Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


various possible infections, Vundo, zfsearch, others

  • Please log in to reply
8 replies to this topic

#1 dogfrankgeorge


  • Members
  • 5 posts
  • Local time:11:08 PM

Posted 10 January 2009 - 03:57 AM

OK, so I am stumped. For a long time, I have been able to solve my own problems, and I've been able to keep my PC relatively healthy. I run frequent scans using AdAware, Spybot, MalwareBytes, and even the Microsoft Malicious Software Removal Tool, though that one has never found anything. I also run BlackICE, TeaTimer, AVG, and PeerGuardian. I also don't use IE, preferring Firefox.

That being said, I've been having some issues that I can't seem to get under control. The first thing that I noticed was that explorer.exe would die, then restart, then die, over and over again until I just killed the process in Task Manager and ran anything I needed through taskman itself.

The second problem is that my browser seems incredibly slow most of the time, even over my 8mb connection and with most extensions disabled.

The third problem. which has only happened once or twice, is that I get obviously fake pop-ups advertising a bogus spyware remover that causes IE to open after I close the pop-up.

The fourth problem is sometime I just noticed, and that is that when I go to google, the status message at the bottom reads waiting for zfsearch.com before is says wating for google.com.

Here's what I've done so far.

I've run Spybot and Adaware full scans. They both detect various iterations of Vundo, Virtumonde, Smitfraud, and the usual cookies and temp files business. Also, same results with Malwarebytes. When attempting to remove or quarantine the results, some variation of 'need to reboot to finish removal' is stated, and then the scan on reboot fails to remove everything. The aforementioned Micrsoft MSR Tool finds nothing, as always.

I ran SmitFraudFix, ViewPointKiller, VirtimundoBeGone, VundoFix, and FixVundo. None of it has worked, with some removers saying it found and removed the results, and others saying it found nothing. Also, when I ran the Symantec tool, svchost dies about halfway through, every time, and I get a forced reboot because of it, reminiscent of the old Nimda virus. Which I don't have. Here is the line from the attached logfile which probably referenced this problem. "1/10/2009 12:36:32 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Reboot the machine) after the unexpected termination of the DCOM Server Process Launcher service (which is I believe svchost), but this action failed with the following error: The remote procedure call failed and did not execute."

I think that is everything so far. I haven't run HJT yet, as I don't understand the results I see in other forum posts, and I;ve never had a problem fixing anything before. Now I am ready for some help.

Oh, and I am on XP SP3 Enterprise Edition. Full admin access.

Here are the results from the DDS tool:

DDS (Ver_09-01-07.01) - NTFSx86
Run by ghost at 3:35:44.23 on Sat 01/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1367 [GMT -5:00]

AV: AVG 7.5.519 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: {A76489B1-E517-43C7-BA95-9C5CF4776B27} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: CoTGT_BHO Class: {c333cf63-767f-4831-94ac-e683d962c63c} - c:\program files\tgtsoft\stylexp\TGT_BHO.dll
uRun: [STYLEXP] c:\program files\tgtsoft\stylexp\StyleXP.exe -Hide
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Easy Synchronization] c:\program files\logitech\easy synchronization\LogitechEasySync.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [BootSkin Startup Jobs] "c:\program files\stardock\wincustomize\bootskin\BootSkin.exe" /StartupJobs
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\ghost\startm~1\programs\startup\shortc~1.lnk - c:\program files\ultramon\UltraMon.exe
StartupFolder: c:\docume~1\ghost\startm~1\programs\startup\stardo~1.lnk - c:\program files\stardock\objectdock\ObjectDock.exe
StartupFolder: c:\docume~1\ghost\startm~1\programs\startup\taskmgr.lnk - c:\windows\system32\taskmgr.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\blacki~1.lnk - c:\program files\iss\blackice\blackice.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoPrintSharing = 1 (0x1)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office12\REFIEBAR.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: geBrqpoo - geBrqpoo.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: wvuromj - wvuromj.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellExecuteHook class: {fe24cd78-7c63-465d-8787-4edf7fc79895} - c:\program files\logitech\easy synchronization\shellexecutehook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ghost\applic~1\mozilla\firefox\profiles\d8e9b1f5.default\
FF - prefs.js: browser.startup.homepage - file:///C:/Documents%20and%20Settings/ghost/My%20Documents/HomePages/homepage.html
FF - component: c:\documents and settings\ghost\application data\mozilla\firefox\profiles\d8e9b1f5.default\extensions\ubiquity@labs.mozilla.com\platform\winnt_x86-msvc\components\ubiquity.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {9D585F6A-5486-45D8-BAEA-ACA6BDE0962C} - c:\windows\system32\config\systemprofile\local settings\application data\{9d585f6a-5486-45d8-baea-aca6bde0962c}\

