
Infected system?
3 replies to this topic

#1 smgerg (Members, 2 posts)

Posted 13 March 2009 - 09:31 AM

My computer was crashing and was running kinda slow. I scanned my computer with Piriform CCleaner and fixed a few problems. I also ran multiple virus and malware scans. No real threats showed up until I scanned it with Prevx CSI. It said that there was a high risk worm with the name "c:\windows\obibequbefovah.dll". It also said I had an infected entry: [Axuqali] with the name "\REGISTRY\Machine\Software\Microsoft\Windows\CurrentVersion\Run". Please help me get rid of whatever these are!!!

P.S. I just ran the CCleaner Startup tool, and it said that
rundll.exe "c:\Windows\obibequbefovah.dll" and rundll.exe "C:\Windows\ukogoxutuxu.dll" were starting up if that helps...



DDS (Ver_09-02-01.01) - NTFSx86
Run by shawn at 8:53:14.85 on Fri 03/13/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.151 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Prevx\prevx.exe
C:\Documents and Settings\shawn\My Documents\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell.com
mSearch Page =
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {EEE6C35B-6118-11DC-9C72-001320C79847} - No File
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [Axuqali] rundll32.exe "c:\windows\Obibequbefovah.dll",e
mRun: [Rxobataga] rundll32.exe "c:\windows\ukogoxutuxu.dll",e
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: stumbleupon.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - hxxps://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_premium.pl?1&4&04.00.09.13&premium&unknown&http://gstadmin.com/ViewPoint2/RAV4_Exterior_360/index.html?noreloadredir
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by144fd.bay144.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\ieakui32.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shawn\applic~1\mozilla\firefox\profiles\z2yx1x02.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - component: c:\documents and settings\shawn\application data\mozilla\firefox\profiles\z2yx1x02.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: XUL Cache: {E520DDE7-4736-48B2-8B7E-A1EE2CAE0C32} - c:\documents and settings\shawn\local settings\application data\{E520DDE7-4736-48B2-8B7E-A1EE2CAE0C32}

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-3 130424]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-3-13 22536]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-3-13 4150840]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-3 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-3 1095560]
S3 wsvad_driver;Daniusoft Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2008-9-17 20608]

=============== Created Last 30 ================

2009-03-13 08:36 22,536 a------- c:\windows\system32\drivers\pxscan.sys
2009-03-13 08:35 <DIR> --d----- c:\program files\Prevx
2009-03-13 08:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2009-03-13 08:11 <DIR> --d----- c:\program files\CCleaner
2009-03-13 08:03 <DIR> --d----- c:\docume~1\shawn\applic~1\Uniblue
2009-03-13 08:03 <DIR> --d----- c:\program files\Uniblue
2009-03-13 08:02 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-03-10 21:15 <DIR> --d----- c:\program files\Cobian Backup 9
2009-03-10 18:31 <DIR> --d----- c:\windows\system32\scripting
2009-03-10 18:31 <DIR> --d----- c:\windows\l2schemas
2009-03-10 18:31 <DIR> --d----- c:\windows\system32\en
2009-03-10 18:31 <DIR> --d----- c:\windows\system32\bits
2009-03-10 18:28 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-10 18:13 <DIR> --d----- c:\windows\EHome
2009-03-10 08:47 <DIR> --d----- c:\docume~1\shawn\applic~1\HouseCall 6.6
2009-03-09 20:31 102,664 -------- c:\windows\system32\drivers\tmcomm.sys
2009-03-09 20:26 <DIR> --d----- c:\documents and settings\shawn\.housecall6.6
2009-03-06 21:43 32,768 -------- c:\windows\system32\setupn.exe
2009-03-06 21:42 37,376 -------- c:\windows\system32\l2gpstore.dll
2009-03-06 21:41 15,423 -------- c:\windows\system32\drivers\ch7xxnt5.dll
2009-03-03 03:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-03 03:15 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-03 03:15 <DIR> --d----- c:\docume~1\shawn\applic~1\SUPERAntiSpyware.com
2009-03-03 02:32 159,600 -------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-03 02:31 130,424 -------- c:\windows\system32\drivers\PCTCore.sys
2009-03-03 02:31 73,840 -------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-03 02:31 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-03 02:31 64,392 -------- c:\windows\system32\drivers\pctplsg.sys
2009-03-03 02:31 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-03 02:31 <DIR> --d----- c:\docume~1\shawn\applic~1\PC Tools
2009-03-03 02:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-03 02:19 134,144 -------- c:\windows\ukogoxutuxu.dll
2009-03-03 02:10 <DIR> --d----- c:\program files\Norton Security Scan
2009-03-03 02:07 43,520 -------- c:\windows\Obibequbefovah.dll
2009-03-01 19:30 <DIR> --d----- c:\program files\GameSpy Arcade
2009-03-01 19:26 <DIR> --d----- c:\program files\Microsoft Games
2009-02-26 18:40 0 -------- c:\windows\win.ini
2009-02-26 18:38 <DIR> --d----- c:\windows\pss
2009-02-26 18:06 <DIR> --d----- c:\documents and settings\shawn\Tracing
2009-02-26 18:04 <DIR> --d----- c:\program files\Microsoft
2009-02-26 18:03 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-02-26 17:46 <DIR> --d----- c:\program files\common files\Windows Live
2009-02-26 13:32 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-26 13:32 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2009-02-26 13:32 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-26 13:32 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2009-02-26 04:08 32,218 -----r-- c:\windows\system32\HSFCI008.dll
2009-02-26 04:08 <DIR> --d----- c:\program files\CONEXANT
2009-02-26 04:08 1,042,816 -----r-- c:\windows\system32\drivers\HSF_DP.sys
2009-02-26 04:08 679,808 -----r-- c:\windows\system32\drivers\HSF_CNXT.sys
2009-02-26 04:08 197,120 -----r-- c:\windows\system32\drivers\HSFHWICH.sys
2009-02-26 04:08 90,112 -----r-- c:\windows\system32\mdmxsdk.dll
2009-02-26 04:08 11,043 -----r-- c:\windows\system32\drivers\mdmxsdk.sys
2009-02-26 04:07 23,392 -------- c:\windows\system32\nscompat.tlb
2009-02-26 04:07 16,832 -------- c:\windows\system32\amcompat.tlb
2009-02-26 01:54 9,446 -------- c:\windows\GnuHashes.ini
2009-02-26 01:46 <DIR> --dsh--- c:\windows\system32\LocalService32
2009-02-26 01:46 1,404 ---sh--- c:\windows\system32\GroupPolicy000.dat
2009-02-26 01:32 <DIR> --d----- c:\program files\Incomplete
2009-02-26 01:27 <DIR> --d----- c:\docume~1\shawn\applic~1\LimeWire
2009-02-25 22:16 410,984 -------- c:\windows\system32\deploytk.dll
2009-02-25 22:16 73,728 -------- c:\windows\system32\javacpl.cpl
2009-02-25 21:48 <DIR> --d----- c:\program files\Bonjour
2009-02-25 21:11 666 -------- c:\windows\VisualTooltip.ini
2009-02-25 17:35 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-24 17:25 54,689 -------- c:\windows\system32\VIPicon.ico
2009-02-24 17:25 138 -------- c:\windows\system32\VIPuninstall.bat
2009-02-24 17:25 8,231,936 -------- c:\windows\system32\wmploc.backup
2009-02-24 17:25 105,984 -------- c:\windows\system32\url.backup
2009-02-24 17:25 1,498,112 -------- c:\windows\system32\shdocvw.backup
2009-02-24 17:25 1,022,976 -------- c:\windows\system32\browseui.backup
2009-02-24 17:25 1,831,424 -------- c:\windows\system32\inetcpl.backup
2009-02-24 17:23 32,256 -------- c:\windows\system32\wupdmgr.backup
2009-02-24 17:22 8,460,288 -------- c:\windows\system32\shell32.backup
2009-02-24 17:21 187,904 -------- c:\windows\system32\main.backup
2009-02-24 17:20 220,672 -------- c:\windows\system32\logon.backup
2009-02-24 17:20 54,784 -------- c:\windows\system32\icmui.backup
2009-02-24 17:20 64,000 -------- c:\windows\system32\cleanmgr.backup
2009-02-24 17:20 563,912 -------- c:\windows\system32\wuapi.backup
2009-02-24 17:20 68,608 -------- c:\windows\system32\access.backup
2009-02-24 17:20 135,680 -------- c:\windows\system32\taskmgr.backup
2009-02-24 17:20 298,496 -------- c:\windows\system32\sysdm.backup
2009-02-24 17:20 657,920 -------- c:\windows\system32\rasdlg.backup
2009-02-24 17:20 163,840 -------- c:\windows\system32\credui.backup
2009-02-24 17:20 983,552 -------- c:\windows\system32\setupapi.backup
2009-02-24 17:20 343,040 -------- c:\windows\system32\cmdial32.backup
2009-02-24 17:20 10,752 -------- c:\windows\hh.backup
2009-02-24 17:15 65,536 -------- c:\windows\system32\vbalProgBar6.ocx
2009-02-24 17:15 96 -------- c:\windows\docs.ini
2009-02-24 17:14 <DIR> --d----- c:\windows\VIPv3

==================== Find3M ====================

2009-03-12 03:09 96,384 a------- c:\windows\system32\drivers\sptd3549.sys
2009-03-10 18:35 77,899 -------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-06 15:54 2,343,424 -------- c:\windows\system32\TUKernel.exe
2009-03-03 20:02 4,456 -------- c:\windows\system32\d3d9caps.dat
2009-02-26 17:44 55,736 ----h--- c:\windows\system32\mlfcache.dat
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 19:52 49,504 -------- c:\windows\system32\sirenacm.dll
2006-08-08 21:27 5,895,389 -------- c:\program files\PartyPokerSetup.exe
2007-03-01 23:24 104 -c-shr-- c:\windows\system32\19C19C8F19.sys
2007-03-14 02:22 56 ---shr-- c:\windows\system32\5B3373922A.sys
2007-04-13 20:18 7,050 -c-sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 8:53:59.38 ===============

Attached File: Attach.txt (6.54KB)
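Three patterns in the DDS report above are the ones a responder would pull out first: two Run-key entries that start rundll32 on a DLL dropped directly into c:\windows (not system32) and call a one-letter export (",e"); an AppInit_DLLs value, which is empty on a default XP install and, when set, names a DLL that gets loaded into every process that links user32.dll; and a Firefox extension registered machine-wide from a GUID-named folder inside the user's Local Settings\Application Data (the entry GooredFix removes later in the thread). The script below is an added example, not part of the original post and not code from DDS or BleepingComputer; the heuristics and the Finding structure are my own, and the input lines are copied from the log above. It turns those three patterns into a repeatable triage over DDS-format lines, which is more than the thread's manual reading shows. The output is a list of leads to investigate, not verdicts: vendor software occasionally drops files in the Windows root too.

```python
"""Triage a DDS 'Pseudo HJT Report' for the autostart patterns seen above.

Added example; not a DDS, BleepingComputer or Prevx component.  The three
heuristics (rundll32 on a Windows-root DLL, any AppInit_DLLs value, a hidden
Firefox extension living in a GUID-named profile folder) are this example's own.
"""
import ntpath
import re
from dataclasses import dataclass

# Lines copied from the DDS log posted in this thread (not constructed).
DDS_EXCERPT = [
    r'mRun: [Apoint] c:\program files\apoint\Apoint.exe',
    r'mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY',
    r'mRun: [Axuqali] rundll32.exe "c:\windows\Obibequbefovah.dll",e',
    r'mRun: [Rxobataga] rundll32.exe "c:\windows\ukogoxutuxu.dll",e',
    r'AppInit_DLLs: c:\windows\system32\ieakui32.dll',
    r'FF - HiddenExtension: XUL Cache: {E520DDE7-4736-48B2-8B7E-A1EE2CAE0C32} - c:\documents and settings\shawn\local settings\application data\{E520DDE7-4736-48B2-8B7E-A1EE2CAE0C32}',
    r'Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll',
]

RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S+))?', re.I)
APPINIT_RE = re.compile(r'^AppInit_DLLs: (?P<dlls>.+)$')
GUID = (r'\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-'
        r'[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}')
HIDDEN_EXT_RE = re.compile(
    r'^FF - HiddenExtension: .*?: (?P<id>' + GUID + r') - (?P<path>.+)$')
GUID_RE = re.compile('^' + GUID + '$')
PROFILE_LOCAL = '\\local settings\\application data\\'


@dataclass(frozen=True)
class Finding:
    kind: str    # 'run-key', 'appinit' or 'firefox-ext'
    name: str    # Run value name, registry value, or extension id
    path: str    # file or folder the entry points at
    reason: str


def in_windows_root(path):
    """True when the file sits directly in <drive>:\\windows (not a subfolder)."""
    parent = ntpath.dirname(path.lower().rstrip('\\'))
    return ntpath.splitdrive(parent)[1] == '\\windows'


def triage(lines):
    """Return the Findings for a list of DDS pseudo-HJT lines, in log order."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m['cmd'])
            if r and in_windows_root(r['dll']):
                findings.append(Finding(
                    'run-key', m['name'], r['dll'],
                    'rundll32 loads a DLL from the Windows root, export %r'
                    % (r['export'] or '')))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in m['dlls'].split(','):
                findings.append(Finding(
                    'appinit', 'AppInit_DLLs', dll.strip(),
                    'loaded into every user32 process; empty on a default XP install'))
            continue
        m = HIDDEN_EXT_RE.match(line)
        if m:
            p = m['path']
            if GUID_RE.match(ntpath.basename(p)) and PROFILE_LOCAL in p.lower():
                findings.append(Finding(
                    'firefox-ext', m['id'], p,
                    'hidden extension registered from a GUID-named profile folder'))
    return findings


if __name__ == '__main__':
    for f in triage(DDS_EXCERPT):
        print('%-12s %-40s %s\n             %s' % (f.kind, f.name, f.path, f.reason))
```

Running it against the excerpt reports Axuqali and Rxobataga (both rundll32 on a Windows-root DLL), the AppInit_DLLs value, and the hidden extension, while Apoint, WLTRAY and the SUPERAntiSpyware Notify entry pass through untouched. Feed it the full report by splitting the log on newlines.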

#2 Thunder (Members, 3,294 posts, Belgium)

Posted 14 March 2009 - 04:14 PM

Hello smgerg and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#3 smgerg (Topic Starter, Members, 2 posts)

Posted 16 March 2009 - 06:26 PM

GooredFix v1.92 by jpshortstuff
Log created at 17:49 on 16/03/2009 running Option #2 (shawn)
Firefox version 3.0.7 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{E520DDE7-4736-48B2-8B7E-A1EE2CAE0C32}"="C:\Documents and Settings\shawn\Local Settings\Application Data\{E520DDE7-4736-48B2-8B7E-A1EE2CAE0C32}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\shawn\Local Settings\Application Data\{E520DDE7-4736-48B2-8B7E-A1EE2CAE0C32}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"






ComboFix 09-03-15.01 - shawn 2009-03-16 18:02:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.261 [GMT -5:00]
Running from: c:\documents and settings\shawn\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\shawn\Application Data\0200000026317ffe530C.manifest
c:\documents and settings\shawn\Application Data\0200000026317ffe530O.manifest
c:\documents and settings\shawn\Application Data\0200000026317ffe530P.manifest
c:\documents and settings\shawn\Application Data\0200000026317ffe530S.manifest
c:\recycler\ADAPT_Installer.exe
c:\windows\GnuHashes.ini
c:\windows\Obibequbefovah.dll
c:\windows\system32\GroupPolicy000.dat

.
((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-14 01:18 . 2009-03-14 01:18 37,808 --a------ c:\windows\enuvoqulic.dll
2009-03-13 08:36 . 2009-03-13 08:36 22,536 --a------ c:\windows\system32\drivers\pxscan.sys
2009-03-13 08:35 . 2009-03-13 08:35 <DIR> d-------- c:\program files\Prevx
2009-03-13 08:35 . 2009-03-13 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-03-13 08:11 . 2009-03-13 08:11 <DIR> d-------- c:\program files\CCleaner
2009-03-13 08:03 . 2009-03-13 08:03 <DIR> d-------- c:\program files\Uniblue
2009-03-13 08:03 . 2009-03-13 08:03 <DIR> d-------- c:\documents and settings\shawn\Application Data\Uniblue
2009-03-13 08:02 . 2009-03-13 08:03 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-03-10 21:15 . 2009-03-10 21:16 <DIR> d-------- c:\program files\Cobian Backup 9
2009-03-10 18:31 . 2009-03-10 18:31 <DIR> d-------- c:\windows\system32\scripting
2009-03-10 18:31 . 2009-03-10 18:31 <DIR> d-------- c:\windows\system32\en
2009-03-10 18:31 . 2009-03-10 18:31 <DIR> d-------- c:\windows\system32\bits
2009-03-10 18:31 . 2009-03-10 18:31 <DIR> d-------- c:\windows\l2schemas
2009-03-10 18:28 . 2009-03-10 18:32 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-10 18:13 . 2009-03-10 18:13 <DIR> d-------- c:\windows\EHome
2009-03-10 08:47 . 2009-03-10 21:11 <DIR> d-------- c:\documents and settings\shawn\Application Data\HouseCall 6.6
2009-03-09 20:31 . 2009-03-09 20:26 102,664 --------- c:\windows\system32\drivers\tmcomm.sys
2009-03-09 20:26 . 2009-03-09 23:17 <DIR> d-------- c:\documents and settings\shawn\.housecall6.6
2009-03-06 21:43 . 2008-04-13 19:12 1,737,856 --------- c:\windows\system32\mtxparhd.dll
2009-03-06 21:42 . 2004-08-03 23:41 1,041,536 --------- c:\windows\system32\drivers\hsfdpsp2.sys
2009-03-06 21:41 . 2008-04-13 19:11 870,784 --------- c:\windows\system32\ati3d1ag.dll
2009-03-03 19:48 . 2009-03-03 19:48 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-03-03 03:16 . 2009-03-03 03:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-03 03:15 . 2009-03-03 03:15 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-03 03:15 . 2009-03-03 03:15 <DIR> d-------- c:\documents and settings\shawn\Application Data\SUPERAntiSpyware.com
2009-03-03 02:32 . 2008-12-11 09:38 159,600 --------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-03 02:31 . 2009-03-03 02:46 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-03 02:31 . 2009-03-03 02:46 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-03 02:31 . 2009-03-03 02:31 <DIR> d-------- c:\documents and settings\shawn\Application Data\PC Tools
2009-03-03 02:31 . 2009-03-03 02:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-03 02:31 . 2009-02-23 11:11 130,424 --------- c:\windows\system32\drivers\PCTCore.sys
2009-03-03 02:31 . 2008-12-18 13:16 73,840 --------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-03 02:31 . 2008-12-10 13:36 64,392 --------- c:\windows\system32\drivers\pctplsg.sys
2009-03-03 02:19 . 2009-03-03 02:19 134,144 --------- c:\windows\ukogoxutuxu.dll
2009-03-03 02:10 . 2009-03-13 15:00 <DIR> d-------- c:\program files\Norton Security Scan
2009-03-01 19:30 . 2009-03-01 19:30 <DIR> d-------- c:\program files\GameSpy Arcade
2009-03-01 19:26 . 2009-03-01 19:26 <DIR> d-------- c:\program files\Microsoft Games
2009-02-26 18:40 . 2009-02-26 18:40 0 --------- c:\windows\win.ini
2009-02-26 18:06 . 2009-02-26 18:54 <DIR> d-------- c:\documents and settings\shawn\Tracing
2009-02-26 18:04 . 2009-02-26 18:04 <DIR> d-------- c:\program files\Microsoft
2009-02-26 18:03 . 2009-02-26 18:03 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-02-26 17:46 . 2009-02-26 17:46 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-26 13:32 . 2008-12-12 12:01 3,067,904 --------- c:\windows\system32\dllcache\mshtml.dll
2009-02-26 13:32 . 2008-10-15 20:00 1,499,136 --------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-26 13:32 . 2008-10-15 20:00 666,112 --------- c:\windows\system32\dllcache\wininet.dll
2009-02-26 13:32 . 2008-10-15 20:00 619,520 --------- c:\windows\system32\dllcache\urlmon.dll
2009-02-26 04:08 . 2009-02-26 04:08 <DIR> d-------- c:\program files\CONEXANT
2009-02-26 04:08 . 2003-11-14 01:17 1,042,816 -r------- c:\windows\system32\drivers\HSF_DP.sys
2009-02-26 04:08 . 2003-11-14 01:18 679,808 -r------- c:\windows\system32\drivers\HSF_CNXT.sys
2009-02-26 04:08 . 2003-11-14 01:21 197,120 -r------- c:\windows\system32\drivers\HSFHWICH.sys
2009-02-26 04:08 . 2003-04-09 20:01 90,112 -r------- c:\windows\system32\mdmxsdk.dll
2009-02-26 04:08 . 2003-11-05 22:02 32,218 -r------- c:\windows\system32\HSFCI008.dll
2009-02-26 04:08 . 2003-04-09 19:48 11,043 -r------- c:\windows\system32\drivers\mdmxsdk.sys
2009-02-26 04:07 . 2009-02-26 04:07 23,392 --------- c:\windows\system32\nscompat.tlb
2009-02-26 04:07 . 2009-02-26 04:07 16,832 --------- c:\windows\system32\amcompat.tlb
2009-02-26 01:46 . 2009-03-10 15:51 <DIR> d--hs---- c:\windows\system32\LocalService32
2009-02-26 01:32 . 2009-02-26 17:16 <DIR> d-------- c:\program files\Incomplete
2009-02-26 01:27 . 2009-02-27 22:58 <DIR> d-------- c:\documents and settings\shawn\Application Data\LimeWire
2009-02-25 22:16 . 2009-02-25 22:16 410,984 --------- c:\windows\system32\deploytk.dll
2009-02-25 22:16 . 2009-02-25 22:16 73,728 --------- c:\windows\system32\javacpl.cpl
2009-02-25 21:48 . 2009-02-25 21:48 <DIR> d-------- c:\program files\Bonjour
2009-02-25 21:11 . 2009-02-25 21:11 666 --------- c:\windows\VisualTooltip.ini
2009-02-25 17:35 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2009-02-24 17:25 . 2006-10-18 21:47 8,231,936 --------- c:\windows\system32\wmploc.backup
2009-02-24 17:25 . 2008-08-26 02:24 1,831,424 --------- c:\windows\system32\inetcpl.backup
2009-02-24 17:25 . 2007-06-15 03:12 1,498,112 --------- c:\windows\system32\shdocvw.backup
2009-02-24 17:25 . 2007-06-15 03:12 1,022,976 --------- c:\windows\system32\browseui.backup
2009-02-24 17:25 . 2008-08-26 02:24 105,984 --------- c:\windows\system32\url.backup
2009-02-24 17:25 . 2006-06-14 22:29 54,689 --------- c:\windows\system32\VIPicon.ico
2009-02-24 17:25 . 2006-08-02 16:01 138 --------- c:\windows\system32\VIPuninstall.bat
2009-02-24 17:23 . 2004-08-04 06:00 2,897,920 --------- c:\windows\system32\xpsp2res.backup
2009-02-24 17:22 . 2007-10-25 22:34 8,460,288 --------- c:\windows\system32\shell32.backup
2009-02-24 17:21 . 2008-08-27 03:24 3,593,216 --------- c:\windows\system32\mshtml.backup
2009-02-24 17:20 . 2004-08-04 06:00 983,552 --------- c:\windows\system32\setupapi.backup
2009-02-24 17:20 . 2004-08-04 06:00 657,920 --------- c:\windows\system32\rasdlg.backup
2009-02-24 17:20 . 2008-07-18 22:09 563,912 --------- c:\windows\system32\wuapi.backup
2009-02-24 17:20 . 2004-08-04 06:00 343,040 --------- c:\windows\system32\cmdial32.backup
2009-02-24 17:20 . 2004-08-04 06:00 298,496 --------- c:\windows\system32\sysdm.backup
2009-02-24 17:20 . 2004-08-04 06:00 220,672 --------- c:\windows\system32\logon.backup
2009-02-24 17:20 . 2004-08-04 06:00 163,840 --------- c:\windows\system32\credui.backup
2009-02-24 17:20 . 2004-08-04 06:00 135,680 --------- c:\windows\system32\taskmgr.backup
2009-02-24 17:20 . 2004-08-04 06:00 68,608 --------- c:\windows\system32\access.backup
2009-02-24 17:20 . 2004-08-04 06:00 64,000 --------- c:\windows\system32\cleanmgr.backup
2009-02-24 17:20 . 2004-08-04 06:00 54,784 --------- c:\windows\system32\icmui.backup
2009-02-24 17:20 . 2005-05-26 18:22 10,752 --------- c:\windows\hh.backup
2009-02-24 17:15 . 2003-06-22 13:31 65,536 --------- c:\windows\system32\vbalProgBar6.ocx
2009-02-24 17:15 . 2006-08-16 00:19 97 --------- c:\documents and settings\win.ini
2009-02-24 17:15 . 2006-08-16 00:21 96 --------- c:\windows\docs.ini
2009-02-24 17:14 . 2009-02-24 18:12 <DIR> d-------- c:\windows\VIPv3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 20:01 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-12 08:09 96,384 ----a-w c:\windows\system32\drivers\sptd3549.sys
2009-03-03 08:14 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-03 08:06 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 23:03 --------- d-----w c:\program files\Windows Live
2009-02-26 03:16 --------- d-----w c:\program files\Java
2009-02-26 02:52 --------- d-----w c:\documents and settings\shawn\Application Data\Apple Computer
2009-02-26 02:51 --------- d-----w c:\program files\Safari
2009-02-26 02:39 --------- d-----w c:\program files\Yahoo!
2009-02-26 02:34 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-26 02:17 --------- d-----w c:\program files\Common Files\Real
2009-02-26 02:16 --------- d-----w c:\program files\Dell
2009-02-26 02:09 --------- d-----w c:\documents and settings\shawn\Application Data\Move Networks
2009-02-26 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-26 00:40 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 00:40 --------- d-----w c:\program files\IrfanView
2009-02-26 00:03 --------- d-----w c:\program files\Common Files\Adobe
2009-02-26 00:01 --------- d-----w c:\documents and settings\shawn\Application Data\Lavasoft
2009-02-25 23:14 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-25 22:31 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-02-25 22:29 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-24 21:56 --------- d-----w c:\program files\TuneUp Utilities 2007
2006-08-09 02:27 5,895,389 ------w c:\program files\PartyPokerSetup.exe
2007-03-02 04:24 104 -csh--r c:\windows\system32\19C19C8F19.sys
2007-03-14 07:22 56 --sh--r c:\windows\system32\5B3373922A.sys
2007-04-14 01:18 7,050 -csh--w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Rxobataga"="c:\windows\ukogoxutuxu.dll" [2009-03-03 134144]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\ieakui32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 17:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--------- 2008-10-01 18:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--------- 2009-02-25 22:16 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--------- 2009-02-17 12:43 1830128 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"MSKDetectorExe"=c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
"DMXLauncher"=c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-03 130424]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-03-13 22536]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2009-03-13 4150840]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-03 348752]
S3 wsvad_driver;Daniusoft Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2008-09-17 20608]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-03-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 06:51]

2008-11-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-13 c:\windows\Tasks\Norton Security Scan for shawn.job
- c:\program files\Norton Security Scan\Nss.exe [2009-03-11 20:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: stumbleupon.com
FF - ProfilePath - c:\documents and settings\shawn\Application Data\Mozilla\Firefox\Profiles\z2yx1x02.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?refresh=1
FF - component: c:\documents and settings\shawn\Application Data\Mozilla\Firefox\Profiles\z2yx1x02.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 18:07:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WLTRAY.EXE
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-03-16 18:11:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 23:11:49

Pre-Run: 25,226,903,552 bytes free
Post-Run: 25,535,352,832 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /TUTag=5R8QVY

273 --- E O F --- 2009-03-12 08:03:06

#4 Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Belgium
  • Local time:06:49 AM

Posted 17 March 2009 - 05:26 AM

Hello smgerg,

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the text below into an empty Notepad window:

http://www.bleepingcomputer.com/forums/t/210827/infected-system/
Collect::
c:\windows\enuvoqulic.dll
c:\windows\ukogoxutuxu.dll
c:\windows\System32\ieakui32.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rxobataga"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh DDS log.

Additionally, ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Please go to http://www.bleepingcomputer.com/submit-malware.php?channel=9
Then:
1. In the first window (Link to topic where this file was requested:) copy and paste this link: http://www.bleepingcomputer.com/forums/topic=210827
2. In the second window (Browse to the file you want to submit:) browse to the C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip file
3. Click the Send file button

Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference


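A note for anyone reading this thread later who wants to do the same triage Thunder did by eye. The script below is an added example, not part of the thread and not ComboFix's own code. It walks the "Reg Loading Points" section of a ComboFix log, flags the two kinds of entry that were acted on above (a Run value that launches a DLL parked directly in the Windows root, and a populated AppInit_DLLs value), and renders the result in the same CFScript layout Thunder used (topic URL first, then Collect:: and Registry::, with "Name"=- deleting a value and "AppInit_DLLs"="" blanking it). The sample log is constructed from the entries visible in the log above; the heuristics and the 14-day "recent file" corroboration are my assumptions, not ComboFix rules, and any generated script should be reviewed line by line by a helper before it is run.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log and draft a CFScript.

Added example (not from the thread or from ComboFix). Heuristics are assumptions:
  * a Run value that launches a .dll is unusual; one parked directly in the
    Windows root rather than a vendor or system32 folder is more so;
  * any non-empty AppInit_DLLs is worth a look, since it is injected into
    every process that loads user32.dll;
  * a file dated within `recent_days` of the scan is only added as corroboration
    to an entry that is already suspicious, never as a finding on its own.
"""
import re
from datetime import date

# Constructed from the log posted above; paths and values as they appear there.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"Rxobataga"="c:\windows\ukogoxutuxu.dll" [2009-03-03 134144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\ieakui32.dll
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
STAMP_RE = re.compile(r'\[(?P<day>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]\s*$')
WIN_ROOT = 'c:\\windows\\'


def _split_path(rest):
    """Pull the file path out of the right-hand side of a ComboFix value line."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    # Unquoted form: path runs up to the " [date size]" tag, or to end of line.
    return rest.split(' [', 1)[0].strip()


def triage(log_text, scan_date, recent_days=14):
    """Return a list of suspicious autostart entries with the reasons for each."""
    findings, key = [], None
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, rest = m.group('name'), m.group('rest')
        path = _split_path(rest)
        low_key, low_path = key.lower(), path.lower()
        reasons = []
        if low_key.endswith('\\run') and low_path.endswith('.dll'):
            reasons.append('Run value loads a DLL')
            if low_path.startswith(WIN_ROOT) and '\\' not in low_path[len(WIN_ROOT):]:
                reasons.append('DLL sits directly in the Windows root')
        if (low_key.endswith('\\currentversion\\windows')
                and name.lower() == 'appinit_dlls' and path):
            reasons.append('AppInit_DLLs is populated (injected into every user32 process)')
        stamp = STAMP_RE.search(rest)
        if reasons and stamp:  # recency corroborates; it never flags on its own
            age = (scan_date - date.fromisoformat(stamp.group('day'))).days
            if 0 <= age <= recent_days:
                reasons.append(f'file dated within {recent_days} days of scan')
        if reasons:
            findings.append({'key': key, 'name': name, 'path': path, 'reasons': reasons})
    return findings


def build_cfscript(findings, topic_url):
    """Render findings in CFScript layout: topic URL, Collect::, then Registry::.

    "Name"=- deletes a value; AppInit_DLLs is blanked with "" instead, matching
    the reply above. Output is a draft for a human to review, not to run blindly.
    """
    collect, registry = [], {}
    for f in findings:
        if f['path'] and f['path'] not in collect:
            collect.append(f['path'])
        setting = '""' if f['name'].lower() == 'appinit_dlls' else '-'
        registry.setdefault(f['key'], []).append(f'"{f["name"]}"={setting}')
    lines = [topic_url, 'Collect::', *collect, 'Registry::']
    for key, values in registry.items():
        lines.append(f'[{key}]')
        lines.extend(values)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG, date(2009, 3, 16))
    for h in hits:
        print(f"{h['name']}: {h['path']}  <- {'; '.join(h['reasons'])}")
    print(build_cfscript(hits, 'http://www.bleepingcomputer.com/forums/t/210827/infected-system/'))
```

Run against the constructed sample with the scan date from the log, the script flags exactly the two entries Thunder removed (Rxobataga and AppInit_DLLs) and leaves the Dell and Apoint entries alone; the 2009-03-03 stamp on ukogoxutuxu.dll is reported as corroboration because it falls 13 days before the scan.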

