in the First Place?"
http://www.castlecops.com/postlite7736-.html
As briancassin already posted, just click on the "Accept Multiple Solutions" button to split points.
Below is a link, if it helps:
https://www.experts-exchange.com/help.jsp#hi331
You split the points. Each comment box has a button that says Accept Multiple Solutions. Click that, and you will see a page that allows you to assign points to any of the comments in the thread. There is a grade box at the bottom of the page.
Note: The total of the point splits must equal the original amount you assigned to the question, and no comment can receive fewer than 20 points. The comment that was posted first is the Accepted Solution, and the rest of the comments are Assisted Solutions.
Thank You, glad I could help :)
ASKER