============= SERVICES / DRIVERS ===============

R0 hptpro;hptpro;c:\windows\system32\drivers\hptpro.sys [2003-1-27 9809]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-6-14 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-6-14 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-6-14 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-6-14 10760]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 black;black;c:\windows\system32\drivers\blackdrv.sys [2007-1-2 229331]
R4 BlackICE;BlackICE;c:\program files\iss\blackice\blackd.exe [2007-1-23 1229430]
R4 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
S0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys --> c:\windows\system32\drivers\motodrv.sys [?]
S3 RapDrv;RapDrv;c:\windows\system32\drivers\RapDrv.sys [2007-1-23 104968]
S3 RapFile;RapFile;c:\windows\system32\drivers\RapFile.sys [2007-1-2 36644]
S3 RapNet;RapNet;c:\windows\system32\drivers\RapNet.sys [2007-1-2 24344]
S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-6-14 418816]
S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-6-14 49664]

============== File Associations ===============


=============== Created Last 30 ================

2009-01-09 22:24 2,590 a------- c:\windows\system32\tmp.reg
2009-01-09 21:07 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-09 20:51 52,224 a------- c:\windows\system32\wvUkJaaa.dll.vir
2008-12-28 16:46 <DIR> --d----- C:\VundoFix Backups
2008-12-28 16:00 <DIR> --d----- c:\docume~1\ghost\applic~1\Malwarebytes
2008-12-28 15:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-28 15:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 15:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 15:59 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2008-12-24 08:00 441 a------- c:\windows\system32\TDSSwupe.dat

==================== Find3M ====================

2008-12-01 04:35 97,947 a------- c:\windows\War3Unin.dat
2008-11-29 17:58 82,944 a------- c:\windows\system32\IEDFix.C.exe
2008-11-05 20:00 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-27 02:40 491,520 a------- c:\windows\system32\FMLogin.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-08-11 05:35 81,920 a------- c:\docume~1\ghost\applic~1\ezpinst.exe
2007-08-11 05:35 47,360 a------- c:\docume~1\ghost\applic~1\pcouffin.sys
2007-05-01 03:27 92,064 a------- c:\documents and settings\ghost\mqdmmdm.sys
2007-05-01 03:27 79,328 a------- c:\documents and settings\ghost\mqdmserd.sys
2007-05-01 03:27 66,656 a------- c:\documents and settings\ghost\mqdmbus.sys
2007-05-01 03:27 25,600 a------- c:\documents and settings\ghost\usbsermptxp.sys
2007-05-01 03:27 22,768 a------- c:\documents and settings\ghost\usbsermpt.sys
2007-05-01 03:27 9,232 a------- c:\documents and settings\ghost\mqdmmdfl.sys
2007-05-01 03:27 6,208 a------- c:\documents and settings\ghost\mqdmcmnt.sys
2007-05-01 03:27 5,936 a------- c:\documents and settings\ghost\mqdmwhnt.sys
2007-05-01 03:27 4,048 a------- c:\documents and settings\ghost\mqdmcr.sys
2006-06-25 23:11 119,808 a------- c:\program files\winmineXP.exe
2006-03-20 04:27 0 ac--h--- c:\program files\AppUpdate.log
2001-11-23 07:08 712,704 a------- c:\windows\inf\other\AUDIO3D.DLL
2007-07-30 03:56 8 ---shr-- c:\windows\system32\1F6981B75D.sys
2007-07-30 03:56 12,208 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-02-05 08:36 0 a--sh--- c:\windows\system32\taskkill.com
2008-07-13 06:10 32,768 a--sh--- c:\windows\temp\cookies\index.dat
2008-07-13 06:10 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-07-13 06:10 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 3:36:39.31 ===============

Thanks for any help you can provide.

