
Please Help...computer Infected With Vundo Among Other Things...


This topic is locked
24 replies to this topic

#1 rswalker84

rswalker84

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 20 January 2008 - 04:41 PM

Hey, what's up guys? I've been reading the forum the past couple of days, and it looks like you can help me out. I've tried every internet security/spyware removal tool known to man and I cannot get this computer clean. I even followed the steps you have on this site...I'm stuck. I do know that the C:\WINDOWS\system32\inevrwoa.exe file is a variation of the geede.dll/virtumonde/vundo virus. Now, after some hard research I found out that a program I'd installed, "PC Security Shield" from F-Secure, was actually a rogue program. My bad. I had no idea at the time because my computer wasn't really acting like it is now. I did uninstall the PC Security Shield but it's still in the Programs folder, so I actually went into Computer Management and stopped those services related to it. I don't think it's working. Anyways, you know waaaayyyyy more about it than I do, so I know you guys can come thru for me. lol. Here is the HijackThis log...thanks in advance!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:44 PM, on 1/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\inevrwoa.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4\HLP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: (no name) - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - (no file)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SNM] H:\Misc Files\spynomore\SNM.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Pop-Up-Blocker] "C:\Program Files\Tweak-XP Pro 4\popup.exe"
O4 - HKCU\..\Run: [BlockAds] "C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe"
O4 - HKCU\..\Run: [RemoveIT Pro v4Ent] C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: www.select2perform.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\inevrwoa.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\PCSecurityShield\Anti-Virus\fsgk32st.exe (file missing)
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\PCSecurityShield\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\PCSecurityShield\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - Unknown owner - C:\Program Files\PCSecurityShield\Common\FSMA32.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7192 bytes

Edited by rswalker84, 20 January 2008 - 04:54 PM.
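Reviewing a HijackThis log by hand, as the replies in this thread do, means scanning the process list, the O4 autostarts and the O23 services for entries that do not look like an installed product. The Python script below is an added example, not code from this thread or from HijackThis: it parses those three line types and applies three of the checks a reviewer makes on this particular log, namely a service with no vendor string (the `DomainService` entry), a service whose binary is missing (stale registrations from uninstalled products) and a file name with a space before its extension (the `iTunesHelper .exe` / `removeit .exe` pattern). The sample log is a constructed excerpt modelled on lines from the post above.

```python
import re

# Constructed sample: a handful of lines modelled on the HijackThis log posted above
# (running-process paths plus O4 autostart and O23 service entries). It is input for
# this example, not the full log.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\inevrwoa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunesHelper .exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RemoveIT Pro v4Ent] C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\inevrwoa.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

# O23 lines read "Service: <display name> - <vendor> - <path>"; the vendor may be empty,
# so the last separator is matched loosely and the path is anchored on a drive letter.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?)\s*-\s*(?P<path>(?:[A-Za-z]:\\|%).+)$"
)
# O4 lines read "HKxx\..\Run: [<value name>] <command>".
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
# Bare absolute paths are the "Running processes" section.
PROCESS_RE = re.compile(r"^[A-Za-z]:\\.+$")
# A space before the extension ("iTunesHelper .exe") is how this log's bogus copies differ
# from the legitimate files sitting next to them.
SPACED_EXT_RE = re.compile(r"\s\.(exe|dll|sys)\b", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (kind, name, owner, path) for process, O4 and O23 lines; other lines are ignored."""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O23_RE.match(line)
        if m:
            yield "O23", m["name"], m["owner"].strip(), m["path"].strip()
            continue
        m = O4_RE.match(line)
        if m:
            yield "O4", m["name"], "", m["path"].strip().strip('"')
            continue
        if PROCESS_RE.match(line):
            yield "process", line.rsplit("\\", 1)[-1], "", line


def triage(log_text):
    """Return the entries a reviewer should look at first, each with the reasons it was flagged."""
    findings = []
    for kind, name, owner, path in parse_entries(log_text):
        reasons = []
        if kind == "O23" and owner == "":
            reasons.append("no vendor string on a service")
        if "(file missing)" in path:
            reasons.append("service binary missing (stale registration from an uninstalled product)")
        if SPACED_EXT_RE.search(path):
            reasons.append("space before extension (lookalike of a legitimate file name)")
        if reasons:
            findings.append({"kind": kind, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the constructed excerpt it flags four of the eight entries: the two spaced-extension files, the vendor-less `DomainService`, and the Symantec service whose binary is gone; `Diskeeper`, `inevrwoa.exe` as a bare process line and the genuine `iTunesHelper.exe` pass. The vendor-less check deliberately ignores HijackThis's "Unknown owner" text, which also appears on legitimate drivers in this log (the ATI hotkey poller), so that the output stays short enough to read.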



#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:36 PM

Posted 22 January 2008 - 01:46 PM

Hello rswalker84,

Looks like you have a nasty Vundo infection. We will run ComboFix. :thumbsup:

You need to disable your F-Secure Antivirus before running ComboFix, as it will prevent it from running.

To disable F-Secure Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for the blue F-Secure icon.
  • Right-click it -> select Unload.
  • The F-Secure icon should now be surrounded by a red circle with a line struck through it.
You have successfully disabled the F-Secure Guard.


Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to install the Windows XP Recovery Console. <== Important


Post the ComboFix log.

Edited by SifuMike, 22 January 2008 - 01:48 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 rswalker84

rswalker84
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 24 January 2008 - 12:52 PM

Thanks for your help....

Well, I ran ComboFix but after it completed its duty and restarted my system, my computer would begin to boot as normal but checkdisk would load up every time. I allowed it to complete the checkdisk once, because I figured maybe ComboFix scheduled it (even though I didn't see that in the instructions for using ComboFix)..but I grew a little concerned when it happened a 2nd, 3rd and 4th time. Needless to say, something happened and the XP desktop finally loaded up and ComboFix finished generating its log...ever heard of that?

Here's the log:

ComboFix 08-01-23.2 - Styles 2008-01-23 18:04:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.173 [GMT -5:00]
Running from: C:\Documents and Settings\Styles\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Styles\Application Data\AntiSpywareBot


***C:\Documents and Settings\Styles\My Documents\posDF3.tmp

***C:\pos1181.tmp

C:\PROGRA~1\Sygate\SPF\smc.exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sygate\SPF\smc .exe
C:\Program Files\Sygate\SPF\smc.exe
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\agldidji.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cxbkdwhj.dll
C:\WINDOWS\system32\didrmlos.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dubdbydn.dll
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\ehmxxbxy.dll
C:\WINDOWS\system32\ekraibcg.dll
C:\WINDOWS\system32\fxkkbpqi.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.exe
C:\WINDOWS\system32\iasidnfu.dll
C:\WINDOWS\system32\inevrwoa.exe
C:\WINDOWS\system32\nlnylotx.dll
C:\WINDOWS\system32\nlnylotx.dllbox
C:\WINDOWS\system32\oonulwon.dll
C:\WINDOWS\system32\qhbbcgbj.dll
C:\WINDOWS\system32\solmrdid.ini
C:\WINDOWS\system32\tiqqqauv.ini
C:\WINDOWS\system32\uthfunsy.ini
C:\WINDOWS\system32\vuaqqqit.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wyveuqhi.dll
C:\WINDOWS\system32\ykqcuhbq.dll
C:\WINDOWS\system32\yncbnpvw.dll
C:\WINDOWS\system32\ysnufhtu.dll
C:\WINDOWS\system32\z1
C:\WINDOWS\system32\z9
C:\WINDOWS\Fonts\'

C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> QooBox
C:\Program Files\Sygate\SPF\smc .exe ---> QooBox
.
----- BITS: Possible infected sites -----

hxxp://onlinesafepro.com
hxxp://www.thenmnetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core
-------\DomainService
-------\nm


((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-24 11:23 . 2008-01-24 11:23 335,360 --a------ C:\WINDOWS\system32\geede.dll
2008-01-23 18:02 . 2005-02-09 01:03 211 --a------ C:\Boot.bak
2008-01-23 18:01 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-23 17:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 06:08 . 2008-01-23 10:45 654 --ahs---- C:\WINDOWS\system32\hjxhkxly.ini
2008-01-20 01:44 . 2008-01-20 01:44 <DIR> d-------- C:\Deckard
2008-01-20 00:36 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-20 00:36 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-20 00:36 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-20 00:35 . 2008-01-20 00:35 <DIR> d-------- C:\Program Files\Sygate
2008-01-19 00:53 . 2008-01-20 02:13 <DIR> d-------- C:\VundoFix Backups
2008-01-16 05:26 . 2008-01-17 15:56 1,067,333 --ahs---- C:\WINDOWS\system32\hogrbupb.ini
2008-01-15 21:29 . 2008-01-15 21:29 156 --a------ C:\WINDOWS\Twunk001.MTX
2008-01-15 21:29 . 2008-01-15 21:29 2 --a------ C:\WINDOWS\Twain001.Mtx
2008-01-15 21:29 . 2008-01-15 21:29 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-01-14 22:08 . 2008-01-14 22:08 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-14 21:59 . 2008-01-14 21:59 0 --a------ C:\WINDOWS\system32\giF0.tmp
2008-01-14 21:58 . 2008-01-14 21:58 0 --a------ C:\WINDOWS\system32\giD5.tmp
2008-01-14 21:55 . 2008-01-14 21:55 0 --a------ C:\WINDOWS\system32\giBB.tmp
2008-01-14 21:46 . 2008-01-17 19:37 <DIR> d-------- C:\Program Files\InCode Solutions
2008-01-14 19:23 . 2008-01-14 19:23 <DIR> d-------- C:\Program Files\Remove IT
2008-01-14 16:32 . 2008-01-14 22:23 1,057,113 --ahs---- C:\WINDOWS\system32\xswjmlya.ini
2008-01-13 23:57 . 2007-04-26 06:42 51,104 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-13 23:57 . 2007-04-26 06:42 29,984 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-13 22:33 . 2008-01-18 00:32 <DIR> d-------- C:\Program Files\Tweak-XP Pro 4
2008-01-13 22:33 . 2008-01-13 22:32 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-01-13 21:20 . 2008-01-13 21:20 7,168 --a------ C:\WINDOWS\system32\windows.0
2008-01-13 02:10 . 2008-01-20 00:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 09:10 . 2008-01-14 00:06 1,061,148 --ahs---- C:\WINDOWS\system32\xetflnmg.ini
2008-01-09 16:36 . 2008-01-09 16:36 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-06 07:03 . 2008-01-09 16:30 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-01-06 06:44 . 2008-01-14 18:43 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-06 06:44 . 2008-01-06 06:45 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-06 06:30 . 2008-01-16 21:50 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-04 12:26 . 2008-01-23 16:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-04 12:26 . 2008-01-04 12:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-04 10:55 . 2008-01-04 10:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 02:35 . 2008-01-14 23:03 <DIR> d-------- C:\Program Files\PCSecurityShield
2008-01-03 22:03 . 2008-01-03 22:04 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-01-03 21:42 . 2008-01-13 12:38 <DIR> d-------- C:\WINDOWS\cache
2008-01-03 15:38 . 2008-01-03 15:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-03 15:35 . 2008-01-03 15:35 <DIR> d-------- C:\WINDOWS\system32\mr9
2008-01-03 15:35 . 2008-01-06 23:04 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2008-01-03 15:35 . 2008-01-14 17:48 <DIR> d-------- C:\WINDOWS\system32\aj2
2008-01-03 15:35 . 2008-01-03 15:35 39,936 --------- C:\WINDOWS\mrofinu1188.0xe
2008-01-03 15:12 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-03 15:12 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-03 15:12 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-03 10:52 . 2008-01-04 02:28 <DIR> d-------- C:\Program Files\Norton 360
2008-01-01 14:12 . 2008-01-01 14:12 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-28 18:53 . 2008-01-06 19:05 <DIR> d-------- C:\Program Files\IrfanView
2007-12-27 11:25 . 2007-12-27 11:25 <DIR> d-------- C:\Program Files\Freeze.com
2007-12-24 22:43 . 2008-01-13 23:33 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-12-24 10:37 . 2006-12-20 14:31 49,904 -ra------ C:\WINDOWS\system32\drivers\BVRPMPR5.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 16:23 338,944 ----a-w C:\WINDOWS\system32\geede.exe
2008-01-24 01:09 --------- d-----w C:\Program Files\iTunes
2008-01-14 04:33 --------- d-----w C:\Program Files\Yahoo!
2008-01-06 12:02 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-06 12:02 --------- d-----w C:\Program Files\Freeze.com Toolbar
2008-01-06 11:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 10:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 20:22 --------- d-----w C:\Program Files\QuickTime
2008-01-05 20:22 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-04 07:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-04 07:27 --------- d-----w C:\Program Files\Symantec
2008-01-04 04:58 401,270 ----a-w C:\WINDOWS\Fonts\ascent2stardom.zip
2008-01-04 04:57 72,555 ----a-w C:\WINDOWS\Fonts\steadmanesque.zip
2008-01-04 04:57 38,717 ----a-w C:\WINDOWS\Fonts\beast.zip
2008-01-04 04:57 120,864 ----a-w C:\WINDOWS\Fonts\base02.zip
2008-01-04 04:56 428,433 ----a-w C:\WINDOWS\Fonts\barbershop.zip
2008-01-04 04:56 142,221 ----a-w C:\WINDOWS\Fonts\anthology.zip
2008-01-04 04:55 39,689 ----a-w C:\WINDOWS\Fonts\americandream.zip
2008-01-04 04:53 9,231 ----a-w C:\WINDOWS\Fonts\habbo.zip
2008-01-04 04:53 71,694 ----a-w C:\WINDOWS\Fonts\funkmaster.zip
2008-01-04 03:07 --------- d-----w C:\Program Files\Apoint2K
2008-01-04 03:06 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-03 19:06 --------- d-----w C:\Program Files\Common Files\Authentium Shared
2008-01-01 19:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-23 05:55 --------- d-----w C:\Program Files\Java
2007-12-23 05:53 --------- d-----w C:\Program Files\Common Files\Java
2007-12-23 05:46 --------- d-----w C:\Program Files\iPod
2007-12-23 05:41 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-23 05:41 --------- d-----w C:\Program Files\Apple Software Update
2007-12-22 04:38 --------- d-----w C:\Program Files\Clearwire
2007-12-20 15:41 29,440 ----a-w C:\WINDOWS\system32\uxtuneup.dll
2007-12-18 15:36 --------- d-----w C:\Program Files\Google
2007-12-06 23:18 --------- d-----w C:\Program Files\The Weather Channel FW
2007-11-27 01:36 --------- d-----w C:\Program Files\MSXML 6.0
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2004-09-28 03:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.
----a-w    991,232 2008-01-24 16:23:29  C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe
----a-w    176,177 2008-01-14 05:05:48  C:\Program Files\PCSecurityShield\Common\FSM32 .EXE
----a-w    733,184 2008-01-14 05:05:52  C:\Program Files\PCSecurityShield\FSGUI\TNBUtil .exe
----a-w    196,864 2008-01-06 21:31:12  C:\Program Files\TuneUp Utilities 2008\MemOptimizer .exe
----a-w     15,360 2008-01-17 02:50:36  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{008DF564-92C4-46AD-9C63-2E31FE4BD27E}]
2008-01-24 11:23 335360 --a------ C:\WINDOWS\system32\geede.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pop-Up-Blocker"="C:\Program Files\Tweak-XP Pro 4\popup.exe" [ ]
"BlockAds"="C:\Program Files\Tweak-XP Pro 4\AdBlocker.exe" [ ]
"RemoveIT Pro v4Ent"="C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe" [2008-01-24 11:23 991232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2004-04-02 03:16 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"SNM"="H:\Misc Files\spynomore\SNM.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [ ]
"a8cdf54d"="C:\WINDOWS\system32\ylxkhxjh.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkkk]
opnnkkk.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geede.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geede

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-04-26 06:42]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\PCSecurityShield\Anti-Virus\minifilter\fsgk.sys [2007-04-26 06:42]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-06 06:45]
S3 US122;US122 Driver;C:\WINDOWS\system32\Drivers\US122.sys [2004-07-30 11:49]
S3 US122DL;US122 Firmware Downloader;C:\WINDOWS\system32\Drivers\US122DL.sys [2004-07-30 12:02]
S3 Us122WdmService;US122 Wdm Audio;C:\WINDOWS\system32\Drivers\US122Wdm.sys [2004-07-30 11:49]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\PCSecurityShield\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 06:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\PCSecurityShield\Anti-Virus\Win2K\FSrec.sys [2007-04-26 06:42]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 22:17:30 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-01-11 17:05:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 00:05:37 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\PCSECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\PCSECU~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 11:23:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\geede.dll
.



***There were over 10,000 of these temp files listed on the original log. For space purposes I just included 2 from the 2 different locations they were found.
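The "Reg Loading Points" section of the ComboFix log above is where this infection's persistence is visible: a Winlogon Notify DLL (`opnnkkk.dll`), a per-user `load` value pointing at `geede.exe`, an extra entry in the LSA Authentication Packages list, and a Run value whose bracketed file details are empty. The Python below is an added example, not code from this thread or from ComboFix: it parses that REGEDIT4-style section and makes a triage pass over a constructed excerpt modelled on the posted lines. The list of sensitive keys is curated for the example, and reading empty brackets as "ComboFix recorded no size/date for the file" is an assumption about the log format rather than something the thread states.

```python
import re

# Constructed sample modelled on the "Reg Loading Points" section of the ComboFix log
# posted above. Input for this example only; it is not the complete section.
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2004-04-02 03:16 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"a8cdf54d"="C:\WINDOWS\system32\ylxkhxjh.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkkk]
opnnkkk.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\geede.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\geede
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "name"=data, optionally followed by ComboFix's bracketed size/date/path for the file.
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*?)(?:\s+\[(?P<stamp>[^\]]*)\])?$')

# Load points a healthy XP install normally leaves at their defaults, so any entry under
# them deserves a look. Curated for this example (assumption), not an exhaustive list.
SENSITIVE_KEY_FRAGMENTS = (
    r"\winlogon\notify",                    # notification DLLs loaded into winlogon.exe
    r"\windows nt\currentversion\windows",  # the per-user "load" value, an old autostart
    r"\control\lsa",                        # packages loaded into lsass.exe
)
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def parse_loading_points(text):
    """Return [(key, value_name, data, stamp)] for a REGEDIT4-style ComboFix section.

    value_name is None for bare data lines (a Winlogon notify DLL, the LSA package list);
    stamp is the bracketed text, "" when the brackets were empty, None when absent.
    """
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        if key is None:
            continue  # data before any [key] header; nothing to attach it to
        m = VALUE_RE.match(line)
        if m:
            stamp = m["stamp"].strip() if m["stamp"] is not None else None
            entries.append((key, m["name"], m["data"].strip().strip('"'), stamp))
        else:
            entries.append((key, None, line, None))
    return entries


def triage_loading_points(text):
    """Flag entries under sensitive keys, entries with empty file details, and LSA packages beyond msv1_0."""
    findings = []
    for key, name, data, stamp in parse_loading_points(text):
        reasons = []
        lowered = key.lower()
        if any(frag in lowered for frag in SENSITIVE_KEY_FRAGMENTS):
            reasons.append("entry in a sensitive load point: " + key)
        if stamp == "":
            reasons.append("no size/date recorded for the file (empty brackets)")
        if lowered.endswith(r"\control\lsa") and data.lower().startswith("authentication packages"):
            packages = data.split()[3:]  # tokens after: Authentication Packages REG_MULTI_SZ
            extra = [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]
            if extra:
                reasons.append("LSA Authentication Packages beyond msv1_0: " + ", ".join(extra))
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_loading_points(SAMPLE_REG):
        print(f"{f['name'] or '(bare)'} = {f['data']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the excerpt this leaves the ATI hotkey entry alone and reports the other four: the Run value with empty brackets, the Winlogon notify DLL, the `load` value, and the LSA list with `C:\WINDOWS\system32\geede` appended after `msv1_0`. The LSA check is the one worth keeping even on a clean machine, since an extra authentication package is loaded by lsass.exe at every boot and is easy to miss in a long log.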

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:36 PM

Posted 24 January 2008 - 02:06 PM

Well, I ran ComboFix but after it completed its duty and restarted my system, my computer would begin to boot as normal but checkdisk would load up every time. I allowed it to complete the checkdisk once, because I figured maybe ComboFix scheduled it (even though I didn't see that in the instructions for using ComboFix)..but I grew a little concerned when it happened a 2nd, 3rd and 4th time. Needless to say, something happened and the XP desktop finally loaded up and ComboFix finished generating its log...ever heard of that?


Nope, never heard of ComboFix doing that. But since this is a very heavily infected computer, you can expect strange things to go on.

Are you a computer repair shop?



The Combofix log is missing the bottom portion. It should look something like this:

Completion time: 2007-12-30 1:19:38- machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-29 17:19:18
C:\qoobox\ComboFix2.txt 2007-12-29 17:07:26

--- E O F --- 2007-11-13 22:49:56



To save space, just post the bottom portion down to the EOF line.

Edited by SifuMike, 24 January 2008 - 02:25 PM.


#5 rswalker84

rswalker84
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 24 January 2008 - 03:12 PM

Nah, not a computer shop...just a guy that knows a little bit about computers. This is my personal computer...I've tried everything I know possible to do..that's why I'm seeking help here. I figured it's pretty bad...anyways..I double checked the log. I don't see anything like what you posted. The last thing on the log is>>>

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\geede.dll
.


should I run it again?

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:36 PM

Posted 24 January 2008 - 03:14 PM

No need to. :thumbsup: We will be running it again shortly and hopefully it will show the entire log and I will be able to see the missing bottom portion.

Edited by SifuMike, 24 January 2008 - 03:15 PM.


#7 rswalker84

rswalker84
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 24 January 2008 - 03:21 PM

Okay...well, I'm ready whenever you are, my friend :thumbsup:

Edited by rswalker84, 24 January 2008 - 03:23 PM.


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:36 PM

Posted 24 January 2008 - 03:32 PM

Hi,

Well, after reviewing the amount of malware found, I am going to change my mind. :thumbsup:
That bottom part tells me if the deleted files are backed up, and I need to know that.

Run ComboFix again (after you disable the F-Secure antivirus program and any registry protectors, like TeaTimer) and post the log.
You may have to attach the log if it is too big.

Edited by SifuMike, 24 January 2008 - 03:34 PM.


#9 rswalker84

rswalker84
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 24 January 2008 - 03:34 PM

:thumbsup: ...I will run again and post the log. Hopefully it doesn't take all day again. lol

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:36 PM

Posted 24 January 2008 - 04:49 PM

Hopefully, this time it should go faster. :thumbsup:

#11 rswalker84

rswalker84
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 PM

Posted 25 January 2008 - 09:24 AM

Sorry I didn't get to reply yesterday...I got a little caught up. Anyways..I ran it again...no EOF line or anything similar to what you posted. Here's the bottom portion of the new log:

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 16:09:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

I followed all of the instructions as written..I don't know what's going on. One thing I do know is that once ComboFix finishes it says "this window will close and the log will pop up after a few seconds"....and the ComboFix window closes, but no log pops up. In addition, the log isn't in C:\ComboFix.txt like the program says it will be, it's in C:\ComboFix\ComboFix.txt..... :thumbsup:

#12 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 25 January 2008 - 01:12 PM

> Here's the bottom portion of the new log:

Please post the entire log.

#13 rswalker84
  • Topic Starter
  • Members
  • 12 posts

Posted 25 January 2008 - 05:10 PM

ComboFix 08-01-23.2 - Styles 2008-01-24 16:08:58.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.229 [GMT -5:00]
Running from: C:\Documents and Settings\Styles\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Styles\Application Data\AntiSpywareBot
C:\Documents and Settings\Styles\My Documents\pos1000.tmp
C:\Documents and Settings\Styles\My Documents\pos1001.tmp
C:\Documents and Settings\Styles\My Documents\pos1002.tmp
C:\Documents and Settings\Styles\My Documents\pos1003.tmp
C:\Documents and Settings\Styles\My Documents\pos1004.tmp
C:\Documents and Settings\Styles\My Documents\pos1005.tmp
C:\Documents and Settings\Styles\My Documents\pos1006.tmp
C:\Documents and Settings\Styles\My Documents\pos1007.tmp
C:\Documents and Settings\Styles\My Documents\pos1008.tmp
C:\Documents and Settings\Styles\My Documents\pos1009.tmp
C:\Documents and Settings\Styles\My Documents\pos100A.tmp
C:\Documents and Settings\Styles\My Documents\pos100B.tmp
C:\Documents and Settings\Styles\My Documents\pos100C.tmp

***.TMP FILE LIST ABBREVIATED FOR SPACE***

C:\posFF.tmp
C:\posFF0.tmp
C:\posFF1.tmp
C:\posFF2.tmp
C:\posFF3.tmp
C:\posFF4.tmp
C:\posFF5.tmp
C:\posFF6.tmp
C:\posFF7.tmp
C:\posFF8.tmp
C:\posFF9.tmp
C:\posFFA.tmp
C:\posFFB.tmp
C:\posFFC.tmp
C:\posFFD.tmp
C:\posFFE.tmp
C:\posFFF.tmp
C:\PROGRA~1\Sygate\SPF\smc.exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sygate\SPF\smc .exe
C:\Program Files\Sygate\SPF\smc.exe
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\agldidji.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cxbkdwhj.dll
C:\WINDOWS\system32\didrmlos.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dubdbydn.dll
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\ehmxxbxy.dll
C:\WINDOWS\system32\ekraibcg.dll
C:\WINDOWS\system32\fxkkbpqi.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.exe
C:\WINDOWS\system32\hogrbupb.ini
C:\WINDOWS\system32\iasidnfu.dll
C:\WINDOWS\system32\inevrwoa.exe
C:\WINDOWS\system32\nlnylotx.dll
C:\WINDOWS\system32\nlnylotx.dllbox
C:\WINDOWS\system32\oonulwon.dll
C:\WINDOWS\system32\qhbbcgbj.dll
C:\WINDOWS\system32\solmrdid.ini
C:\WINDOWS\system32\tiqqqauv.ini
C:\WINDOWS\system32\uthfunsy.ini
C:\WINDOWS\system32\vuaqqqit.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wyveuqhi.dll
C:\WINDOWS\system32\xetflnmg.ini
C:\WINDOWS\system32\xswjmlya.ini
C:\WINDOWS\system32\ykqcuhbq.dll
C:\WINDOWS\system32\yncbnpvw.dll
C:\WINDOWS\system32\ysnufhtu.dll
C:\WINDOWS\system32\z1
C:\WINDOWS\system32\z9
C:\WINDOWS\Fonts\'

<pre>
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> QooBox
C:\Program Files\Sygate\SPF\smc .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core
-------\DomainService
-------\nm


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE






((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-23 18:02 . 2005-02-09 01:03 211 --a------ C:\Boot.bak
2008-01-23 18:01 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-23 17:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 06:08 . 2008-01-23 10:45 654 --ahs---- C:\WINDOWS\system32\hjxhkxly.ini
2008-01-20 01:44 . 2008-01-20 01:44 <DIR> d-------- C:\Deckard
2008-01-20 00:36 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-20 00:36 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-20 00:36 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-20 00:35 . 2008-01-20 00:35 <DIR> d-------- C:\Program Files\Sygate
2008-01-19 00:53 . 2008-01-20 02:13 <DIR> d-------- C:\VundoFix Backups
2008-01-15 21:29 . 2008-01-15 21:29 156 --a------ C:\WINDOWS\Twunk001.MTX
2008-01-15 21:29 . 2008-01-15 21:29 2 --a------ C:\WINDOWS\Twain001.Mtx
2008-01-15 21:29 . 2008-01-15 21:29 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-01-14 22:08 . 2008-01-14 22:08 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-14 21:59 . 2008-01-14 21:59 0 --a------ C:\WINDOWS\system32\giF0.tmp
2008-01-14 21:58 . 2008-01-14 21:58 0 --a------ C:\WINDOWS\system32\giD5.tmp
2008-01-14 21:55 . 2008-01-14 21:55 0 --a------ C:\WINDOWS\system32\giBB.tmp
2008-01-14 21:46 . 2008-01-17 19:37 <DIR> d-------- C:\Program Files\InCode Solutions
2008-01-14 19:23 . 2008-01-14 19:23 <DIR> d-------- C:\Program Files\Remove IT
2008-01-13 23:57 . 2007-04-26 06:42 51,104 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-13 23:57 . 2007-04-26 06:42 29,984 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-13 22:33 . 2008-01-24 11:35 <DIR> d-------- C:\Program Files\Tweak-XP Pro 4
2008-01-13 22:33 . 2008-01-13 22:32 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-01-13 21:20 . 2008-01-13 21:20 7,168 --a------ C:\WINDOWS\system32\windows.0
2008-01-13 02:10 . 2008-01-20 00:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 16:36 . 2008-01-09 16:36 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-06 07:03 . 2008-01-09 16:30 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-01-06 06:44 . 2008-01-14 18:43 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-06 06:44 . 2008-01-06 06:45 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-06 06:30 . 2008-01-16 21:50 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-04 12:26 . 2008-01-23 16:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-04 12:26 . 2008-01-04 12:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-04 10:55 . 2008-01-04 10:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 02:35 . 2008-01-14 23:03 <DIR> d-------- C:\Program Files\PCSecurityShield
2008-01-03 22:03 . 2008-01-03 22:04 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-01-03 21:42 . 2008-01-13 12:38 <DIR> d-------- C:\WINDOWS\cache
2008-01-03 15:38 . 2008-01-03 15:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-03 15:35 . 2008-01-03 15:35 <DIR> d-------- C:\WINDOWS\system32\mr9
2008-01-03 15:35 . 2008-01-06 23:04 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2008-01-03 15:35 . 2008-01-14 17:48 <DIR> d-------- C:\WINDOWS\system32\aj2
2008-01-03 15:35 . 2008-01-03 15:35 39,936 --------- C:\WINDOWS\mrofinu1188.0xe
2008-01-03 15:12 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-03 15:12 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-03 15:12 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-03 10:52 . 2008-01-04 02:28 <DIR> d-------- C:\Program Files\Norton 360
2008-01-01 14:12 . 2008-01-01 14:12 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-28 18:53 . 2008-01-06 19:05 <DIR> d-------- C:\Program Files\IrfanView
2007-12-27 11:25 . 2007-12-27 11:25 <DIR> d-------- C:\Program Files\Freeze.com
2007-12-24 22:43 . 2008-01-13 23:33 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-12-24 10:37 . 2006-12-20 14:31 49,904 -ra------ C:\WINDOWS\system32\drivers\BVRPMPR5.SYS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 01:09 --------- d-----w C:\Program Files\iTunes
2008-01-14 04:33 --------- d-----w C:\Program Files\Yahoo!
2008-01-06 12:02 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-06 12:02 --------- d-----w C:\Program Files\Freeze.com Toolbar
2008-01-06 11:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 10:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 20:22 --------- d-----w C:\Program Files\QuickTime
2008-01-05 20:22 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-04 07:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-04 07:27 --------- d-----w C:\Program Files\Symantec
2008-01-04 04:58 401,270 ----a-w C:\WINDOWS\Fonts\ascent2stardom.zip
2008-01-04 04:57 72,555 ----a-w C:\WINDOWS\Fonts\steadmanesque.zip
2008-01-04 04:57 38,717 ----a-w C:\WINDOWS\Fonts\beast.zip
2008-01-04 04:57 120,864 ----a-w C:\WINDOWS\Fonts\base02.zip
2008-01-04 04:56 428,433 ----a-w C:\WINDOWS\Fonts\barbershop.zip
2008-01-04 04:56 142,221 ----a-w C:\WINDOWS\Fonts\anthology.zip
2008-01-04 04:55 39,689 ----a-w C:\WINDOWS\Fonts\americandream.zip
2008-01-04 04:53 9,231 ----a-w C:\WINDOWS\Fonts\habbo.zip
2008-01-04 04:53 71,694 ----a-w C:\WINDOWS\Fonts\funkmaster.zip
2008-01-04 03:07 --------- d-----w C:\Program Files\Apoint2K
2008-01-04 03:06 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-03 19:06 --------- d-----w C:\Program Files\Common Files\Authentium Shared
2008-01-01 19:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-23 05:55 --------- d-----w C:\Program Files\Java
2007-12-23 05:53 --------- d-----w C:\Program Files\Common Files\Java
2007-12-23 05:46 --------- d-----w C:\Program Files\iPod
2007-12-23 05:41 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-23 05:41 --------- d-----w C:\Program Files\Apple Software Update
2007-12-22 04:38 --------- d-----w C:\Program Files\Clearwire
2007-12-20 15:41 29,440 ----a-w C:\WINDOWS\system32\uxtuneup.dll
2007-12-18 15:36 --------- d-----w C:\Program Files\Google
2007-12-06 23:18 --------- d-----w C:\Program Files\The Weather Channel FW
2007-11-27 01:36 --------- d-----w C:\Program Files\MSXML 6.0
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 15:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2004-09-28 03:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
.
<pre>
----a-w		   639,488 2008-01-24 19:02:29  C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe
----a-w		   176,177 2008-01-14 05:05:48  C:\Program Files\PCSecurityShield\Common\FSM32 .EXE
----a-w		   733,184 2008-01-14 05:05:52  C:\Program Files\PCSecurityShield\FSGUI\TNBUtil .exe
----a-w		   196,864 2008-01-06 21:31:12  C:\Program Files\TuneUp Utilities 2008\MemOptimizer .exe
----a-w			15,360 2008-01-17 02:50:36  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkkk]
opnnkkk.dll

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-04-26 06:42]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\PCSecurityShield\Anti-Virus\minifilter\fsgk.sys [2007-04-26 06:42]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-06 06:45]
S3 US122;US122 Driver;C:\WINDOWS\system32\Drivers\US122.sys [2004-07-30 11:49]
S3 US122DL;US122 Firmware Downloader;C:\WINDOWS\system32\Drivers\US122DL.sys [2004-07-30 12:02]
S3 Us122WdmService;US122 Wdm Audio;C:\WINDOWS\system32\Drivers\US122Wdm.sys [2004-07-30 11:49]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\PCSecurityShield\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 06:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\PCSecurityShield\Anti-Virus\Win2K\FSrec.sys [2007-04-26 06:42]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-18 22:17:30 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-01-11 17:05:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 00:05:37 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\PCSECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\PCSECU~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 16:09:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

#14 SifuMike

    malware expert

  • Members
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 25 January 2008 - 05:19 PM

Hi rswalker84,

ComboFix had a bug and it has just been updated, so delete the version you have on your desktop, and download and run a new version, then post the log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

We should get the complete report this time.

#15 rswalker84
  • Topic Starter
  • Members
  • 12 posts

Posted 25 January 2008 - 11:34 PM

Alrighty...I got what you were looking for:

ComboFix 08-01-23.1C - Styles 2008-01-25 23:17:31.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254 [GMT -5:00]
Running from: C:\Documents and Settings\Styles\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.exe
H:\Autorun.inf
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Styles\Application Data\AntiSpywareBot
C:\Documents and Settings\Styles\My Documents\pos1000.tmp
C:\Documents and Settings\Styles\My Documents\pos1001.tmp
C:\Documents and Settings\Styles\My Documents\pos1002.tmp
C:\Documents and Settings\Styles\My Documents\pos1003.tmp
C:\Documents and Settings\Styles\My Documents\pos1004.tmp
C:\Documents and Settings\Styles\My Documents\pos1005.tmp
C:\Documents and Settings\Styles\My Documents\pos1006.tmp
C:\Documents and Settings\Styles\My Documents\pos1007.tmp
C:\Documents and Settings\Styles\My Documents\pos1008.tmp
C:\Documents and Settings\Styles\My Documents\pos1009.tmp
C:\Documents and Settings\Styles\My Documents\pos100A.tmp
C:\Documents and Settings\Styles\My Documents\pos100B.tmp
C:\Documents and Settings\Styles\My Documents\pos100C.tmp
C:\Documents and Settings\Styles\My Documents\pos100D.tmp
C:\Documents and Settings\Styles\My Documents\pos100E.tmp
C:\Documents and Settings\Styles\My Documents\pos100F.tmp
C:\Documents and Settings\Styles\My Documents\pos1010.tmp
C:\Documents and Settings\Styles\My Documents\pos1011.tmp

***LIST ABBREVIATED FOR SPACE***

C:\posFE2.tmp
C:\posFE3.tmp
C:\posFE4.tmp
C:\posFE5.tmp
C:\posFE6.tmp
C:\posFE7.tmp
C:\posFE8.tmp
C:\posFE9.tmp
C:\posFEA.tmp
C:\posFEB.tmp
C:\posFEC.tmp
C:\posFED.tmp
C:\posFEE.tmp
C:\posFEF.tmp
C:\posFF.tmp
C:\posFF0.tmp
C:\posFF1.tmp
C:\posFF2.tmp
C:\posFF3.tmp
C:\posFF4.tmp
C:\posFF5.tmp
C:\posFF6.tmp
C:\posFF7.tmp
C:\posFF8.tmp
C:\posFF9.tmp
C:\posFFA.tmp
C:\posFFB.tmp
C:\posFFC.tmp
C:\posFFD.tmp
C:\posFFE.tmp
C:\posFFF.tmp
C:\PROGRA~1\Sygate\SPF\smc.exe
C:\Program Files\InCode Solutions\RemoveIT Pro v4\removeit .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
C:\Program Files\Microsoft ActiveSync\Wcescomm .exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sygate\SPF\smc .exe
C:\Program Files\Sygate\SPF\smc.exe
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\agldidji.dll
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\cxbkdwhj.dll
C:\WINDOWS\system32\didrmlos.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dubdbydn.dll
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\ehmxxbxy.dll
C:\WINDOWS\system32\ekraibcg.dll
C:\WINDOWS\system32\fxkkbpqi.dll
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.exe
C:\WINDOWS\system32\hogrbupb.ini
C:\WINDOWS\system32\iasidnfu.dll
C:\WINDOWS\system32\inevrwoa.exe
C:\WINDOWS\system32\nlnylotx.dll
C:\WINDOWS\system32\nlnylotx.dllbox
C:\WINDOWS\system32\oonulwon.dll
C:\WINDOWS\system32\qhbbcgbj.dll
C:\WINDOWS\system32\solmrdid.ini
C:\WINDOWS\system32\tiqqqauv.ini
C:\WINDOWS\system32\uthfunsy.ini
C:\WINDOWS\system32\vuaqqqit.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wyveuqhi.dll
C:\WINDOWS\system32\xetflnmg.ini
C:\WINDOWS\system32\xswjmlya.ini
C:\WINDOWS\system32\ykqcuhbq.dll
C:\WINDOWS\system32\yncbnpvw.dll
C:\WINDOWS\system32\ysnufhtu.dll
C:\WINDOWS\system32\z1
C:\WINDOWS\system32\z9
H:\Autorun.inf
C:\WINDOWS\Fonts\'

<pre>
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe ---> QooBox
C:\Program Files\Sygate\SPF\smc .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core
-------\DomainService
-------\nm


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE










((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-23 18:02 . 2005-02-09 01:03 211 --a------ C:\Boot.bak
2008-01-23 18:01 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-23 17:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 06:08 . 2008-01-23 10:45 654 --ahs---- C:\WINDOWS\system32\hjxhkxly.ini
2008-01-20 01:44 . 2008-01-20 01:44 <DIR> d-------- C:\Deckard
2008-01-20 00:36 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2008-01-20 00:36 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2008-01-20 00:36 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2008-01-20 00:36 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2008-01-20 00:35 . 2008-01-20 00:35 <DIR> d-------- C:\Program Files\Sygate
2008-01-19 00:53 . 2008-01-20 02:13 <DIR> d-------- C:\VundoFix Backups
2008-01-15 21:29 . 2008-01-15 21:29 156 --a------ C:\WINDOWS\Twunk001.MTX
2008-01-15 21:29 . 2008-01-15 21:29 2 --a------ C:\WINDOWS\Twain001.Mtx
2008-01-15 21:29 . 2008-01-15 21:29 0 --a------ C:\WINDOWS\Twunk002.MTX
2008-01-14 22:08 . 2008-01-14 22:08 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2008-01-14 21:59 . 2008-01-14 21:59 0 --a------ C:\WINDOWS\system32\giF0.tmp
2008-01-14 21:58 . 2008-01-14 21:58 0 --a------ C:\WINDOWS\system32\giD5.tmp
2008-01-14 21:55 . 2008-01-14 21:55 0 --a------ C:\WINDOWS\system32\giBB.tmp
2008-01-14 21:46 . 2008-01-17 19:37 <DIR> d-------- C:\Program Files\InCode Solutions
2008-01-14 19:23 . 2008-01-14 19:23 <DIR> d-------- C:\Program Files\Remove IT
2008-01-13 23:57 . 2007-04-26 06:42 51,104 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-13 23:57 . 2007-04-26 06:42 29,984 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-13 22:33 . 2008-01-24 11:35 <DIR> d-------- C:\Program Files\Tweak-XP Pro 4
2008-01-13 22:33 . 2008-01-13 22:32 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-01-13 21:20 . 2008-01-13 21:20 7,168 --a------ C:\WINDOWS\system32\windows.0
2008-01-13 02:10 . 2008-01-20 00:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 16:36 . 2008-01-09 16:36 197 --a------ C:\WINDOWS\system32\MRT.INI
2008-01-06 07:03 . 2008-01-09 16:30 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-01-06 06:44 . 2008-01-14 18:43 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-06 06:44 . 2008-01-06 06:45 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-06 06:30 . 2008-01-16 21:50 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-04 12:26 . 2008-01-25 18:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-04 12:26 . 2008-01-24 17:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-04 10:55 . 2008-01-04 10:55 <DIR> d--h----- C:\WINDOWS\PIF
2008-01-04 02:35 . 2008-01-14 23:03 <DIR> d-------- C:\Program Files\PCSecurityShield
2008-01-03 22:03 . 2008-01-03 22:04 <DIR> d-------- C:\Program Files\Common Files\Jasc Software Inc
2008-01-03 21:42 . 2008-01-13 12:38 <DIR> d-------- C:\WINDOWS\cache
2008-01-03 15:38 . 2008-01-03 15:38 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-03 15:35 . 2008-01-03 15:35 <DIR> d-------- C:\WINDOWS\system32\mr9
2008-01-03 15:35 . 2008-01-06 23:04 <DIR> d-------- C:\WINDOWS\system32\ardCo18
2008-01-03 15:35 . 2008-01-14 17:48 <DIR> d-------- C:\WINDOWS\system32\aj2
2008-01-03 15:35 . 2008-01-03 15:35 39,936 --------- C:\WINDOWS\mrofinu1188.0xe
2008-01-03 15:12 . 2007-05-29 13:55 22,112 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-01-03 15:12 . 2007-05-29 13:55 10,592 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-01-03 15:12 . 2007-05-29 13:55 705 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-01-03 10:52 . 2008-01-04 02:28 <DIR> d-------- C:\Program Files\Norton 360
2008-01-01 14:12 . 2008-01-01 14:12 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-12-28 18:53 . 2008-01-06 19:05 <DIR> d-------- C:\Program Files\IrfanView
2007-12-27 11:25 . 2007-12-27 11:25 <DIR> d-------- C:\Program Files\Freeze.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 23:20 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-25 23:20 --------- d-----w C:\Program Files\iTunes
2008-01-14 04:33 --------- d-----w C:\Program Files\Yahoo!
2008-01-14 04:33 --------- d-----w C:\Program Files\Common Files\Scanner
2008-01-06 12:02 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-06 12:02 --------- d-----w C:\Program Files\Freeze.com Toolbar
2008-01-06 11:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 10:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 20:22 --------- d-----w C:\Program Files\QuickTime
2008-01-04 07:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-04 07:27 --------- d-----w C:\Program Files\Symantec
2008-01-04 04:58 401,270 ----a-w C:\WINDOWS\Fonts\ascent2stardom.zip
2008-01-04 04:57 72,555 ----a-w C:\WINDOWS\Fonts\steadmanesque.zip
2008-01-04 04:57 38,717 ----a-w C:\WINDOWS\Fonts\beast.zip
2008-01-04 04:57 120,864 ----a-w C:\WINDOWS\Fonts\base02.zip
2008-01-04 04:56 428,433 ----a-w C:\WINDOWS\Fonts\barbershop.zip
2008-01-04 04:56 142,221 ----a-w C:\WINDOWS\Fonts\anthology.zip
2008-01-04 04:55 39,689 ----a-w C:\WINDOWS\Fonts\americandream.zip
2008-01-04 04:53 9,231 ----a-w C:\WINDOWS\Fonts\habbo.zip
2008-01-04 04:53 71,694 ----a-w C:\WINDOWS\Fonts\funkmaster.zip
2008-01-04 03:07 --------- d-----w C:\Program Files\Apoint2K
2008-01-04 03:06 --------- d-----w C:\Program Files\Jasc Software Inc
2008-01-03 19:06 --------- d-----w C:\Program Files\Common Files\Authentium Shared
2008-01-01 19:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-23 05:55 --------- d-----w C:\Program Files\Java
2007-12-23 05:53 --------- d-----w C:\Program Files\Common Files\Java
2007-12-23 05:46 --------- d-----w C:\Program Files\iPod
2007-12-23 05:41 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-23 05:41 --------- d-----w C:\Program Files\Apple Software Update
2007-12-22 04:38 --------- d-----w C:\Program Files\Clearwire
2007-12-18 15:36 --------- d-----w C:\Program Files\Google
2007-12-06 23:18 --------- d-----w C:\Program Files\The Weather Channel FW
2007-11-27 01:36 --------- d-----w C:\Program Files\MSXML 6.0
.
<pre>
----a-w		   176,177 2008-01-14 05:05:48  C:\Program Files\PCSecurityShield\Common\FSM32 .EXE
----a-w		   733,184 2008-01-14 05:05:52  C:\Program Files\PCSecurityShield\FSGUI\TNBUtil .exe
----a-w		   196,864 2008-01-06 21:31:12  C:\Program Files\TuneUp Utilities 2008\MemOptimizer .exe
----a-w			15,360 2008-01-17 02:50:36  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-24_11.28.25.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-04 17:37:17 102,400 ----a-r C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe
+ 2008-01-24 22:14:15 102,400 ----a-r C:\WINDOWS\Installer\{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}\iTunesIco.exe
- 2006-06-21 03:34:38 20,264 ----a-w C:\WINDOWS\system32\ceutil.dll
+ 2006-11-13 18:38:40 22,824 ----a-w C:\WINDOWS\system32\ceutil.dll
+ 2004-08-04 07:56:48 388,608 -c--a-w C:\WINDOWS\system32\dllcache\cmd.exe
- 2006-06-21 03:35:54 129,832 ----a-w C:\WINDOWS\system32\rapi.dll
+ 2006-11-13 18:39:28 138,024 ----a-w C:\WINDOWS\system32\rapi.dll
+ 2008-01-26 04:25:51 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_23c.dat
+ 2008-01-26 04:25:28 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkkk]
opnnkkk.dll

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-04-26 06:42]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 02:56]
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\CBTNDIS5.SYS [2003-07-16 21:28]
S3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\PCSecurityShield\Anti-Virus\minifilter\fsgk.sys [2007-04-26 06:42]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-06 06:45]
S3 US122;US122 Driver;C:\WINDOWS\system32\Drivers\US122.sys [2004-07-30 11:49]
S3 US122DL;US122 Firmware Downloader;C:\WINDOWS\system32\Drivers\US122DL.sys [2004-07-30 12:02]
S3 Us122WdmService;US122 Wdm Audio;C:\WINDOWS\system32\Drivers\US122Wdm.sys [2004-07-30 11:49]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\PCSecurityShield\Anti-Virus\Win2K\FSfilter.sys [2007-04-26 06:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\PCSecurityShield\Anti-Virus\Win2K\FSrec.sys [2007-04-26 06:42]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 22:17:54 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-01-25 17:04:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 13:09:39 C:\WINDOWS\Tasks\Scheduled scanning task.job"
- C:\PROGRA~1\PCSECU~1\ANTI-V~1\fsav.exeQ /HARD /POLICY /SCHED /NOBREAK /REPORT=C:\PROGRA~1\PCSECU~1\ANTI-V~1\report.txt
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 23:26:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 23:30:27 - machine was rebooted [Styles]
ComboFix-quarantined-files.txt 2008-01-26 04:30:23
.
2008-01-09 22:39:25 --- E O F ---
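The helper reads the two ComboFix logs above by eye. The script below is an added example, not part of the original thread and not ComboFix or catchme code: it applies the same patterns a reader looks for in the "Other Deletions" and "Reg Loading Points" sections to a log excerpt. The indicators it checks are all visible in the posted logs: a filename with a space just before the extension (`iTunesHelper .exe`, `ctfmon .exe`), which a process list cannot visibly tell apart from the real binary; a system32 DLL whose companion `.ini`/`.ini2` has the DLL's name spelled backwards (`geede.dll` and `edeeg.ini`, `didrmlos.dll` and `solmrdid.ini`), the Vundo pairing in the log; a `Winlogon\Notify` registration (`opnnkkk.dll`); `Autorun.inf` on a non-system drive (`H:\Autorun.inf`); and an `explorer\mountpoints2` AutoRun command. `SAMPLE_LOG` is constructed from paths quoted in the thread, and the finding names and regular expressions are this example's own heuristics, not ComboFix terminology.

```python
"""Triage a ComboFix-style log excerpt for the artefact patterns seen in
this thread. Added example: not part of the original posts and not
ComboFix's own code. SAMPLE_LOG is constructed from paths quoted in the
thread; finding names are this example's own, not ComboFix terminology.
"""
import re
from collections import defaultdict

# A non-space character, a single space, then the extension at end of line
# ("iTunesHelper .exe"): a lookalike sitting next to the legitimate binary.
SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll|sys)$", re.IGNORECASE)
# Short lowercase stems directly under system32; only reported when a
# .dll and an .ini/.ini2 with mirrored stems are both present.
SYS32_STEM = re.compile(r"^C:\\WINDOWS\\system32\\([a-z]{5,8})\.(dll|ini2?)$",
                        re.IGNORECASE)
NOTIFY_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(\w+)\]$", re.IGNORECASE)
AUTORUN_INF = re.compile(r"^([A-Z]):\\Autorun\.inf$", re.IGNORECASE)
MOUNTPOINT_AUTORUN = re.compile(r"\\Shell\\AutoRun\\command - (.+)$", re.IGNORECASE)

# Constructed sample: paths taken from the logs posted in this thread,
# plus quartz.dll as a legitimate system32 file that must not be flagged.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\didrmlos.dll
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\hogrbupb.ini
C:\WINDOWS\system32\solmrdid.ini
C:\WINDOWS\system32\vuaqqqit.dll
C:\WINDOWS\system32\tiqqqauv.ini
C:\WINDOWS\system32\quartz.dll
H:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnkkk]
opnnkkk.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
"""


def triage(log_text):
    """Return a list of (kind, *details) tuples, one per indicator found."""
    findings = []
    dll_paths = {}                  # lowercase stem -> path of the .dll
    ini_paths = defaultdict(list)   # lowercase stem -> paths of .ini/.ini2
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if SPACE_BEFORE_EXT.search(line):
            findings.append(("space-before-extension", line))
        m = SYS32_STEM.match(line)
        if m:
            stem, ext = m.group(1).lower(), m.group(2).lower()
            if ext == "dll":
                dll_paths[stem] = line
            else:
                ini_paths[stem].append(line)
        m = NOTIFY_KEY.match(line)
        if m:
            # ComboFix prints the loaded DLL on the line after the key.
            loaded = lines[i + 1] if i + 1 < len(lines) else ""
            findings.append(("winlogon-notify", m.group(1), loaded))
        m = AUTORUN_INF.match(line)
        if m and m.group(1).upper() != "C":
            findings.append(("removable-autorun.inf", line))
        m = MOUNTPOINT_AUTORUN.search(line)
        if m:
            findings.append(("mountpoints2-autorun", m.group(1)))
    # Vundo-style pairing: the .ini stem is the .dll stem spelled backwards.
    for stem, dll in dll_paths.items():
        mirrored = stem[::-1]
        if mirrored in ini_paths:
            findings.append(("reversed-name-pair", dll, tuple(ini_paths[mirrored])))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Run against the sample it reports three spaced-extension files, three reversed-name pairs (with both `edeeg.ini` and `edeeg.ini2` attached to `geede.dll`), the `opnnkkk` Notify entry, `H:\Autorun.inf` and the `E:\LaunchU3.exe -a` AutoRun command, and stays silent on `quartz.dll` and the unpaired `hogrbupb.ini`. The Notify entry is worth its own check because it survives in the Reg Loading Points of both posted runs while the file deletions change between them.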



