
Virtumonde/vundo Infection - Cannot Remove


  • This topic is locked
25 replies to this topic

#1 Joanna_Mellor

  • Members
  • 14 posts

Posted 15 April 2008 - 01:51 PM

Hi,

I have a very tenacious version of Vundo/Virtumonde which is evading all attempts at removal. I have run Vundofix and VirtumundoBegone but it is still there and driving my Avira antivirus mad.

Please find below HijackThis logs and Kaspersky log. Thanks in advance for any help.

main.txt:

Deckard's System Scanner v20071014.68
Run by Me on 2008-04-15 19:33:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; unknown error code 0x00000001


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Me.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:35:48, on 15/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\WINDOWS\System32\SEMBLY~1\msdtc.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\W?nSxS\n?pdb.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Me\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Me.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://your.egg.com/customer/yourmoney.aspx
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bbmedic.ntlworld.com/medic/tour/bbdemo.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\System32\efcYppqp.dll (file missing)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\System32\xxxqcoti.dll
O2 - BHO: (no name) - {749B7F7A-82B1-4A9C-A3E0-3683526D029E} - C:\WINDOWS\System32\yayyYPgg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {9b08d67c-2330-ade8-4da4-04e87f0bb478} - {874bb0f7-8e40-4ad4-8eda-0332c76d80b9} - C:\WINDOWS\System32\ovypqdjg.dll
O2 - BHO: (no name) - {AC7D898B-B23F-4F73-B8DD-AD2804D547C4} - C:\WINDOWS\System32\wvusstrs.dll (file missing)
O2 - BHO: (no name) - {BFAD17A1-AE6E-F0B2-19E3-D38F710D2F9D} - C:\WINDOWS\System32\apqtm.dll
O2 - BHO: (no name) - {D810B78A-D010-44DF-8445-AC58086B600E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BMefd81a7d] Rundll32.exe "C:\WINDOWS\System32\qjyelcrf.dll",s
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [Aror] "C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" -vt ndrv
O4 - HKLM\..\Policies\Explorer\Run: [none] C:\Program Files\Video ActiveX Object\pmsngr.exe
O4 - HKUS\S-1-5-21-861567501-1454471165-725345543-1003\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe (User '?')
O4 - HKUS\S-1-5-21-861567501-1454471165-725345543-1003\..\Run: [Aror] "C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" -vt ndrv (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0\bin\npjpi140_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0\bin\npjpi140_01.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208264888906
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm8\command.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6532 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-15 19:34:53 0 d-------- C:\Program Files\Trend Micro
2008-04-15 15:34:14 45056 --a------ C:\w0t5os.exe
2008-04-15 15:24:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 15:24:53 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-04-15 15:24:51 0 d-------- C:\WINDOWS\LastGood
2008-04-15 15:11:00 0 d-------- C:\Program Files\Sunbelt Software
2008-04-15 14:57:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-15 14:47:29 0 d-------- C:\WINDOWS\Prefetch
2008-04-15 14:08:17 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-15 13:31:00 24576 --a------ C:\WINDOWS\System32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-04-15 13:23:55 91712 --a------ C:\WINDOWS\System32\ovypqdjg.dll
2008-04-15 13:17:55 86080 --a------ C:\WINDOWS\System32\mhwfyqfy.dll
2008-04-15 13:17:54 3648 --a------ C:\WINDOWS\System32\pmmujhdk.dll
2008-04-15 13:15:50 53312 --a------ C:\WINDOWS\System32\xxxqcoti.dll
2008-04-15 13:15:43 96320 --a------ C:\WINDOWS\System32\vkmldxng.dll
2008-04-15 12:25:33 91712 --a------ C:\WINDOWS\System32\hahfxdgd.dll
2008-04-15 12:22:32 3648 --a------ C:\WINDOWS\System32\focavyum.dll
2008-04-15 12:20:09 53312 --a------ C:\WINDOWS\System32\wuociiag.dll
2008-04-15 12:20:02 96320 --a------ C:\WINDOWS\System32\qjyelcrf.dll
2008-04-14 16:05:35 3648 --a------ C:\WINDOWS\System32\eojgtbeg.dll
2008-04-14 16:05:28 96320 --a------ C:\WINDOWS\System32\nhpmpmfk.dll
2008-04-14 16:05:22 53312 --a------ C:\WINDOWS\System32\hqippisp.dll
2008-04-14 16:04:22 3648 --a------ C:\WINDOWS\System32\afjsusar.dll
2008-04-14 16:03:17 0 d-------- C:\WINDOWS\System32\W?nSxS
2008-04-14 16:03:16 60928 --a------ C:\WINDOWS\System32\apqtm.dll
2008-04-14 16:02:08 96320 --a------ C:\WINDOWS\System32\qiobspbu.dll
2008-04-14 16:02:01 53312 --a------ C:\WINDOWS\System32\guqcelmp.dll
2008-04-11 14:55:37 3648 --a------ C:\WINDOWS\System32\eguimkjb.dll
2008-04-11 14:53:16 90176 --a------ C:\WINDOWS\System32\hmryqojs.dll
2008-04-11 14:51:08 53312 --a------ C:\WINDOWS\System32\rvlrtfop.dll
2008-04-11 14:50:25 273408 -----n--- C:\WINDOWS\System32\hgGaawWO.dll
2008-04-11 14:29:26 0 d-------- C:\Program Files\JavaCore
2008-04-11 14:29:25 0 d-------- C:\Program Files\InetGet2
2008-04-11 14:24:24 0 d-------- C:\Program Files\Temporary
2008-04-11 14:24:24 0 d-------- C:\Program Files\nvcoi
2008-04-11 14:24:07 0 d-------- C:\Program Files\Outerinfo
2008-04-11 14:24:06 687592 --a------ C:\WINDOWS\System32\atmtd.dll
2008-04-11 14:24:06 0 d-------- C:\Documents and Settings\Me\Application Data\?ppPatch
2008-04-11 14:23:54 0 d--hs---- C:\WINDOWS\Sm8
2008-04-11 14:23:54 0 d-------- C:\Program Files\Network Monitor
2008-04-11 14:23:45 0 d-------- C:\WINDOWS\System32\gui4
2008-04-11 14:23:45 0 d-------- C:\WINDOWS\System32\ace2
2008-04-11 14:23:44 0 d-------- C:\WINDOWS\System32\??sembly
2008-04-11 14:23:38 0 d-------- C:\WINDOWS\System32\bharebio01
2008-04-11 14:23:38 0 d-------- C:\Temp
2008-04-11 10:43:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-11 10:39:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-11 10:39:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-11 10:39:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-11 10:39:46 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-11 10:39:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-11 10:39:46 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-11 10:39:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-11 10:39:46 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-11 10:39:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-11 10:39:46 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-11 10:39:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-11 10:39:46 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-11 10:39:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-11 10:39:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-11 10:00:46 0 d--hs---- C:\WINDOWS\CSC
2008-04-11 09:39:19 0 d-------- C:\VundoFix Backups
2008-04-10 14:08:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-10 13:23:14 254849 --ahs---- C:\WINDOWS\System32\ggPYyyay.ini2
2008-04-10 13:23:11 270848 -----n--- C:\WINDOWS\System32\yayyYPgg.dll
2008-04-10 11:41:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-10 11:15:45 6508 --ahs---- C:\WINDOWS\System32\srtssuvw.ini2
2008-04-08 12:04:29 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-08 11:54:42 5936 --a------ C:\Documents and Settings\Me\mqdmwhnt.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2008-04-08 11:54:42 79328 --a------ C:\Documents and Settings\Me\mqdmserd.sys <Not Verified; MCCI; Motorola USB Diag>
2008-04-08 11:54:42 92064 --a------ C:\Documents and Settings\Me\mqdmmdm.sys <Not Verified; MCCI; Motorola USB Modem>
2008-04-08 11:54:42 9232 --a------ C:\Documents and Settings\Me\mqdmmdfl.sys <Not Verified; MCCI; Motorola USB Modem Filter>
2008-04-08 11:54:42 4048 --a------ C:\Documents and Settings\Me\mqdmcr.sys <Not Verified; MCCI; Motorola USB DIAG>
2008-04-08 11:54:42 6208 --a------ C:\Documents and Settings\Me\mqdmcmnt.sys <Not Verified; MCCI; Motorola USB DIAG>
2008-04-08 11:54:42 66656 --a------ C:\Documents and Settings\Me\mqdmbus.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2008-04-08 11:54:40 6947 --a------ C:\Documents and Settings\Me\1207652080-(null)
2008-04-04 18:10:57 0 d--hs---- C:\3974834510
2008-04-03 11:50:05 0 d-------- C:\WINDOWS\System32\Adobe
2008-03-29 20:30:32 162 --a------ C:\WINDOWS\System32\pinf.sys
2008-03-29 18:00:18 36864 --a------ C:\WINDOWS\System32\jRegistryKey.dll
2008-03-29 18:00:16 321 --ahs---- C:\WINDOWS\System32\3974834510.sys


-- Find3M Report ---------------------------------------------------------------

2008-04-15 18:20:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 14:10:08 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-15 13:08:22 0 d-------- C:\Documents and Settings\Me\Application Data\SlimBrowser
2008-04-15 12:46:54 0 d-------- C:\Program Files\SlimBrowser
2008-04-14 16:03:17 0 d-------- C:\Documents and Settings\Me\Application Data\?ppPatch
2008-04-11 14:56:49 0 d-------- C:\Program Files\Common Files
2008-04-10 11:41:05 0 d-------- C:\Program Files\CleanUp
2008-04-03 11:50:59 0 d-------- C:\Documents and Settings\Me\Application Data\Adobe
2008-03-15 12:48:37 0 d-------- C:\Program Files\Last.fm
2008-03-04 20:32:27 105984 --a------ C:\WINDOWS\b152.exe
2008-03-02 15:26:43 73728 --a------ C:\WINDOWS\b153.exe
2008-02-28 18:48:07 0 d-------- C:\Program Files\DesignPro
2008-02-09 18:05:34 24992 --a------ C:\Documents and Settings\Me\Application Data\GDIPFONTCACHEV1.DAT
2008-01-27 12:35:54 11457 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
C:\WINDOWS\System32\efcYppqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
15/04/2008 13:15 53312 --a------ C:\WINDOWS\System32\xxxqcoti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{749B7F7A-82B1-4A9C-A3E0-3683526D029E}]
10/04/2008 13:23 270848 --------- C:\WINDOWS\System32\yayyYPgg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{874bb0f7-8e40-4ad4-8eda-0332c76d80b9}]
15/04/2008 13:23 91712 --a------ C:\WINDOWS\System32\ovypqdjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC7D898B-B23F-4F73-B8DD-AD2804D547C4}]
C:\WINDOWS\System32\wvusstrs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFAD17A1-AE6E-F0B2-19E3-D38F710D2F9D}]
11/04/2008 18:51 60928 --a------ C:\WINDOWS\System32\apqtm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D810B78A-D010-44DF-8445-AC58086B600E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [10/04/2008 14:13]
"BMefd81a7d"="C:\WINDOWS\System32\qjyelcrf.dll" [15/04/2008 12:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JavaCore"="C:\Program Files\\JavaCore\\JavaCore.exe" [11/04/2008 14:29]
"Aror"="C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" [14/04/2008 16:03]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [08/12/2007 15:49:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"none"=C:\Program Files\Video ActiveX Object\pmsngr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINDOWS\System32\efcYppqp.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\wmfhotfix.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Me\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aror]
"C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMefd81a7d]
Rundll32.exe "C:\WINDOWS\System32\qjyelcrf.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eceb29e1]
rundll32.exe "C:\WINDOWS\System32\mhwfyqfy.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qsb]
"C:\Documents and Settings\Me\Application Data\?ppPatch\r?gsvr32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uxf]
C:\WINDOWS\system32\W?nSxS\n?pdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B2-29-94-4E-DW}]
C:\WINDOWS\System32\gui4\cegmgr76.exe DWram

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=3 (0x3)
"SSDPSRV"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)

*Newly Created Service* - FWDRV
*Newly Created Service* - KHIPS
*Newly Created Service* - SPF4



-- End of Deckard's System Scanner: finished at 2008-04-15 19:37:25 ------------

extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Architecture: X86; Language: English

Percentage of Memory in Use: 53%
Physical Memory (total/avail): 511.01 MiB / 240.02 MiB
Pagefile Memory (total/avail): 1250.02 MiB / 847.25 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1946.48 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.64 GiB total, 10.2 GiB free.
D: is CDROM (No Media)



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Me\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JO
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Me
LOGONSERVER=\\JO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Netscape\Navigator 9
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0102
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Me\LOCALS~1\Temp
TMP=C:\DOCUME~1\Me\LOCALS~1\Temp
USERDOMAIN=JO
USERNAME=Me
USERPROFILE=C:\Documents and Settings\Me
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Me (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> Dummy
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88E5FCB8-5F25-11D5-B16F-0800460222F0}\setup.exe" -l0x9 UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D76298C2-E532-4A11-BCFF-76F3F19DA84D}\setup.exe" UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player Plugin --> C:\WINDOWS\System32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Avery DesignPro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2CC982C0-7EAE-11D4-ACC3-0050568AD318}\setup.exe" -uninst
Avira AntiVir PersonalEdition Classic --> C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Command --> wscript "C:\WINDOWS\Sm8\mAf.vbs"
EPSON Printer Software --> C:\Program Files\EPSON\PrinterDriverTemp\SP900\EPUPDATE.EXE /R
Java 2 Runtime Environment, SE v1.4.0_01 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7CF31609-270B-11D6-9445-000102308676}\Setup.exe" Anytext
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Last.fm 1.4.2.58376 --> "C:\Program Files\Last.fm\unins000.exe"
Macromedia Flash Player 8 --> MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Netscape Navigator (9.0.0.6) --> C:\Program Files\Netscape\Navigator 9\uninstall\helper.exe
Network Monitor --> wscript "C:\WINDOWS\uninstall_nmon.vbs"
OpenMG Limited Patch 4.1-05-13-31-01 --> C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.1-05-13-31-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.1.00 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{2F151B50-B434-4838-B51D-70442EBA093E} UNINSTALL
QuickTime --> MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SlimBrowser (remove only) --> "C:\Program Files\SlimBrowser\uninst.exe"
SonicStage 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Sunbelt Personal Firewall --> MsiExec.exe /X{BFD080F6-3BF0-40E1-9507-9CA969C35870}
Turbo Lister 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
WG111v2 Configuration Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E0F252A6-DE85-4E93-A93B-DFC3537B3965}\setup.exe" -l0x9 REMOVE -removeonly
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows XP Service Pack 1a --> C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4246 / Error
Event Submitted/Written: 04/15/2008 03:15:04 PM
Event ID/Source: 1015 / Perflib
Event Description:
The timeout waiting for the performance data collection function "Spooler"
in the "C:\WINDOWS\System32\winspool.drv" Library to finish has expired. There may be a problem with
this extensible counter or the service it is collecting data from or the
system may have been very busy when this call was attempted.

Event Record #/Type4244 / Error
Event Submitted/Written: 04/15/2008 03:15:00 PM
Event ID/Source: 2004 / PerfNet
Event Description:
Unable to open the Server service. Server performance data
will not be returned. Error code returned is in data DWORD 0.

Event Record #/Type4240 / Warning
Event Submitted/Written: 04/15/2008 02:48:18 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\System32\qjyelcrf.dll

Event Record #/Type4239 / Warning
Event Submitted/Written: 04/15/2008 02:48:18 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\System32\qjyelcrf.dll

Event Record #/Type4238 / Warning
Event Submitted/Written: 04/15/2008 02:48:18 PM
Event ID/Source: 4113 / H+BEDV AntiVir
Event Description:
AntiVir has detected 'TR/Vundo.Gen'
in the file
C:\WINDOWS\System32\qjyelcrf.dll



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21557 / Error
Event Submitted/Written: 04/15/2008 03:16:10 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Remote Access Connection Manager service terminated with the following error:
%%1

Event Record #/Type21556 / Error
Event Submitted/Written: 04/15/2008 03:16:10 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Remote Access Auto Connection Manager service depends on the Remote Access Connection Manager service which failed to start because of the following error:
%%1

Event Record #/Type21555 / Error
Event Submitted/Written: 04/15/2008 03:16:10 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Remote Registry service failed to start due to the following error:
%%1069

Event Record #/Type21554 / Error
Event Submitted/Written: 04/15/2008 03:16:10 PM
Event ID/Source: 7038 / Service Control Manager
Event Description:
The RemoteRegistry service was unable to log on as NT AUTHORITY\LocalService with the currently configured
password due to the following error:
%%1364

To ensure that the service is
configured properly, use the Services snap-in in Microsoft Management
Console (MMC).

Event Record #/Type21553 / Error
Event Submitted/Written: 04/15/2008 03:16:10 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Icatch(IV) Video Camera Device service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-04-15 19:37:25 ------------

Kaspersky log:

KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 15, 2008 7:32:04 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/04/2008
Kaspersky Anti-Virus database records: 707202
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 40115
Number of viruses found 22
Number of infected objects 42
Number of suspicious objects 0
Duration of the scan process 01:05:20

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Me\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\cert8.db Object is locked skipped
C:\Documents and Settings\Me\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Me\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\history.dat Object is locked skipped
C:\Documents and Settings\Me\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\key3.db Object is locked skipped
C:\Documents and Settings\Me\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\linkpad.sqlite Object is locked skipped
C:\Documents and Settings\Me\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\parent.lock Object is locked skipped
C:\Documents and Settings\Me\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Me\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Application Data\Netscape\Navigator\Profiles\2363ozuw.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Me\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\History\History.IE5\MSHist012008041520080416\index.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\Me\Local Settings\Temp\Acr92A0.tmp Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Temp\file982.exe Infected: Trojan-Spy.Win32.Zbot.axu skipped
C:\Documents and Settings\Me\Local Settings\Temp\lcldbcml.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\Documents and Settings\Me\Local Settings\Temp\lmtmyblo.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\Documents and Settings\Me\Local Settings\Temp\NDR17.tmp Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\Me\Local Settings\Temp\Perflib_Perfdata_658.dat Object is locked skipped
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\03XRA2NL\KB908531[1].exe Infected: Trojan-Spy.Win32.Zbot.axu skipped
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Me\ntuser.dat Object is locked skipped
C:\Documents and Settings\Me\ntuser.dat.LOG Object is locked skipped
C:\Program Files\JavaCore\JavaCore.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\Program Files\Network Monitor\netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Program Files\Outerinfo\FF\components\FF.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
C:\Program Files\Temporary\InsiDERInst.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP239\A0046988.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP241\A0048185.exe Infected: Trojan-Downloader.Win32.Homles.bc skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP241\A0048186.exe Infected: Trojan-Downloader.Win32.Homles.bc skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP241\A0048192.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP241\A0048196.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP241\A0048197.exe Infected: Trojan-Downloader.Win32.VB.dsf skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP241\A0048198.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP241\A0048208.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP241\A0048212.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP242\A0048227.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP242\A0048229.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nvf skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP242\A0048252.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.nvf skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP242\A0048256.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{83B6EA0F-3903-41F8-AD62-2FB469E53F6A}\RP248\change.log Object is locked skipped
C:\VundoFix Backups\efcYppqp.dll.bad Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\b152.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\WINDOWS\b153.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sm8\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\afjsusar.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\apqtm.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\eguimkjb.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\eojgtbeg.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\focavyum.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\gui4\cegmgr76.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\system32\guqcelmp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\WINDOWS\system32\hqippisp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\WINDOWS\system32\pmmujhdk.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\rvlrtfop.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wuociiag.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\WINDOWS\system32\WіnSxS\nоpdb.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\WINDOWS\system32\xxxqcoti.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\WINDOWS\system32\аѕsembly\msdtc.exe Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Thank you :-)

#2 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 15 April 2008 - 03:28 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Please download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 Joanna_Mellor

Joanna_Mellor
  • Topic Starter

  • Members
  • 14 posts

Posted 16 April 2008 - 04:20 AM

Here's the ComboFix log, HijackThis log to follow.

ComboFix 08-04-15.4 - Me 2008-04-16 9:48:23.1 - NTFSx86

Running from: C:\Documents and Settings\Me\My Documents\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Me\Application Data\PPPATC~1
C:\Documents and Settings\Me\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Me\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Me\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\inetget2
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERInst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\Sm8\
C:\WINDOWS\Sm8\\asappsrv.dll
C:\WINDOWS\Sm8\\mAf.vbs
C:\WINDOWS\system32\afjsusar.dll
C:\WINDOWS\system32\apqtm.dll
C:\WINDOWS\system32\eguimkjb.dll
C:\WINDOWS\system32\eojgtbeg.dll
C:\WINDOWS\system32\focavyum.dll
C:\WINDOWS\system32\ggPYyyay.ini
C:\WINDOWS\system32\ggPYyyay.ini2
C:\WINDOWS\system32\hahfxdgd.dll
C:\WINDOWS\system32\hgGaawWO.dll
C:\WINDOWS\system32\hmryqojs.dll
C:\WINDOWS\system32\mhwfyqfy.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nhpmpmfk.dll
C:\WINDOWS\system32\oqwooyko.ini
C:\WINDOWS\system32\ousbgqaf.ini
C:\WINDOWS\system32\ovypqdjg.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmmujhdk.dll
C:\WINDOWS\system32\qiobspbu.dll
C:\WINDOWS\system32\qjyelcrf.dll
C:\WINDOWS\system32\rjcrgvlg.ini
C:\WINDOWS\system32\sembly~1
C:\WINDOWS\system32\sembly~1\??sembly\
C:\WINDOWS\system32\sembly~1\msdtc.exe
C:\WINDOWS\system32\srtssuvw.ini
C:\WINDOWS\system32\srtssuvw.ini2
C:\WINDOWS\system32\vkmldxng.dll
C:\WINDOWS\system32\wckvewvo.ini
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wnsxs~1\n?pdb.exe
C:\WINDOWS\system32\yayyYPgg.dll
C:\WINDOWS\system32\yfqyfwhm.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.

2008-04-15 19:34 . 2008-04-15 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 19:33 . 2008-04-15 19:33 <DIR> d-------- C:\Deckard
2008-04-15 15:34 . 2008-04-15 15:34 45,056 --a------ C:\w0t5os.exe
2008-04-15 15:24 . 2008-04-15 15:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 15:24 . 2008-04-15 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 15:11 . 2008-04-15 15:11 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-15 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-04-15 14:10 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-15 14:10 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-15 14:10 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-15 14:10 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-15 14:10 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-15 14:10 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-15 14:10 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-15 14:09 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-15 14:09 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-15 13:31 . 2008-04-15 13:31 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-15 13:15 . 2008-04-15 13:15 53,312 --a------ C:\WINDOWS\system32\xxxqcoti.dll
2008-04-15 12:20 . 2008-04-15 12:20 53,312 --a------ C:\WINDOWS\system32\wuociiag.dll
2008-04-14 16:05 . 2008-04-14 16:05 53,312 --a------ C:\WINDOWS\system32\hqippisp.dll
2008-04-14 16:02 . 2008-04-14 16:02 53,312 --a------ C:\WINDOWS\system32\guqcelmp.dll
2008-04-11 14:53 . 2008-04-15 19:37 101,127 --a------ C:\WINDOWS\BMefd81a7d.xml
2008-04-11 14:51 . 2008-04-11 14:51 53,312 --a------ C:\WINDOWS\system32\rvlrtfop.dll
2008-04-11 14:34 . 2008-04-11 14:34 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-04-11 14:24 . 2008-04-11 14:24 687,592 --a------ C:\WINDOWS\system32\atmtd.dll._
2008-04-11 14:24 . 2008-04-11 14:24 687,592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\WINDOWS\system32\gui4
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\NetMon
2008-04-11 14:23 . 2008-04-11 15:22 <DIR> d-------- C:\WINDOWS\system32\bharebio01
2008-04-11 14:23 . 2008-04-11 15:22 <DIR> d-------- C:\WINDOWS\system32\ace2
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\Temp\wdlw14
2008-04-11 14:23 . 2008-04-16 09:49 <DIR> d-------- C:\Temp
2008-04-11 10:39 . 2008-04-11 10:49 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-11 09:39 . 2008-04-15 13:30 <DIR> d-------- C:\VundoFix Backups
2008-04-10 14:08 . 2008-04-10 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-10 12:39 . 2008-04-10 12:40 147 --a------ C:\WINDOWS\wininit.ini
2008-04-10 11:41 . 2008-04-10 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 12:04 . 2008-04-15 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-08 11:54 . 2008-04-08 11:54 92,064 --a------ C:\Documents and Settings\Me\mqdmmdm.sys
2008-04-08 11:54 . 2008-04-08 11:54 79,328 --a------ C:\Documents and Settings\Me\mqdmserd.sys
2008-04-08 11:54 . 2008-04-08 11:54 66,656 --a------ C:\Documents and Settings\Me\mqdmbus.sys
2008-04-08 11:54 . 2008-04-08 11:54 9,232 --a------ C:\Documents and Settings\Me\mqdmmdfl.sys
2008-04-08 11:54 . 2008-04-08 11:54 6,208 --a------ C:\Documents and Settings\Me\mqdmcmnt.sys
2008-04-08 11:54 . 2008-04-08 11:54 5,936 --a------ C:\Documents and Settings\Me\mqdmwhnt.sys
2008-04-08 11:54 . 2008-04-08 11:54 4,048 --a------ C:\Documents and Settings\Me\mqdmcr.sys
2008-04-03 11:50 . 2008-04-03 11:50 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-29 20:30 . 2008-04-10 13:16 162 --a------ C:\WINDOWS\system32\pinf.sys
2008-03-29 18:00 . 2008-03-29 18:00 161,862 --a------ C:\WINDOWS\system32\Get Films Now.ico
2008-03-29 18:00 . 2008-03-29 18:00 36,864 --a------ C:\WINDOWS\system32\jRegistryKey.dll
2008-03-29 18:00 . 2008-04-10 10:47 321 --ahs---- C:\WINDOWS\system32\3974834510.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 08:02 --------- d-----w C:\Documents and Settings\Me\Application Data\SlimBrowser
2008-04-15 17:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 11:46 --------- d-----w C:\Program Files\SlimBrowser
2008-04-10 10:41 --------- d-----w C:\Program Files\CleanUp
2008-04-08 10:54 25,600 ----a-w C:\WINDOWS\system32\drivers\usbsermptxp.sys
2008-04-08 10:54 25,600 ----a-w C:\Documents and Settings\Me\usbsermptxp.sys
2008-04-08 10:54 22,768 ----a-w C:\Documents and Settings\Me\usbsermpt.sys
2008-03-15 11:48 --------- d-----w C:\Program Files\Last.fm
2008-03-04 19:32 105,984 ----a-w C:\WINDOWS\b152.exe
2008-03-02 14:26 73,728 ----a-w C:\WINDOWS\b153.exe
2008-02-28 17:48 --------- d-----w C:\Program Files\DesignPro
2008-02-09 17:05 24,992 ----a-w C:\Documents and Settings\Me\Application Data\GDIPFONTCACHEV1.DAT
2006-02-25 19:36 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-04-15 13:15 53312 --a------ C:\WINDOWS\System32\xxxqcoti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC7D898B-B23F-4F73-B8DD-AD2804D547C4}]
C:\WINDOWS\System32\wvusstrs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aror"="C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-10 14:13 249896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 03:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-12-08 15:49:19 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\wmfhotfix.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Me\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aror]
C:\WINDOWS\System32\SEMBLY~1\msdtc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMefd81a7d]
C:\WINDOWS\System32\qjyelcrf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eceb29e1]
C:\WINDOWS\System32\mhwfyqfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qsb]
C:\Documents and Settings\Me\Application Data\?ppPatch\r?gsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uxf]
C:\WINDOWS\system32\W?nSxS\n?pdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B2-29-94-4E-DW}]
--a------ 2008-02-14 15:42 49152 C:\WINDOWS\System32\gui4\cegmgr76.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=3 (0x3)
"SSDPSRV"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 09:56:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
.
**************************************************************************
.
Completion time: 2008-04-16 10:02:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-16 09:02:23

Pre-Run: 10,915,397,632 bytes free
Post-Run: 10,870,366,208 bytes free

#4 Joanna_Mellor

Joanna_Mellor
  • Topic Starter

  • Members
  • 14 posts

Posted 16 April 2008 - 04:23 AM

New HijackThis log: (this time, I only got main.txt and no extra.txt, even when I re-ran DSS)

Deckard's System Scanner v20071014.68
Run by Me on 2008-04-16 10:20:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Me.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:41, on 16/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtWLan.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Navigator 9\navigator.exe
C:\Documents and Settings\Me\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Me.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://your.egg.com/customer/yourmoney.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bbmedic.ntlworld.com/medic/tour/bbdemo.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\System32\xxxqcoti.dll
O2 - BHO: (no name) - {AC7D898B-B23F-4F73-B8DD-AD2804D547C4} - C:\WINDOWS\System32\wvusstrs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Aror] "C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" -vt ndrv
O4 - HKUS\S-1-5-21-861567501-1454471165-725345543-1003\..\Run: [Aror] "C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" -vt ndrv (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0\bin\npjpi140_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.0\bin\npjpi140_01.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: {05CDEE1D-D109-4992-B72B-6D4F5E2AB731} (PhotoBox uploader) - http://static.photobox.co.uk/sg/common/ImageUploader4.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208264888906
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 5297 bytes

-- Files created between 2008-03-16 and 2008-04-16 -----------------------------

2008-04-16 09:47:00 68096 --a------ C:\WINDOWS\zip.exe
2008-04-16 09:47:00 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-16 09:47:00 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-16 09:47:00 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-16 09:47:00 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-16 09:47:00 98816 --a------ C:\WINDOWS\sed.exe
2008-04-16 09:47:00 80412 --a------ C:\WINDOWS\grep.exe
2008-04-16 09:47:00 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-15 19:34:53 0 d-------- C:\Program Files\Trend Micro
2008-04-15 15:34:14 45056 --a------ C:\w0t5os.exe
2008-04-15 15:24:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 15:24:53 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2008-04-15 15:11:00 0 d-------- C:\Program Files\Sunbelt Software
2008-04-15 14:57:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-15 14:47:29 0 d-------- C:\WINDOWS\Prefetch
2008-04-15 14:08:17 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-15 13:31:00 24576 --a------ C:\WINDOWS\System32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-04-15 13:15:50 53312 --a------ C:\WINDOWS\System32\xxxqcoti.dll
2008-04-15 12:20:09 53312 --a------ C:\WINDOWS\System32\wuociiag.dll
2008-04-14 16:05:22 53312 --a------ C:\WINDOWS\System32\hqippisp.dll
2008-04-14 16:02:01 53312 --a------ C:\WINDOWS\System32\guqcelmp.dll
2008-04-11 14:51:08 53312 --a------ C:\WINDOWS\System32\rvlrtfop.dll
2008-04-11 14:24:06 687592 --a------ C:\WINDOWS\System32\atmtd.dll
2008-04-11 14:23:45 0 d-------- C:\WINDOWS\System32\gui4
2008-04-11 14:23:45 0 d-------- C:\WINDOWS\System32\ace2
2008-04-11 14:23:38 0 d-------- C:\WINDOWS\System32\bharebio01
2008-04-11 14:23:38 0 d-------- C:\Temp
2008-04-11 10:43:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-04-11 10:39:46 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-11 10:39:46 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-11 10:39:46 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-11 10:39:46 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-04-11 10:39:46 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-11 10:39:46 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-11 10:39:46 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-11 10:39:46 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-04-11 10:39:46 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-11 10:39:46 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-04-11 10:39:46 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-11 10:39:46 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-04-11 10:39:46 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-11 10:39:46 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-11 10:00:46 0 d--hs---- C:\WINDOWS\CSC
2008-04-11 09:39:19 0 d-------- C:\VundoFix Backups
2008-04-10 14:08:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-10 11:41:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 12:04:29 0 d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-08 11:54:42 5936 --a------ C:\Documents and Settings\Me\mqdmwhnt.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2008-04-08 11:54:42 79328 --a------ C:\Documents and Settings\Me\mqdmserd.sys <Not Verified; MCCI; Motorola USB Diag>
2008-04-08 11:54:42 92064 --a------ C:\Documents and Settings\Me\mqdmmdm.sys <Not Verified; MCCI; Motorola USB Modem>
2008-04-08 11:54:42 9232 --a------ C:\Documents and Settings\Me\mqdmmdfl.sys <Not Verified; MCCI; Motorola USB Modem Filter>
2008-04-08 11:54:42 4048 --a------ C:\Documents and Settings\Me\mqdmcr.sys <Not Verified; MCCI; Motorola USB DIAG>
2008-04-08 11:54:42 6208 --a------ C:\Documents and Settings\Me\mqdmcmnt.sys <Not Verified; MCCI; Motorola USB DIAG>
2008-04-08 11:54:42 66656 --a------ C:\Documents and Settings\Me\mqdmbus.sys <Not Verified; MCCI; Motorola DM Composite Driver>
2008-04-08 11:54:40 6947 --a------ C:\Documents and Settings\Me\1207652080-(null)
2008-04-04 18:10:57 0 d--hs---- C:\3974834510
2008-04-03 11:50:05 0 d-------- C:\WINDOWS\System32\Adobe
2008-03-29 20:30:32 162 --a------ C:\WINDOWS\System32\pinf.sys
2008-03-29 18:00:18 36864 --a------ C:\WINDOWS\System32\jRegistryKey.dll
2008-03-29 18:00:16 321 --ahs---- C:\WINDOWS\System32\3974834510.sys


-- Find3M Report ---------------------------------------------------------------

2008-04-16 09:02:10 0 d-------- C:\Documents and Settings\Me\Application Data\SlimBrowser
2008-04-15 18:20:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-15 14:10:08 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-15 12:46:54 0 d-------- C:\Program Files\SlimBrowser
2008-04-11 14:56:49 0 d-------- C:\Program Files\Common Files
2008-04-10 11:41:05 0 d-------- C:\Program Files\CleanUp
2008-04-03 11:50:59 0 d-------- C:\Documents and Settings\Me\Application Data\Adobe
2008-03-15 12:48:37 0 d-------- C:\Program Files\Last.fm
2008-03-04 20:32:27 105984 --a------ C:\WINDOWS\b152.exe
2008-03-02 15:26:43 73728 --a------ C:\WINDOWS\b153.exe
2008-02-28 18:48:07 0 d-------- C:\Program Files\DesignPro
2008-02-09 18:05:34 24992 --a------ C:\Documents and Settings\Me\Application Data\GDIPFONTCACHEV1.DAT
2008-01-27 12:35:54 11457 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
15/04/2008 13:15 53312 --a------ C:\WINDOWS\System32\xxxqcoti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC7D898B-B23F-4F73-B8DD-AD2804D547C4}]
C:\WINDOWS\System32\wvusstrs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [10/04/2008 14:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aror"="C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [08/12/2007 15:49:19]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\WINDOWS\System32\wmfhotfix.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Me\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aror]
"C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" -vt ndrv

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMefd81a7d]
Rundll32.exe "C:\WINDOWS\System32\qjyelcrf.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eceb29e1]
rundll32.exe "C:\WINDOWS\System32\mhwfyqfy.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qsb]
"C:\Documents and Settings\Me\Application Data\?ppPatch\r?gsvr32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uxf]
C:\WINDOWS\system32\W?nSxS\n?pdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B2-29-94-4E-DW}]
C:\WINDOWS\System32\gui4\cegmgr76.exe DWram

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=3 (0x3)
"SSDPSRV"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)




-- End of Deckard's System Scanner: finished at 2008-04-16 10:21:55 ------------

#5 rookie147
Posted 16 April 2008 - 04:21 PM

Before we continue, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with it and post back the new log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#6 Joanna_Mellor (Topic Starter)
Posted 17 April 2008 - 05:39 AM

Hi Charles, and thank you for helping me - I forgot to say that before.

I followed those instructions - when I dropped the recovery module .exe file onto the ComboFix icon, a little window popped up saying ComboFix, and a green progress bar filled up, but that was the only thing that happened. I then ran ComboFix again (disabling my firewall and antivirus software) and at the top of the log it produced, it says that the recovery module is not installed: see below. This doesn't seem right to me. I didn't shut down and restart between installing the recovery module and running ComboFix, since the instructions didn't say to do that - should I try this and then run ComboFix again?

Jo

ComboFix 08-04-15.4 - Me 2008-04-17 11:19:07.2 - NTFSx86

Running from: C:\Documents and Settings\Me\My Documents\Ill Computer\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-15 19:34 . 2008-04-15 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 19:33 . 2008-04-15 19:33 <DIR> d-------- C:\Deckard
2008-04-15 15:34 . 2008-04-15 15:34 45,056 --a------ C:\w0t5os.exe
2008-04-15 15:24 . 2008-04-15 15:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 15:24 . 2008-04-15 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 15:11 . 2008-04-15 15:11 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-15 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-04-15 14:10 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-15 14:10 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-15 14:10 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-15 14:10 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-15 14:10 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-15 14:10 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-15 14:10 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-15 14:09 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-15 14:09 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-15 13:31 . 2008-04-15 13:31 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-15 13:15 . 2008-04-15 13:15 53,312 --a------ C:\WINDOWS\system32\xxxqcoti.dll
2008-04-15 12:20 . 2008-04-15 12:20 53,312 --a------ C:\WINDOWS\system32\wuociiag.dll
2008-04-14 16:05 . 2008-04-14 16:05 53,312 --a------ C:\WINDOWS\system32\hqippisp.dll
2008-04-14 16:02 . 2008-04-14 16:02 53,312 --a------ C:\WINDOWS\system32\guqcelmp.dll
2008-04-11 14:53 . 2008-04-15 19:37 101,127 --a------ C:\WINDOWS\BMefd81a7d.xml
2008-04-11 14:51 . 2008-04-11 14:51 53,312 --a------ C:\WINDOWS\system32\rvlrtfop.dll
2008-04-11 14:34 . 2008-04-11 14:34 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-04-11 14:24 . 2008-04-11 14:24 687,592 --a------ C:\WINDOWS\system32\atmtd.dll._
2008-04-11 14:24 . 2008-04-11 14:24 687,592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\WINDOWS\system32\gui4
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\NetMon
2008-04-11 14:23 . 2008-04-11 15:22 <DIR> d-------- C:\WINDOWS\system32\bharebio01
2008-04-11 14:23 . 2008-04-11 15:22 <DIR> d-------- C:\WINDOWS\system32\ace2
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\Temp\wdlw14
2008-04-11 14:23 . 2008-04-16 09:49 <DIR> d-------- C:\Temp
2008-04-11 10:39 . 2008-04-11 10:49 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-11 09:39 . 2008-04-15 13:30 <DIR> d-------- C:\VundoFix Backups
2008-04-10 14:08 . 2008-04-10 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-10 12:39 . 2008-04-10 12:40 147 --a------ C:\WINDOWS\wininit.ini
2008-04-10 11:41 . 2008-04-10 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 12:04 . 2008-04-15 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-08 11:54 . 2008-04-08 11:54 92,064 --a------ C:\Documents and Settings\Me\mqdmmdm.sys
2008-04-08 11:54 . 2008-04-08 11:54 79,328 --a------ C:\Documents and Settings\Me\mqdmserd.sys
2008-04-08 11:54 . 2008-04-08 11:54 66,656 --a------ C:\Documents and Settings\Me\mqdmbus.sys
2008-04-08 11:54 . 2008-04-08 11:54 9,232 --a------ C:\Documents and Settings\Me\mqdmmdfl.sys
2008-04-08 11:54 . 2008-04-08 11:54 6,208 --a------ C:\Documents and Settings\Me\mqdmcmnt.sys
2008-04-08 11:54 . 2008-04-08 11:54 5,936 --a------ C:\Documents and Settings\Me\mqdmwhnt.sys
2008-04-08 11:54 . 2008-04-08 11:54 4,048 --a------ C:\Documents and Settings\Me\mqdmcr.sys
2008-04-03 11:50 . 2008-04-03 11:50 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-29 20:30 . 2008-04-10 13:16 162 --a------ C:\WINDOWS\system32\pinf.sys
2008-03-29 18:00 . 2008-03-29 18:00 161,862 --a------ C:\WINDOWS\system32\Get Films Now.ico
2008-03-29 18:00 . 2008-03-29 18:00 36,864 --a------ C:\WINDOWS\system32\jRegistryKey.dll
2008-03-29 18:00 . 2008-04-10 10:47 321 --ahs---- C:\WINDOWS\system32\3974834510.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 10:05 --------- d-----w C:\Documents and Settings\Me\Application Data\SlimBrowser
2008-04-15 17:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 11:46 --------- d-----w C:\Program Files\SlimBrowser
2008-04-10 10:41 --------- d-----w C:\Program Files\CleanUp
2008-04-08 10:54 25,600 ----a-w C:\WINDOWS\system32\drivers\usbsermptxp.sys
2008-04-08 10:54 25,600 ----a-w C:\Documents and Settings\Me\usbsermptxp.sys
2008-04-08 10:54 22,768 ----a-w C:\Documents and Settings\Me\usbsermpt.sys
2008-03-15 11:48 --------- d-----w C:\Program Files\Last.fm
2008-03-04 19:32 105,984 ----a-w C:\WINDOWS\b152.exe
2008-03-02 14:26 73,728 ----a-w C:\WINDOWS\b153.exe
2008-02-28 17:48 --------- d-----w C:\Program Files\DesignPro
2008-02-09 17:05 24,992 ----a-w C:\Documents and Settings\Me\Application Data\GDIPFONTCACHEV1.DAT
2006-02-25 19:36 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_10.01.18.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 08:55:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-17 10:04:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-16 07:40:08 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-16 14:58:31 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-16 07:40:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-16 14:58:31 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-04-15 13:15 53312 --a------ C:\WINDOWS\System32\xxxqcoti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC7D898B-B23F-4F73-B8DD-AD2804D547C4}]
C:\WINDOWS\System32\wvusstrs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aror"="C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-10 14:13 249896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 03:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-12-08 15:49:19 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\wmfhotfix.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Me\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aror]
C:\WINDOWS\System32\SEMBLY~1\msdtc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMefd81a7d]
C:\WINDOWS\System32\qjyelcrf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eceb29e1]
C:\WINDOWS\System32\mhwfyqfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qsb]
C:\Documents and Settings\Me\Application Data\?ppPatch\r?gsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uxf]
C:\WINDOWS\system32\W?nSxS\n?pdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B2-29-94-4E-DW}]
--a------ 2008-02-14 15:42 49152 C:\WINDOWS\System32\gui4\cegmgr76.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=3 (0x3)
"SSDPSRV"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 11:23:24
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\wmfhotfix.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\System32\wmfhotfix.dll
.
Completion time: 2008-04-17 11:26:48
ComboFix-quarantined-files.txt 2008-04-17 10:25:41
ComboFix2.txt 2008-04-16 09:02:36

Pre-Run: 11,008,286,720 bytes free
Post-Run: 11,000,782,848 bytes free
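
The autostart entries in the log above (the eight-letter DLL names under Browser Helper Objects, the AppInit_DLLs value that shows up loaded inside winlogon.exe and lsass.exe, msdtc.exe sitting in a SEMBLY~1 subfolder of System32, rundll32 calling a DLL through a one-letter export, and the "?" characters ComboFix prints for directory and file names it cannot render) are the persistence pattern a Vundo/Virtumonde clean-up is chasing. The script below is an added example, not code from this thread, from ComboFix or from Deckard's System Scanner: it parses the [key] / value-line layout of the "Reg Loading Points" section and flags entries that match those patterns. The rule names, the SYSTEM_BINARIES set and the heuristics themselves are my own choices, and the sample excerpt is assembled from entries in the logs posted above rather than being a complete log. A hit means "review this", not "this is malware".

```python
"""Triage helper for ComboFix / DSS "Reg Loading Points" output.

Added example (assumed layout: "[key]" lines followed by value lines,
blank line ends the key). Heuristics, in order of how often they fire
on Vundo-era logs:

  * eight lowercase letters + ".dll" living directly in System32
  * rundll32 launching a DLL through a single-letter export ("x.dll",b)
  * a non-empty AppInit_DLLs value (injected into every GUI process)
  * a '?' inside a path (ComboFix prints '?' for characters it cannot
    render, typically a look-alike name such as ?ppPatch or W?nSxS)
  * a well-known Windows binary name found anywhere except System32
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the logs in this thread
# (DSS and ComboFix line formats mixed on purpose), not a full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-04-15 13:15 53312 --a------ C:\WINDOWS\System32\xxxqcoti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC7D898B-B23F-4F73-B8DD-AD2804D547C4}]
C:\WINDOWS\System32\wvusstrs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aror"="C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-10 14:13 249896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\wmfhotfix.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eceb29e1]
rundll32.exe "C:\WINDOWS\System32\mhwfyqfy.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qsb]
"C:\Documents and Settings\Me\Application Data\?ppPatch\r?gsvr32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"""

# First drive-letter path on the line, ending at the first binary extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|cpl|sys|scr))", re.IGNORECASE)
# rundll32.exe "some.dll",x  (DSS prints the full command line)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^"]+?\.dll)"?\s*,\s*([A-Za-z])\s*$', re.IGNORECASE)
EIGHT_LETTER_DLL = re.compile(r"^[a-z]{8}\.dll$")
SYSTEM32 = r"c:\windows\system32"
# Assumed list: binaries that live directly in System32 on Windows XP.
SYSTEM_BINARIES = {"msdtc.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "csrss.exe", "regsvr32.exe", "rundll32.exe"}


@dataclass(frozen=True)
class Finding:
    key: str    # registry key the value line was listed under
    path: str   # file path exactly as printed in the log
    rule: str   # which heuristic fired


def _split(path):
    """Return (parent_dir, basename), both lower-cased."""
    parent, _, base = path.lower().rpartition("\\")
    return parent, base


def check_entry(key, line):
    """Apply every heuristic to one value line under `key`."""
    found = []
    for path in PATH_RE.findall(line):
        parent, base = _split(path)
        if "?" in path:
            found.append(Finding(key, path, "nonprintable_char_in_path"))
        if parent == SYSTEM32 and EIGHT_LETTER_DLL.match(base):
            found.append(Finding(key, path, "eight_letter_dll_in_system32"))
        if base in SYSTEM_BINARIES and parent != SYSTEM32:
            found.append(Finding(key, path, "system_binary_outside_system32"))
    if line.lower().startswith('"appinit_dlls"='):
        value = line.split("=", 1)[1].strip()
        if value:  # default on XP is an empty string
            found.append(Finding(key, value, "appinit_dlls_set"))
    m = RUNDLL_RE.search(line)
    if m:
        found.append(Finding(key, m.group(1), "rundll32_single_letter_export"))
    return found


def triage(log_text):
    """Walk the [key] / value-line structure and collect findings."""
    findings, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is not None:
            findings.extend(check_entry(key, line))
    return findings


def flagged_paths(log_text):
    """Map each flagged path to the sorted list of rules that fired on it."""
    out = {}
    for f in triage(log_text):
        out.setdefault(f.path, set()).add(f.rule)
    return {p: sorted(r) for p, r in out.items()}


if __name__ == "__main__":
    for path, rules in flagged_paths(SAMPLE_LOG).items():
        print(f"{path}\n    {', '.join(rules)}")
```

On the sample, avgnt.exe and jusched.exe pass clean, while the two BHO DLLs, the rundll32 DLL (which also trips the eight-letter rule), the AppInit_DLLs entry, the relocated msdtc.exe and the ?ppPatch path are each listed with the rule that caught them. The eight-letter rule is deliberately narrow: it is the naming habit of this malware family, not a general randomness test, so legitimate DLLs with eight-letter names will also surface and need a look.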

#7 rookie147
Posted 18 April 2008 - 03:51 AM

I didn't shut down and restart between installing the recovery module and running ComboFix, since the instructions didn't say to do that - should I try this and then run ComboFix again?

Hmm, yes please Jo. :thumbsup:


#8 Joanna_Mellor (Topic Starter)
Posted 18 April 2008 - 05:28 AM

Hi Charles,

No joy - I don't think the recovery console has installed properly. When I drop it onto the ComboFix icon, nothing happens after the ComboFix progress bar disappears. When I double click on the recovery console self extractor icon, a window pops up telling me I'll need 6 formatted floppy disks. This doesn't happen when I drop the self extractor icon onto the ComboFix icon. Am I meant to have used the recovery console program to create the setup boot disks? And am I meant to have used them to reboot my computer?

Jo

#9 Joanna_Mellor (Topic Starter)
Posted 18 April 2008 - 05:35 AM

Another thought - I've just looked again at the instructions for downloading the boot disks and it says when you use them to boot up the computer, you also need to use the XP CD-Rom. I don't have this - my ex set the computer up for me and I don't know how he did it but he used his XP CD. Am I right in thinking that this is going to be a problem?

Jo

#10 rookie147
Posted 19 April 2008 - 03:08 PM

Okay, don't worry about it. Can I just have a new Combofix log, please?


#11 Joanna_Mellor (Topic Starter)
Posted 20 April 2008 - 11:22 AM

Here it is:

ComboFix 08-04-15.4 - Me 2008-04-20 15:00:12.5 - NTFSx86

Running from: C:\Documents and Settings\Me\My Documents\Ill Computer\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-17 13:06 . 2008-04-17 13:06 <DIR> d-------- C:\WINDOWS\sim Reader
2008-04-15 19:34 . 2008-04-15 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 19:33 . 2008-04-15 19:33 <DIR> d-------- C:\Deckard
2008-04-15 15:34 . 2008-04-15 15:34 45,056 --a------ C:\w0t5os.exe
2008-04-15 15:24 . 2008-04-15 15:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 15:24 . 2008-04-15 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 15:11 . 2008-04-15 15:11 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-15 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-04-15 14:10 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-15 14:10 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-15 14:10 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-15 14:10 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-15 14:10 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-15 14:10 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-15 14:10 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-15 14:09 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-15 14:09 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-15 13:31 . 2008-04-15 13:31 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-15 13:15 . 2008-04-15 13:15 53,312 --a------ C:\WINDOWS\system32\xxxqcoti.dll
2008-04-15 12:20 . 2008-04-15 12:20 53,312 --a------ C:\WINDOWS\system32\wuociiag.dll
2008-04-14 16:05 . 2008-04-14 16:05 53,312 --a------ C:\WINDOWS\system32\hqippisp.dll
2008-04-14 16:02 . 2008-04-14 16:02 53,312 --a------ C:\WINDOWS\system32\guqcelmp.dll
2008-04-11 14:53 . 2008-04-15 19:37 101,127 --a------ C:\WINDOWS\BMefd81a7d.xml
2008-04-11 14:51 . 2008-04-11 14:51 53,312 --a------ C:\WINDOWS\system32\rvlrtfop.dll
2008-04-11 14:34 . 2008-04-11 14:34 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-04-11 14:24 . 2008-04-11 14:24 687,592 --a------ C:\WINDOWS\system32\atmtd.dll._
2008-04-11 14:24 . 2008-04-11 14:24 687,592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\WINDOWS\system32\gui4
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\NetMon
2008-04-11 14:23 . 2008-04-11 15:22 <DIR> d-------- C:\WINDOWS\system32\bharebio01
2008-04-11 14:23 . 2008-04-11 15:22 <DIR> d-------- C:\WINDOWS\system32\ace2
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\Temp\wdlw14
2008-04-11 14:23 . 2008-04-16 09:49 <DIR> d-------- C:\Temp
2008-04-11 10:39 . 2008-04-11 10:49 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-11 09:39 . 2008-04-15 13:30 <DIR> d-------- C:\VundoFix Backups
2008-04-10 14:08 . 2008-04-10 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-10 12:39 . 2008-04-10 12:40 147 --a------ C:\WINDOWS\wininit.ini
2008-04-10 11:41 . 2008-04-10 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 12:04 . 2008-04-15 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-08 11:54 . 2008-04-08 11:54 92,064 --a------ C:\Documents and Settings\Me\mqdmmdm.sys
2008-04-08 11:54 . 2008-04-08 11:54 79,328 --a------ C:\Documents and Settings\Me\mqdmserd.sys
2008-04-08 11:54 . 2008-04-08 11:54 66,656 --a------ C:\Documents and Settings\Me\mqdmbus.sys
2008-04-08 11:54 . 2008-04-08 11:54 9,232 --a------ C:\Documents and Settings\Me\mqdmmdfl.sys
2008-04-08 11:54 . 2008-04-08 11:54 6,208 --a------ C:\Documents and Settings\Me\mqdmcmnt.sys
2008-04-08 11:54 . 2008-04-08 11:54 5,936 --a------ C:\Documents and Settings\Me\mqdmwhnt.sys
2008-04-08 11:54 . 2008-04-08 11:54 4,048 --a------ C:\Documents and Settings\Me\mqdmcr.sys
2008-04-03 11:50 . 2008-04-03 11:50 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-29 20:30 . 2008-04-10 13:16 162 --a------ C:\WINDOWS\system32\pinf.sys
2008-03-29 18:00 . 2008-03-29 18:00 161,862 --a------ C:\WINDOWS\system32\Get Films Now.ico
2008-03-29 18:00 . 2008-03-29 18:00 36,864 --a------ C:\WINDOWS\system32\jRegistryKey.dll
2008-03-29 18:00 . 2008-04-10 10:47 321 --ahs---- C:\WINDOWS\system32\3974834510.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 11:22 --------- d-----w C:\Documents and Settings\Me\Application Data\SlimBrowser
2008-04-15 17:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 11:46 --------- d-----w C:\Program Files\SlimBrowser
2008-04-10 10:41 --------- d-----w C:\Program Files\CleanUp
2008-04-08 10:54 25,600 ----a-w C:\WINDOWS\system32\drivers\usbsermptxp.sys
2008-04-08 10:54 25,600 ----a-w C:\Documents and Settings\Me\usbsermptxp.sys
2008-04-08 10:54 22,768 ----a-w C:\Documents and Settings\Me\usbsermpt.sys
2008-03-15 11:48 --------- d-----w C:\Program Files\Last.fm
2008-03-04 19:32 105,984 ----a-w C:\WINDOWS\b152.exe
2008-03-02 14:26 73,728 ----a-w C:\WINDOWS\b153.exe
2008-02-28 17:48 --------- d-----w C:\Program Files\DesignPro
2008-02-09 17:05 24,992 ----a-w C:\Documents and Settings\Me\Application Data\GDIPFONTCACHEV1.DAT
2006-02-25 19:36 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_10.01.18.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 08:55:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-20 11:21:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-17 12:06:40 451,072 ----a-w C:\WINDOWS\sim Reader\uninstall.exe
- 2008-04-16 07:40:08 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-20 11:24:12 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-16 07:40:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-20 11:24:12 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-08-09 12:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-04-20 11:36:44 41,792 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
- 2007-07-18 13:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-04-20 11:36:44 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
- 2008-04-10 13:13:59 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2008-04-20 11:36:44 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2006-04-15 03:45:42 17,145 ----a-w C:\WINDOWS\system32\drivers\usbsf.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-04-15 13:15 53312 --a------ C:\WINDOWS\System32\xxxqcoti.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC7D898B-B23F-4F73-B8DD-AD2804D547C4}]
C:\WINDOWS\System32\wvusstrs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aror"="C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 12:36 262401]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 03:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-12-08 15:49:19 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\wmfhotfix.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Me\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aror]
C:\WINDOWS\System32\SEMBLY~1\msdtc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMefd81a7d]
C:\WINDOWS\System32\qjyelcrf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eceb29e1]
C:\WINDOWS\System32\mhwfyqfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qsb]
C:\Documents and Settings\Me\Application Data\?ppPatch\r?gsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uxf]
C:\WINDOWS\system32\W?nSxS\n?pdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B2-29-94-4E-DW}]
--a------ 2008-02-14 15:42 49152 C:\WINDOWS\System32\gui4\cegmgr76.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=3 (0x3)
"SSDPSRV"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-20 15:04:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\wmfhotfix.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\System32\wmfhotfix.dll
.
Completion time: 2008-04-20 15:08:12
ComboFix-quarantined-files.txt 2008-04-20 14:07:05
ComboFix2.txt 2008-04-18 10:23:32
ComboFix3.txt 2008-04-17 10:26:51
ComboFix4.txt 2008-04-16 09:02:36

Pre-Run: 10,918,944,768 bytes free
Post-Run: 10,911,166,464 bytes free

#12 rookie147
Posted 22 April 2008 - 02:39 PM

Please try following the instructions below:

Go to Microsoft's website => http://support.microsoft.com/kb/310994
At that page, scroll down and click on the appropriate download for your version of Windows XP (Home or Professional) and the service pack level that you have installed. When you click on the link to download the file, make sure you save it directly to your desktop.

If you are unsure what version of Windows you have and what Service Pack is installed, you can follow these instructions to gain that information:

1) Click on the Start button.
2) Click on the Run menu option.
3) In the Open: field type the following: sysdm.cpl and then click on the OK button.
4) A screen will appear showing information about your installation.
Under the System: category you should see your Windows version and the installed Service Pack.

Once the Microsoft file has finished downloading, close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. This is shown in the following image:
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.


#13 Joanna_Mellor (Topic Starter)
Posted 23 April 2008 - 12:00 PM

Hi,

This is what I did before, I think - I've done it again anyway. I get the same result: when I drag the recovery module icon and drop it onto Combofix, nothing actually happens save a little box popping up that says "ComboFix" and has a green status bar which fills up. Once the status bar has filled up, nothing further happens.

Jo

#14 rookie147
Posted 28 April 2008 - 03:15 AM

Sorry about the delay, I've been having a few problems with my internet as of late. Can I have a new Combofix log, please?


#15 Joanna_Mellor (Topic Starter)
Posted 04 May 2008 - 12:08 PM

Sorry about the delay my end too - I've been a bit snowed under.

New log:

ComboFix 08-05-01.3 - Me 2008-05-04 17:58:07.6 - NTFSx86

Running from: C:\Documents and Settings\Me\My Documents\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-04-17 13:06 . 2008-04-17 13:06 <DIR> d-------- C:\WINDOWS\sim Reader
2008-04-16 09:47 . 2008-05-04 17:57 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-15 19:34 . 2008-04-15 19:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 19:33 . 2008-04-15 19:33 <DIR> d-------- C:\Deckard
2008-04-15 15:34 . 2008-04-15 15:34 45,056 --a------ C:\w0t5os.exe
2008-04-15 15:24 . 2008-04-15 15:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 15:24 . 2008-04-15 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-15 15:11 . 2008-04-15 15:11 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-04-15 14:41 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-04-15 14:10 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-15 14:10 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-15 14:10 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-15 14:10 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-15 14:10 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-15 14:10 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-15 14:10 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-15 14:09 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-15 14:09 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-15 13:31 . 2008-04-15 13:31 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-15 13:15 . 2008-04-15 13:15 53,312 --a------ C:\WINDOWS\system32\xxxqcoti.dll
2008-04-15 12:20 . 2008-04-15 12:20 53,312 --a------ C:\WINDOWS\system32\wuociiag.dll
2008-04-14 16:05 . 2008-04-14 16:05 53,312 --a------ C:\WINDOWS\system32\hqippisp.dll
2008-04-14 16:02 . 2008-04-14 16:02 53,312 --a------ C:\WINDOWS\system32\guqcelmp.dll
2008-04-11 14:53 . 2008-04-15 19:37 101,127 --a------ C:\WINDOWS\BMefd81a7d.xml
2008-04-11 14:51 . 2008-04-11 14:51 53,312 --a------ C:\WINDOWS\system32\rvlrtfop.dll
2008-04-11 14:34 . 2008-04-11 14:34 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-04-11 14:24 . 2008-04-11 14:24 687,592 --a------ C:\WINDOWS\system32\atmtd.dll._
2008-04-11 14:24 . 2008-04-11 14:24 687,592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\WINDOWS\system32\gui4
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\NetMon
2008-04-11 14:23 . 2008-04-11 15:22 <DIR> d-------- C:\WINDOWS\system32\bharebio01
2008-04-11 14:23 . 2008-04-11 15:22 <DIR> d-------- C:\WINDOWS\system32\ace2
2008-04-11 14:23 . 2008-04-11 14:23 <DIR> d-------- C:\Temp\wdlw14
2008-04-11 14:23 . 2008-04-16 09:49 <DIR> d-------- C:\Temp
2008-04-11 10:39 . 2008-04-11 10:49 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-11 10:39 . 2008-05-04 17:57 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-11 09:39 . 2008-04-15 13:30 <DIR> d-------- C:\VundoFix Backups
2008-04-10 14:08 . 2008-04-10 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-10 12:39 . 2008-04-10 12:40 147 --a------ C:\WINDOWS\wininit.ini
2008-04-10 11:41 . 2008-04-10 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-08 12:04 . 2008-04-15 18:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-04-08 11:54 . 2008-04-08 11:54 92,064 --a------ C:\Documents and Settings\Me\mqdmmdm.sys
2008-04-08 11:54 . 2008-04-08 11:54 79,328 --a------ C:\Documents and Settings\Me\mqdmserd.sys
2008-04-08 11:54 . 2008-04-08 11:54 66,656 --a------ C:\Documents and Settings\Me\mqdmbus.sys
2008-04-08 11:54 . 2008-04-08 11:54 9,232 --a------ C:\Documents and Settings\Me\mqdmmdfl.sys
2008-04-08 11:54 . 2008-04-08 11:54 6,208 --a------ C:\Documents and Settings\Me\mqdmcmnt.sys
2008-04-08 11:54 . 2008-04-08 11:54 5,936 --a------ C:\Documents and Settings\Me\mqdmwhnt.sys
2008-04-08 11:54 . 2008-04-08 11:54 4,048 --a------ C:\Documents and Settings\Me\mqdmcr.sys
2008-04-04 18:10 . 2008-04-08 10:47 <DIR> d--hs---- C:\3974834510

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 15:32 --------- d-----w C:\Documents and Settings\Me\Application Data\SlimBrowser
2008-04-15 17:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 11:46 --------- d-----w C:\Program Files\SlimBrowser
2008-04-10 10:41 --------- d-----w C:\Program Files\CleanUp
2008-04-08 10:54 25,600 ----a-w C:\WINDOWS\system32\drivers\usbsermptxp.sys
2008-04-08 10:54 25,600 ----a-w C:\Documents and Settings\Me\usbsermptxp.sys
2008-04-08 10:54 22,768 ----a-w C:\Documents and Settings\Me\usbsermpt.sys
2008-03-29 17:00 36,864 ----a-w C:\WINDOWS\system32\jRegistryKey.dll
2008-03-15 11:48 --------- d-----w C:\Program Files\Last.fm
2008-03-04 19:32 105,984 ----a-w C:\WINDOWS\b152.exe
2008-03-02 14:26 73,728 ----a-w C:\WINDOWS\b153.exe
2008-02-09 17:05 24,992 ----a-w C:\Documents and Settings\Me\Application Data\GDIPFONTCACHEV1.DAT
2006-02-25 19:36 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-16_10.01.18.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-16 08:55:23 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-04 14:12:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-17 12:06:40 451,072 ----a-w C:\WINDOWS\sim Reader\uninstall.exe
- 2008-04-16 07:40:08 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-04 14:14:34 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-16 07:40:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-04 14:14:34 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-04-16 08:48:02 266,240 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2008-05-04 16:57:45 266,240 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2007-08-09 12:04:11 40,768 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
+ 2008-04-20 11:36:44 41,792 ----a-w C:\WINDOWS\system32\drivers\avgntdd.sys
- 2007-07-18 13:22:19 21,312 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
+ 2008-04-20 11:36:44 22,336 ----a-w C:\WINDOWS\system32\drivers\avgntmgr.sys
- 2008-04-10 13:13:59 61,632 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2008-04-20 11:36:44 79,424 ----a-w C:\WINDOWS\system32\drivers\avipbb.sys
+ 2006-04-15 03:45:42 17,145 ----a-w C:\WINDOWS\system32\drivers\usbsf.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aror"="C:\WINDOWS\System32\SEMBLY~1\msdtc.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Documents and Settings\Me\Start Menu\Programs\CleanUp\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-20 12:36 262401]
"SsAAD.exe"="C:\PROGRA~1\SONICS~1\SsAAD.exe" [2005-01-24 19:58 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 03:41 13312]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-12-08 15:49:19 745472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\wmfhotfix.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Me\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aror]
C:\WINDOWS\System32\SEMBLY~1\msdtc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMefd81a7d]
C:\WINDOWS\System32\qjyelcrf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eceb29e1]
C:\WINDOWS\System32\mhwfyqfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qsb]
C:\Documents and Settings\Me\Application Data\?ppPatch\r?gsvr32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SNM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uxf]
C:\WINDOWS\system32\W?nSxS\n?pdb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMC_AutoUpdate]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{B2-29-94-4E-DW}]
--a------ 2008-02-14 15:42 49152 C:\WINDOWS\System32\gui4\cegmgr76.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SSScsiSV"=3 (0x3)
"SSDPSRV"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 18:02:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\wmfhotfix.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\System32\wmfhotfix.dll
.
Completion time: 2008-05-04 18:05:46
ComboFix-quarantined-files.txt 2008-05-04 17:04:39
ComboFix2.txt 2008-04-20 14:08:15
ComboFix3.txt 2008-04-18 10:23:32
ComboFix4.txt 2008-04-17 10:26:51
ComboFix5.txt 2008-04-16 09:02:36

Pre-Run: 10,259,759,104 bytes free
Post-Run: 10,252,234,752 bytes free

165
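As an added example, not from this thread and not part of ComboFix itself: a small parser for the "Files Created" block of a ComboFix log that clusters the same-sized, randomly named DLLs dropped into system32, which is the pattern visible in the log above. The sample lines are copied from that log; the 8-letter-name and equal created/modified timestamp heuristic is an assumption, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: rows in the ComboFix "Files Created" format, taken from
# the log posted above (one legitimate Windows Update DLL included for contrast).
SAMPLE_LOG = r"""
2008-04-15 13:31 . 2008-04-15 13:31 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-15 13:15 . 2008-04-15 13:15 53,312 --a------ C:\WINDOWS\system32\xxxqcoti.dll
2008-04-15 12:20 . 2008-04-15 12:20 53,312 --a------ C:\WINDOWS\system32\wuociiag.dll
2008-04-14 16:05 . 2008-04-14 16:05 53,312 --a------ C:\WINDOWS\system32\hqippisp.dll
2008-04-14 16:02 . 2008-04-14 16:02 53,312 --a------ C:\WINDOWS\system32\guqcelmp.dll
2008-04-11 14:51 . 2008-04-11 14:51 53,312 --a------ C:\WINDOWS\system32\rvlrtfop.dll
2008-04-15 14:10 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
"""

# created . modified size attributes path   (<DIR> rows have no numeric size)
LINE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) ([\d,]+) (\S+) (.+)$")


def parse_created(log_text):
    """Return (created, modified, size_bytes, attrs, path) for each file row."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and <DIR> rows are skipped
        created, modified, size, attrs, path = m.groups()
        rows.append((created, modified, int(size.replace(",", "")), attrs, path))
    return rows


def suspicious_dll_clusters(rows, min_cluster=2):
    """Group DLLs under system32 whose stem is 8 letters and whose created and
    modified stamps are identical (written in place, not copied from an older
    build), keyed by size. Several DLLs sharing one exact size is the Vundo-style
    pattern in the log above; the heuristic itself is an assumption."""
    by_size = defaultdict(list)
    for created, modified, size, _attrs, path in rows:
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith(".dll") or "\\system32\\" not in path.lower():
            continue
        stem = name[:-4]
        if len(stem) == 8 and stem.isalpha() and created == modified:
            by_size[size].append(name)
    return {s: names for s, names in by_size.items() if len(names) >= min_cluster}


if __name__ == "__main__":
    for size, names in suspicious_dll_clusters(parse_created(SAMPLE_LOG)).items():
        print(f"{size} bytes: {', '.join(names)}")
```

Run it against a full ComboFix log to get a shortlist of same-sized drops to check against the Reg Loading Points section; wucltui.dll is excluded because its modified stamp predates its creation on this machine.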