Attached Files

Edited by dogfrankgeorge, 10 January 2009 - 04:08 AM.

BC AdBot (Login to Remove)


#2 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:06:08 AM

Posted 10 January 2009 - 10:52 AM

Hello Dogfrankgeorge and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please download ComboFix from one of the locations below, and save it to your Desktop.


Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Whatever happens, make believe it was intended to ...
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 dogfrankgeorge

  • Topic Starter

  • Members
  • 5 posts
  • Local time:11:08 PM

Posted 10 January 2009 - 01:09 PM

I followed your instructions. I should note the one issue; when I ran ComboFix, it told me that AVG resident scanning was enabled, and that I should turn it off. I did, and got the same error again. Couldn't find anywhere else to disable it, so I let ComboFix run. Didn't seem to effect anything. Here are the logfiles;

from GooredFix:

GooredFix v1.8 by jpshortstuff
Log created at 12:17 on 10/01/2009 running Option #2 (ghost)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

"{9D585F6A-5486-45D8-BAEA-ACA6BDE0962C}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{9D585F6A-5486-45D8-BAEA-ACA6BDE0962C}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{9D585F6A-5486-45D8-BAEA-ACA6BDE0962C}\
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Failed.
->Delete on reboot... Set.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


from ComboFix:

ComboFix 09-01-09.03 - ghost 2009-01-10 12:45:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1951 [GMT -5:00]
Running from: E:\Torrents\ComboFix.exe
AV: AVG 7.5.519 *On-access scanning enabled* (Outdated)

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\ghost\Local Settings\Temporary Internet Files\BMS3 Winnable Game Response.txt
C:\Documents and Settings\ghost\Local Settings\Temporary Internet Files\fbk.sts
C:\Program Files\outlook

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))

2009-01-09 21:07 . 2009-01-09 21:07 73,216 --a------ C:\WINDOWS\system32\ffkuz.dll
2008-12-28 16:46 . 2008-12-28 16:46 <DIR> d-------- C:\VundoFix Backups
2008-12-28 16:00 . 2008-12-28 16:00 <DIR> d-------- C:\Documents and Settings\ghost\Application Data\Malwarebytes
2008-12-28 15:59 . 2009-01-10 05:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-28 15:59 . 2008-12-28 15:59 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-12-28 15:59 . 2009-01-04 18:38 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-12-28 15:59 . 2009-01-04 18:38 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-12-21 17:12 . 2008-12-21 17:12 <DIR> d-------- C:\Documents and Settings\ghost\Application Data\SecondLife
2008-12-13 00:12 . 2008-12-13 00:12 <DIR> d-------- C:\Documents and Settings\ghost\Application Data\Viewpoint
2008-12-11 01:20 . 2008-10-23 07:36 286,720 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-01-10 17:31 --------- d-----w C:\Program Files\PeerGuardian2
2009-01-10 14:17 --------- d-----w C:\Documents and Settings\ghost\Application Data\Azureus
2008-12-28 21:56 --------- d-----w C:\Documents and Settings\ghost\Application Data\AVG7
2008-12-28 18:22 --------- d-----w C:\Program Files\iPod Access for Windows
2008-12-14 13:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-12-11 13:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-12-06 11:49 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL OCP
2008-12-06 11:48 --------- d-----w C:\Program Files\AIM6
2008-12-06 11:48 --------- d-----w C:\Documents and Settings\ghost\Application Data\acccore
2008-12-06 11:47 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\acccore
2008-12-06 11:46 --------- d-----w C:\Program Files\Common Files\AOL
2008-12-06 11:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL
2008-12-06 11:45 --------- d-----w C:\Program Files\AIM95
2008-12-05 02:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-12-04 21:35 --------- d-----w C:\Program Files\Azureus
2008-11-30 13:34 --------- d-----w C:\Program Files\FrontMotion Login
2008-11-10 05:29 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Azureus
2007-08-11 10:35 81,920 ----a-w C:\Documents and Settings\ghost\Application Data\ezpinst.exe
2007-08-11 10:35 47,360 ----a-w C:\Documents and Settings\ghost\Application Data\pcouffin.sys
2007-05-01 08:27 92,064 ----a-w C:\Documents and Settings\ghost\mqdmmdm.sys
2007-05-01 08:27 9,232 ----a-w C:\Documents and Settings\ghost\mqdmmdfl.sys
2007-05-01 08:27 79,328 ----a-w C:\Documents and Settings\ghost\mqdmserd.sys
2007-05-01 08:27 66,656 ----a-w C:\Documents and Settings\ghost\mqdmbus.sys
2007-05-01 08:27 6,208 ----a-w C:\Documents and Settings\ghost\mqdmcmnt.sys
2007-05-01 08:27 5,936 ----a-w C:\Documents and Settings\ghost\mqdmwhnt.sys
2007-05-01 08:27 4,048 ----a-w C:\Documents and Settings\ghost\mqdmcr.sys
2007-05-01 08:27 25,600 ----a-w C:\Documents and Settings\ghost\usbsermptxp.sys
2007-05-01 08:27 22,768 ----a-w C:\Documents and Settings\ghost\usbsermpt.sys
2006-06-26 04:11 119,808 ----a-w C:\Program Files\winmineXP.exe
2006-03-20 09:27 0 -c-ha-w C:\Program Files\AppUpdate.log
2007-07-30 08:56 8 --sh--r C:\WINDOWS\system32\1F6981B75D.sys
2007-07-30 08:56 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

That's it... what do you make of that?

also, after running these fixers, I now have an unfamiliar process running: wscntfy.exe

Attached Files

Edited by dogfrankgeorge, 10 January 2009 - 01:11 PM.

#4 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:06:08 AM

Posted 10 January 2009 - 02:00 PM

Hello Dogfrankgeorge,

The ComboFix log you posted is incomplete.

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:File::

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

Whatever happens, make believe it was intended to ...
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 dogfrankgeorge

  • Topic Starter

  • Members
  • 5 posts
  • Local time:11:08 PM

Posted 10 January 2009 - 02:30 PM

I thought it might be incomplete... the process hung when it got to the 'building logfile' stage, and then quit without warning after about 20 min. I will do as you said in the most recent reply and post the results. THanks.

#6 dogfrankgeorge

  • Topic Starter

  • Members
  • 5 posts
  • Local time:11:08 PM

Posted 10 January 2009 - 02:46 PM

I did as you said.

ComboFix hung after Stage 50. I have attached a screen cap of the program at that point. I have also attached the new DDS log files.

I should also note that after running your first set of instructions, browser performance seemed to improve a great deal. Hopefully that's due to the fix and not my imagination, or some other factor.


Attached Files

Edited by dogfrankgeorge, 10 January 2009 - 02:49 PM.

#7 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:06:08 AM

Posted 11 January 2009 - 06:27 AM

Hello Dogfrankgeorge,

Please delete your current ComboFix copy from your desktop,
and download the latest version.
That one should run to completion without any problems. :thumbsup:

Whatever happens, make believe it was intended to ...
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Stand Up & Be Counted --> Posted Image <-- And make a difference

#8 dogfrankgeorge

  • Topic Starter

  • Members
  • 5 posts
  • Local time:11:08 PM

Posted 11 January 2009 - 09:17 AM

Do you have a link for the most recent version? The links you posted above don't state which versions they are.


#9 Thunder


  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:06:08 AM

Posted 11 January 2009 - 12:38 PM

Hello Dogfrankgeorge,

If you re-download it, you'll automatically obtain the updated version. :thumbsup:

Whatever happens, make believe it was intended to ...
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Stand Up & Be Counted --> Posted Image <-- And make a difference

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users