Trojan.Vundo.H - Malwarebytes found 9 infections


This topic is locked
23 replies to this topic

#1 Cjos


Posted 06 April 2009 - 01:50 PM

As stated in topic, Malwarebytes has found 9 instances of this infection but is unable to remove them. I am running Windows XP SP3 and Norton AV 2009 (NAV does not even detect these infections). The System Restore feature is not working--only saves the most current restore point--all other points (automatic or self-created) get deleted each day. Other than System Restore not working and system crashes during some gaming, my computer is running "ok" but I would like these infections gone. My local computer shop was unsuccessful in their attempt to rid me of these buggers and I am not sure what steps they took to try and remove them.


DDS (Ver_09-03-16.01) - NTFSx86
Run by CJN at 13:26:18.95 on Mon 04/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1622 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\CJN\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: : {952965cb-9dd2-4498-9dac-6922658a9222} - c:\windows\system32\eyxzyji.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ResChanger2004] NONE
uRunOnce: [<NO NAME>] c:\program files\internet explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...0000d3.0000025b
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\cjn\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\documents and settings\cjn\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197506877921
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197506855890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: ecnnshsg - eyxzyji.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 pmdyfdvh;pmdyfdvh;c:\windows\system32\drivers\pmdyfdvh.sys [2001-8-23 23424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-28 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-28 482352]
R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [1998-11-27 6144]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-28 115560]
R2 yowojvnf;Terminal Server Device Redirector Helper;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-28 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090406.003\NAVENG.SYS [2009-4-6 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090406.003\NAVEX15.SYS [2009-4-6 876144]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2005-9-30 3712]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090331.007\IDSXpx86.sys [2009-4-2 276344]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 gel90xne;gel90xne;\??\c:\docume~1\cjn\locals~1\temp\gel90xne.sys --> c:\docume~1\cjn\locals~1\temp\gel90xne.sys [?]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\sguard.sys --> c:\windows\system32\drivers\SGuard.sys [?]

=============== Created Last 30 ================

2009-04-05 23:46 <DIR> --d----- c:\docume~1\cjn\applic~1\zbuqgmoc
2009-04-05 11:23 <DIR> --d----- c:\program files\Trend Micro
2009-04-05 10:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 10:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 10:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-04 10:11 215,383 a------- c:\windows\system32\nvapps.xml
2009-04-04 10:11 453,152 a------- c:\windows\system32\nvudisp.exe
2009-04-04 10:11 19,054 a------- c:\windows\system32\nvdisp.nvu
2009-04-04 10:11 <DIR> --d----- c:\windows\nview
2009-04-04 10:10 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-28 11:17 <DIR> --d--r-- c:\program files\Norton Support
2009-03-28 09:25 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-28 09:25 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-28 09:25 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-28 09:25 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-28 09:25 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-28 09:25 <DIR> --d----- c:\program files\Symantec
2009-03-28 09:24 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-03-28 09:24 <DIR> --d----- c:\program files\Norton AntiVirus
2009-03-28 09:24 <DIR> --d----- c:\program files\NortonInstaller
2009-03-27 19:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-27 19:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-27 15:47 42 a------- c:\windows\system32\AK083E209605E394C.lie
2009-03-27 15:47 <DIR> --d----- c:\program files\Perfect Uninstaller
2009-03-26 21:58 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-26 12:02 <DIR> --d----- c:\windows\system32\KB905474
2009-03-26 11:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-26 11:57 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-26 11:57 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-26 11:57 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-26 11:57 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-26 11:57 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-26 11:57 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-26 11:57 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-26 11:08 <DIR> --d----- c:\windows\system32\scripting
2009-03-26 11:08 <DIR> --d----- c:\windows\l2schemas
2009-03-26 11:08 <DIR> --d----- c:\windows\system32\en
2009-03-25 15:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-03-24 10:33 <DIR> --d----- c:\docume~1\cjn\applic~1\Malwarebytes
2009-03-24 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-24 10:08 136,192 -------- c:\windows\system32\aaclient.dll
2009-03-22 15:36 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-22 15:35 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-22 15:35 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-22 15:35 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-22 15:35 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-22 15:34 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-03-22 15:34 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-22 15:34 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-03-22 15:34 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-03-22 15:34 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-03-22 15:33 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-03-22 15:29 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-22 15:29 27,496 a------- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2009-03-26 11:11 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2006-11-28 13:07 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:26:58.65 ===============
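As an added example that is not part of this thread and not DDS's own code, the Python below applies the kind of checks a helper makes when reading the two DDS logs in this thread: random-looking names, a BHO with no display name, a Winlogon Notify DLL that is also registered as a BHO, a driver loaded from a temp folder, a service hosted under svchost netsvcs, a driver carrying the XP RTM file date, and a service whose display name differs between the first scan and the second one posted later (yowojvnf). The sample lines are copied from those logs; the scoring rules, thresholds and helper names are this example's own assumptions.

```python
"""Heuristic triage of DDS log lines of the kind posted in this thread.

Added example, not part of the posts and not DDS's own code: sample lines are
copied from the two DDS logs in the thread; rules, thresholds and names are assumptions.
"""
import re

# Constructed sample: entries copied from the first DDS log (post #1).
SCAN_1 = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: : {952965cb-9dd2-4498-9dac-6922658a9222} - c:\windows\system32\eyxzyji.dll
Notify: ecnnshsg - eyxzyji.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
R0 pmdyfdvh;pmdyfdvh;c:\windows\system32\drivers\pmdyfdvh.sys [2001-8-23 23424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-28 310320]
R2 yowojvnf;Terminal Server Device Redirector Helper;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S3 gel90xne;gel90xne;\??\c:\docume~1\cjn\locals~1\temp\gel90xne.sys --> c:\docume~1\cjn\locals~1\temp\gel90xne.sys [?]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\sguard.sys --> c:\windows\system32\drivers\SGuard.sys [?]
"""

# Constructed sample: the same services in the second DDS log (post #3), where
# the yowojvnf service now carries a different display name.
SCAN_2 = r"""
R2 yowojvnf;Symantec Network Filter Support;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\sguard.sys --> c:\windows\system32\drivers\SGuard.sys [?]
"""

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?)(?: \[([^\]]*)\])?$")
HJT_RE = re.compile(r"^(BHO|Notify|SSODL): (.*)$")
XP_RTM_STAMP = "2001-8-23"  # file date carried by the files Windows XP shipped with


def looks_random(name):
    """Short lowercase letters/digits with few vowels or a long consonant run (one signal only)."""
    n = name.lower()
    if not 6 <= len(n) <= 10 or not re.fullmatch(r"[a-z0-9]+", n):
        return False
    vowels = sum(c in "aeiou" for c in n)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", n)), default=0)
    return vowels / len(n) < 0.3 or longest_run >= 4


def parse(text):
    """Split DDS lines into HJT-style entries (BHO/Notify/SSODL) and service/driver entries."""
    hjt, services = [], []
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            _start, name, desc, path, stamp = m.groups()
            services.append({"name": name, "desc": desc, "path": path.lower(),
                             "stamp": (stamp or "").split(" ")[0]})
            continue
        m = HJT_RE.match(line)
        if m:
            kind, rest = m.groups()
            sep = ": " if kind == "BHO" else " - "  # BHO lines put the display name before ': '
            hjt.append({"kind": kind, "name": rest.split(sep, 1)[0],
                        "dll": rest.rsplit(" - ", 1)[-1].strip().lower()})
    return hjt, services


def triage(text):
    """Return {label: [reasons]} for entries that collect at least two independent signals."""
    hjt, services = parse(text)
    hits = {}
    # The same DLL hooked as a Winlogon Notify package and as a BHO (eyxzyji.dll here).
    bho_dlls = {e["dll"].rsplit("\\", 1)[-1] for e in hjt if e["kind"] == "BHO"}
    for e in hjt:
        base = e["dll"].rsplit("\\", 1)[-1]
        reasons = []
        if looks_random(e["name"]) or looks_random(base.rsplit(".", 1)[0]):
            reasons.append("random-looking name")
        if e["kind"] == "BHO" and not e["name"]:
            reasons.append("BHO without a display name")
        if e["kind"] == "Notify" and base in bho_dlls:
            reasons.append("Notify DLL also loaded as a BHO")
        if len(reasons) >= 2:
            hits[f"{e['kind']}:{e['dll']}"] = reasons
    for s in services:
        reasons = []
        if looks_random(s["name"]):
            reasons.append("random-looking service name")
        if "\\temp\\" in s["path"]:
            reasons.append("driver loaded from a temp folder")
        if "svchost.exe -k netsvcs" in s["path"]:
            reasons.append("hosted in the netsvcs svchost group")
        if s["stamp"] == XP_RTM_STAMP and s["path"].endswith(".sys"):
            reasons.append("driver timestamped with the XP RTM file date")
        if len(reasons) >= 2:
            hits[s["name"]] = reasons
    return hits


def changed_descriptions(old_text, new_text):
    """Services present in both scans whose display name changed in between."""
    old = {s["name"]: s["desc"] for s in parse(old_text)[1]}
    new = {s["name"]: s["desc"] for s in parse(new_text)[1]}
    return {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]}
```

Running triage(SCAN_1) flags the eyxzyji.dll BHO and Notify entries plus pmdyfdvh, yowojvnf and gel90xne, while the Symantec, Adobe, WPDShServiceObj and SGUARD entries collect at most one signal; changed_descriptions(SCAN_1, SCAN_2) reports the yowojvnf rename.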


#2 Jat90


Posted 06 April 2009 - 03:59 PM

Hello, Cjos

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Let's do this:

OTMoveIt

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code into the text area. Do not include the word "Code".
    :files
    c:\documents and settings\cjn\application data\zbuqgmoc
    
    :reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ecnnshsg]
    
    :services
    pmdyfdvh
    yowojvnf
    gel90xne
    
    :commands
    [EmptyTemp]
    [Reboot]
  • Push the large button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents of the results window here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
ESET Online Scan

Please go to the Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.
ReScan

Please rescan with DDS and post DDS.txt


In your next reply, please post:
  • OTMI log
  • ESET log
  • DDS log

Edited by Jat90, 06 April 2009 - 04:01 PM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#3 Cjos


Posted 06 April 2009 - 08:14 PM

Jat90 -

I did what you asked but ran into the following problems:

1. I ran the OT program but when I tried to resize the results window to copy the text it ended up freezing and I needed to terminate the program via the task manager. I re-ran the scan at which time I was asked to re-boot. The log posted here is from the second scan.

2. I then attempted the Eset online scan. Everything was going fine but after 25 minutes into the scan I got a Windows Logon warning and the system shut down, resulting in this message on a blue screen:

STOP: c000021a {FATAL SYSTEM ERROR}
The Windows Logon Process system process terminated unexpectedly with a of
0x 0000005 (0x 00000000 0x00000000)
system has been shut down

The only Eset log I found in the Eset directory is named "debuglog", not "log.txt" as stated in your directions.

Here are the requested logs:

========== FILES ==========
File/Folder c:\documents and settings\cjn\application data\zbuqgmoc not found.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsot\windows nt\currentversion\winlogon\notify\ecnnshsg\\ not found.
========== SERVICES/DRIVERS ==========

Unable to delete service\driver keypmdyfdvh.

Service\Driver yowojvnf deleted successfully.

Service\Driver gel90xne deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\CJN\Local Settings\Temporary Internet Files\Content.IE5\U1PK56C4\topic217303[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\CJN\Local Settings\Temporary Internet Files\Content.IE5\0OXGQPJD\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\CJN\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\CJN\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\JETECD1.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2a0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_348.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04062009_190144

Files moved on Reboot...
C:\Documents and Settings\CJN\Local Settings\Temporary Internet Files\Content.IE5\U1PK56C4\topic217303[1].htm moved successfully.
C:\Documents and Settings\CJN\Local Settings\Temporary Internet Files\Content.IE5\0OXGQPJD\iframe[1].htm moved successfully.
C:\Documents and Settings\CJN\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.
File C:\WINDOWS\temp\JETECD1.tmp not found!
File C:\WINDOWS\temp\Perflib_Perfdata_2a0.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_348.dat not found!


# vers_standard_module=3990 (20090406)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)



DDS (Ver_09-03-16.01) - NTFSx86
Run by CJN at 19:55:50.29 on Mon 04/06/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1634 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\CJN\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: : {952965cb-9dd2-4498-9dac-6922658a9222} - c:\windows\system32\eyxzyji.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ResChanger2004] NONE
uRunOnce: [<NO NAME>] c:\program files\internet explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/P...0000d3.0000025b
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\cjn\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\documents and settings\cjn\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197506877921
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197506855890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: ecnnshsg - eyxzyji.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 pmdyfdvh;pmdyfdvh;c:\windows\system32\drivers\pmdyfdvh.sys [2001-8-23 23424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-28 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-28 482352]
R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [1998-11-27 6144]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-28 115560]
R2 yowojvnf;Symantec Network Filter Support;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-28 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090406.003\NAVENG.SYS [2009-4-6 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090406.003\NAVEX15.SYS [2009-4-6 876144]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2005-9-30 3712]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090331.007\IDSXpx86.sys [2009-4-2 276344]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\sguard.sys --> c:\windows\system32\drivers\SGuard.sys [?]

=============== Created Last 30 ================

2009-04-06 19:12 <DIR> --d----- c:\program files\EsetOnlineScanner
2009-04-06 18:56 <DIR> --d----- C:\_OTMoveIt
2009-04-05 11:23 <DIR> --d----- c:\program files\Trend Micro
2009-04-05 10:27 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-05 10:27 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 10:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-04 10:11 215,383 a------- c:\windows\system32\nvapps.xml
2009-04-04 10:11 453,152 a------- c:\windows\system32\nvudisp.exe
2009-04-04 10:11 19,054 a------- c:\windows\system32\nvdisp.nvu
2009-04-04 10:11 <DIR> --d----- c:\windows\nview
2009-04-04 10:10 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-28 11:17 <DIR> --d--r-- c:\program files\Norton Support
2009-03-28 09:25 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-28 09:25 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-28 09:25 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-28 09:25 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-28 09:25 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-28 09:25 <DIR> --d----- c:\program files\Symantec
2009-03-28 09:24 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-03-28 09:24 <DIR> --d----- c:\program files\Norton AntiVirus
2009-03-28 09:24 <DIR> --d----- c:\program files\NortonInstaller
2009-03-27 19:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-27 19:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-27 15:47 42 a------- c:\windows\system32\AK083E209605E394C.lie
2009-03-27 15:47 <DIR> --d----- c:\program files\Perfect Uninstaller
2009-03-26 21:58 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-03-26 12:02 <DIR> --d----- c:\windows\system32\KB905474
2009-03-26 11:58 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-26 11:57 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-03-26 11:57 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-26 11:57 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-26 11:57 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-26 11:57 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-26 11:57 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-26 11:57 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-26 11:08 <DIR> --d----- c:\windows\system32\scripting
2009-03-26 11:08 <DIR> --d----- c:\windows\l2schemas
2009-03-26 11:08 <DIR> --d----- c:\windows\system32\en
2009-03-25 15:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-03-24 10:33 <DIR> --d----- c:\docume~1\cjn\applic~1\Malwarebytes
2009-03-24 10:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-24 10:08 136,192 -------- c:\windows\system32\aaclient.dll
2009-03-22 15:36 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-22 15:35 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-22 15:35 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-22 15:35 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-22 15:35 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-22 15:34 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-03-22 15:34 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-22 15:34 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-03-22 15:34 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-03-22 15:34 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-03-22 15:33 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-03-22 15:29 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-22 15:29 27,496 a------- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2009-03-26 11:11 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2006-11-28 13:07 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 19:56:38.40 ===============

#4 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:55 AM

Posted 07 April 2009 - 05:55 AM

Hello,

I still see some bad files remaining and a driver could not be deleted. We will use a more powerful tool.

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instructions can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#5 Cjos

Cjos
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 07 April 2009 - 11:29 AM

Jat90 - Here are the results of the ComboFix log: I also re-enabled Windows Firewall and NAV--hope that is ok?


ComboFix 09-04-04.01 - CJN 2009-04-07 11:14:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1576 [GMT -5:00]
Running from: c:\documents and settings\CJN\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\At1.job
c:\windows\system32\eyxzyji.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_YOWOJVNF
-------\Service_yowojvnf


((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-07 02:46 . 2009-04-07 02:46 <DIR> d-------- c:\documents and settings\CJN\Application Data\zbuqgmoc
2009-04-06 19:12 . 2009-04-06 19:14 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-04-06 18:56 . 2009-04-06 18:56 <DIR> d-------- C:\_OTMoveIt
2009-04-05 11:23 . 2009-04-05 11:23 <DIR> d-------- c:\program files\Trend Micro
2009-04-05 10:27 . 2009-04-06 12:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 10:27 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 10:27 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 10:11 . 2009-04-04 10:11 <DIR> d-------- c:\windows\nview
2009-04-04 10:11 . 2009-03-27 10:03 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-04-04 10:11 . 2009-04-07 11:19 215,383 --a------ c:\windows\system32\nvapps.xml
2009-04-04 10:11 . 2009-03-27 10:03 19,054 --a------ c:\windows\system32\nvdisp.nvu
2009-04-04 10:10 . 2009-03-27 08:14 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2009-04-03 20:05 . 2009-04-03 20:05 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\zbuqgmoc
2009-03-28 11:17 . 2009-03-28 11:17 <DIR> dr------- c:\program files\Norton Support
2009-03-28 09:25 . 2009-03-28 09:25 <DIR> d-------- c:\program files\Symantec
2009-03-28 09:25 . 2009-03-28 09:25 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-28 09:25 . 2009-03-28 09:25 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-28 09:25 . 2009-03-28 09:25 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-28 09:25 . 2009-03-28 09:25 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-28 09:25 . 2009-03-28 09:25 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\program files\Windows Sidebar
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\program files\NortonInstaller
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\program files\Norton AntiVirus
2009-03-27 19:44 . 2009-03-28 09:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-27 19:44 . 2009-03-28 09:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-27 15:47 . 2009-03-27 15:47 <DIR> d-------- c:\program files\Perfect Uninstaller
2009-03-27 15:47 . 2009-03-27 15:47 42 --a------ c:\windows\system32\AK083E209605E394C.lie
2009-03-26 21:58 . 2009-01-09 14:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-26 12:02 . 2009-03-26 12:02 <DIR> d-------- c:\windows\system32\KB905474
2009-03-26 12:02 . 2009-03-10 22:26 1,403,264 --a------ c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-03-26 12:02 . 2009-03-10 22:18 453,512 --a------ c:\windows\system32\KB905474\wgasetup.exe
2009-03-26 12:02 . 2009-02-09 18:51 12,490 --a------ c:\windows\system32\KB905474\wga_eula.txt
2009-03-26 11:58 . 2009-03-26 11:58 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-26 11:58 . 2009-03-26 11:58 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-26 11:58 . 2009-03-26 11:58 <DIR> d-------- c:\program files\MSBuild
2009-03-26 11:57 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-26 11:57 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-26 11:57 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-26 11:57 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-26 11:57 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-26 11:57 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-03-26 11:57 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-26 11:08 . 2009-03-26 11:08 <DIR> d-------- c:\windows\system32\scripting
2009-03-26 11:08 . 2009-03-26 11:08 <DIR> d-------- c:\windows\system32\en
2009-03-26 11:08 . 2009-03-26 11:08 <DIR> d-------- c:\windows\l2schemas
2009-03-25 15:12 . 2009-03-27 16:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-24 10:33 . 2009-03-24 10:33 <DIR> d-------- c:\documents and settings\CJN\Application Data\Malwarebytes
2009-03-24 10:32 . 2009-03-24 10:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-24 10:08 . 2008-04-13 19:11 136,192 --------- c:\windows\system32\aaclient.dll
2009-03-22 15:36 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-22 15:35 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-22 15:35 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-22 15:35 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-22 15:35 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-22 15:34 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-22 15:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-22 15:34 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-22 15:34 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-22 15:34 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-22 15:33 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-22 15:29 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-22 15:29 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 21:20 --------- d-----w c:\program files\Steam
2009-03-31 20:11 --------- d-----w c:\program files\CCleaner
2009-03-28 16:27 --------- d-----w c:\program files\Google
2009-03-28 16:11 --------- d-----w c:\program files\Ahead
2009-03-28 16:02 --------- d-----w c:\program files\iolo
2009-03-28 15:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 14:09 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 14:09 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-27 15:03 6,280,416 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-03-25 16:31 --------- d-----w c:\program files\Trellian
2009-03-13 23:13 --------- d-----w c:\program files\home plan software
2009-03-06 02:21 --------- d-----w c:\program files\DesignWorkshop Lite
2009-02-28 22:24 --------- d-----w c:\documents and settings\CJN\Application Data\FileZilla
2009-02-21 20:18 --------- d-----w c:\program files\FileZilla FTP Client
2009-02-16 17:28 --------- d-----w c:\documents and settings\CJN\Application Data\Alien Skin
2009-02-13 00:38 --------- d-----w c:\program files\Common Files\Macromedia
2009-02-13 00:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 00:37 --------- d-----w c:\program files\Macromedia
2009-02-11 23:13 --------- d-----w c:\program files\Evrsoft First Page 2006
2006-11-28 18:07 10,856 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{952965CB-9DD2-4498-9DAC-6922658A9222}]
2009-04-07 11:15 106496 --a------ c:\windows\system32\eyxzyji.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ResChanger2004"="NONE" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2008-12-19 634024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"nwiz"="nwiz.exe" [2009-03-27 c:\windows\system32\nwiz.exe]

c:\documents and settings\CJN\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-07-24 344064]
PowerReg Scheduler.exe [2004-10-24 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-10-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-10-24 169472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5 Professional\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\FTP Commander\\Ftpcomm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\deathmatch classic\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\team fortress classic\\hl.exe"=
"c:\\Program Files\\GIANT Company Software\\Spam Inspector\\siMailProxyServer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\DriverGuide Toolkit\\drvgdtk2.exe"=
"c:\\Program Files\\CCP\\EVE\\eve.exe"=
"c:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8864:TCP"= 8864:TCP:TeamSpeak
"16288:TCP"= 16288:TCP:@xpsp2res.dll,-22009
"27027:TCP"= 27027:TCP:@xpsp2res.dll,-22009

R0 pmdyfdvh;pmdyfdvh;c:\windows\system32\drivers\pmdyfdvh.sys [2001-08-23 23424]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-28 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-28 482352]
R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [1998-11-27 6144]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-28 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-28 101936]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2005-09-30 3712]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-02 276344]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\SGuard.sys --> c:\windows\system32\drivers\SGuard.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-06 c:\windows\Tasks\Norton AntiVirus - CJN - Full System Scan.job
- c:\program files\Norton AntiVirus\Engine\16.5.0.134\Navw32.exe [2009-03-28 09:25]

2009-04-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 11:19:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-963894560-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1659004503-963894560-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:84,7d,b4,88,9f,22,21,88,bb,53,14,ce,34,e9,72,94,93,0e,52,8d,c7,f1,9d,
14,72,74,b0,61,8b,b7,91,a1,48,09,96,83,6f,ca,44,6c,be,46,a4,5a,6d,7a,c2,5b,\
"??"=hex:a9,4f,8d,2f,67,d7,ef,5f,19,3c,8f,53,fc,98,ad,a1

[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.22.00]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_PMDYFDVH\0000\LogConf]
@DACL=(02 0000)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\WebUpdateSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\hpzipm12.exe
c:\program files\HP\hpcoretech\comp\hpdarc.exe
.
**************************************************************************
.
Completion time: 2009-04-07 11:23:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-07 16:23:15

Pre-Run: 32,214,384,640 bytes free
Post-Run: 32,510,365,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

252 --- E O F --- 2009-03-26 16:29:12

Edited by Cjos, 07 April 2009 - 11:41 AM.


#6 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:55 AM

Posted 07 April 2009 - 12:22 PM

Hello,

Still a few things to do:

CFScript

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\LEGACY_PMDYFDVH]

Driver::
pmdyfdvh

File::
c:\windows\system32\eyxzyji.dll
c:\windows\system32\drivers\pmdyfdvh.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{952965CB-9DD2-4498-9DAC-6922658A9222}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Edited by Jat90, 07 April 2009 - 12:24 PM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.


#7 Cjos

Cjos
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:12:55 AM

Posted 07 April 2009 - 12:50 PM

Hello Again - Here is the latest ComboFix log:


ComboFix 09-04-04.01 - CJN 2009-04-07 12:37:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1615 [GMT -5:00]
Running from: c:\documents and settings\CJN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CJN\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\pmdyfdvh.sys
c:\windows\system32\eyxzyji.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\pmdyfdvh.sys
c:\windows\system32\eyxzyji.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PMDYFDVH
-------\Service_pmdyfdvh


((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-07 02:46 . 2009-04-07 02:46 <DIR> d-------- c:\documents and settings\CJN\Application Data\zbuqgmoc
2009-04-06 19:12 . 2009-04-06 19:14 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-04-06 18:56 . 2009-04-06 18:56 <DIR> d-------- C:\_OTMoveIt
2009-04-05 11:23 . 2009-04-05 11:23 <DIR> d-------- c:\program files\Trend Micro
2009-04-05 10:27 . 2009-04-06 12:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 10:27 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 10:27 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 10:11 . 2009-04-04 10:11 <DIR> d-------- c:\windows\nview
2009-04-04 10:11 . 2009-03-27 10:03 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-04-04 10:11 . 2009-04-07 12:42 215,383 --a------ c:\windows\system32\nvapps.xml
2009-04-04 10:11 . 2009-03-27 10:03 19,054 --a------ c:\windows\system32\nvdisp.nvu
2009-04-04 10:10 . 2009-03-27 08:14 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2009-04-03 20:05 . 2009-04-03 20:05 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\zbuqgmoc
2009-03-28 11:17 . 2009-03-28 11:17 <DIR> dr------- c:\program files\Norton Support
2009-03-28 09:25 . 2009-03-28 09:25 <DIR> d-------- c:\program files\Symantec
2009-03-28 09:25 . 2009-03-28 09:25 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-28 09:25 . 2009-03-28 09:25 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-28 09:25 . 2009-03-28 09:25 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-28 09:25 . 2009-03-28 09:25 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-28 09:25 . 2009-03-28 09:25 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\program files\Windows Sidebar
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\program files\NortonInstaller
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\program files\Norton AntiVirus
2009-03-27 19:44 . 2009-03-28 09:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-27 19:44 . 2009-03-28 09:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-27 15:47 . 2009-03-27 15:47 <DIR> d-------- c:\program files\Perfect Uninstaller
2009-03-27 15:47 . 2009-03-27 15:47 42 --a------ c:\windows\system32\AK083E209605E394C.lie
2009-03-26 21:58 . 2009-01-09 14:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-26 12:02 . 2009-03-26 12:02 <DIR> d-------- c:\windows\system32\KB905474
2009-03-26 12:02 . 2009-03-10 22:26 1,403,264 --a------ c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-03-26 12:02 . 2009-03-10 22:18 453,512 --a------ c:\windows\system32\KB905474\wgasetup.exe
2009-03-26 12:02 . 2009-02-09 18:51 12,490 --a------ c:\windows\system32\KB905474\wga_eula.txt
2009-03-26 11:58 . 2009-03-26 11:58 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-26 11:58 . 2009-03-26 11:58 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-26 11:58 . 2009-03-26 11:58 <DIR> d-------- c:\program files\MSBuild
2009-03-26 11:57 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-26 11:57 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-26 11:57 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-26 11:57 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-26 11:57 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-26 11:57 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-03-26 11:57 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-26 11:08 . 2009-03-26 11:08 <DIR> d-------- c:\windows\system32\scripting
2009-03-26 11:08 . 2009-03-26 11:08 <DIR> d-------- c:\windows\system32\en
2009-03-26 11:08 . 2009-03-26 11:08 <DIR> d-------- c:\windows\l2schemas
2009-03-25 15:12 . 2009-03-27 16:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-24 10:33 . 2009-03-24 10:33 <DIR> d-------- c:\documents and settings\CJN\Application Data\Malwarebytes
2009-03-24 10:32 . 2009-03-24 10:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-24 10:08 . 2008-04-13 19:11 136,192 --------- c:\windows\system32\aaclient.dll
2009-03-22 15:36 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-22 15:35 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-22 15:35 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-22 15:35 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-22 15:35 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-22 15:34 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-22 15:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-22 15:34 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-22 15:34 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-22 15:34 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-22 15:33 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-22 15:29 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-22 15:29 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 17:37 23,424 ----a-w c:\windows\system32\drivers\mdartbld.sys
2009-04-04 21:20 --------- d-----w c:\program files\Steam
2009-03-31 20:11 --------- d-----w c:\program files\CCleaner
2009-03-28 16:27 --------- d-----w c:\program files\Google
2009-03-28 16:11 --------- d-----w c:\program files\Ahead
2009-03-28 16:02 --------- d-----w c:\program files\iolo
2009-03-28 15:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 14:09 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 14:09 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-27 15:03 6,280,416 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2009-03-25 16:31 --------- d-----w c:\program files\Trellian
2009-03-13 23:13 --------- d-----w c:\program files\home plan software
2009-03-06 02:21 --------- d-----w c:\program files\DesignWorkshop Lite
2009-02-28 22:24 --------- d-----w c:\documents and settings\CJN\Application Data\FileZilla
2009-02-21 20:18 --------- d-----w c:\program files\FileZilla FTP Client
2009-02-16 17:28 --------- d-----w c:\documents and settings\CJN\Application Data\Alien Skin
2009-02-13 00:38 --------- d-----w c:\program files\Common Files\Macromedia
2009-02-13 00:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 00:37 --------- d-----w c:\program files\Macromedia
2009-02-11 23:13 --------- d-----w c:\program files\Evrsoft First Page 2006
2006-11-28 18:07 10,856 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-07_11.22.18.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-07 17:42:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1d0.dat
- 2009-04-07 16:18:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_224.dat
+ 2009-04-07 17:42:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_224.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ResChanger2004"="NONE" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2008-12-19 634024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"nwiz"="nwiz.exe" [2009-03-27 c:\windows\system32\nwiz.exe]

c:\documents and settings\CJN\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-07-24 344064]
PowerReg Scheduler.exe [2004-10-24 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-10-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-10-24 169472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5 Professional\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\FTP Commander\\Ftpcomm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\deathmatch classic\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\team fortress classic\\hl.exe"=
"c:\\Program Files\\GIANT Company Software\\Spam Inspector\\siMailProxyServer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\DriverGuide Toolkit\\drvgdtk2.exe"=
"c:\\Program Files\\CCP\\EVE\\eve.exe"=
"c:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8864:TCP"= 8864:TCP:TeamSpeak
"16288:TCP"= 16288:TCP:@xpsp2res.dll,-22009
"27027:TCP"= 27027:TCP:@xpsp2res.dll,-22009

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-28 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-28 482352]
R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [1998-11-27 6144]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-28 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-28 101936]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2005-09-30 3712]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-02 276344]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\SGuard.sys --> c:\windows\system32\drivers\SGuard.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PMDYFDVH
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-06 c:\windows\Tasks\Norton AntiVirus - CJN - Full System Scan.job
- c:\program files\Norton AntiVirus\Engine\16.5.0.134\Navw32.exe [2009-03-28 09:25]

2009-04-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 12:42:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-963894560-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1659004503-963894560-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:84,7d,b4,88,9f,22,21,88,bb,53,14,ce,34,e9,72,94,93,0e,52,8d,c7,f1,9d,
14,72,74,b0,61,8b,b7,91,a1,48,09,96,83,6f,ca,44,6c,be,46,a4,5a,6d,7a,c2,5b,\
"??"=hex:a9,4f,8d,2f,67,d7,ef,5f,19,3c,8f,53,fc,98,ad,a1

[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.22.00]
@DACL=(02 0000)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\WebUpdateSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\hpzipm12.exe
c:\program files\HP\hpcoretech\comp\hpdarc.exe
.
**************************************************************************
.
Completion time: 2009-04-07 12:45:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-07 17:45:42
ComboFix2.txt 2009-04-07 16:23:20

Pre-Run: 32,505,810,944 bytes free
Post-Run: 32,494,657,536 bytes free

255 --- E O F --- 2009-03-26 16:29:12

#8 Jat90

Posted 07 April 2009 - 12:56 PM

Hello,

We've got most of them. Just a couple of things remain:

CFScript

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\CJN\Application Data\zbuqgmoc

File::
c:\windows\system32\drivers\mdartbld.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

#9 Cjos

Posted 07 April 2009 - 01:18 PM

Here you are--still getting that Access Violation at.... between steps 38 and 39

Here's the log:


ComboFix 09-04-04.01 - CJN 2009-04-07 13:10:02.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1618 [GMT -5:00]
Running from: c:\documents and settings\CJN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\CJN\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\mdartbld.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\CJN\Application Data\zbuqgmoc
c:\documents and settings\CJN\Application Data\zbuqgmoc\profiles.ini
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\cert8.db
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\compatibility.ini
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\compreg.dat
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\cookies.sqlite
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\formhistory.sqlite
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\key3.db
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\localstore.rdf
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\permissions.sqlite
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\places.sqlite-journal
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\places.sqlite
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\pluginreg.dat
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\prefs.js
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\secmod.db
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\webappsstore.sqlite
c:\documents and settings\CJN\Application Data\zbuqgmoc\Profiles\8rfiak0u.default\xpti.dat
c:\windows\system32\drivers\mdartbld.sys

.
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-06 19:12 . 2009-04-06 19:14 <DIR> d-------- c:\program files\EsetOnlineScanner
2009-04-06 18:56 . 2009-04-06 18:56 <DIR> d-------- C:\_OTMoveIt
2009-04-05 11:23 . 2009-04-05 11:23 <DIR> d-------- c:\program files\Trend Micro
2009-04-05 10:27 . 2009-04-06 12:07 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 10:27 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 10:27 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 10:11 . 2009-04-04 10:11 <DIR> d-------- c:\windows\nview
2009-04-04 10:11 . 2009-03-27 10:03 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-04-04 10:11 . 2009-04-07 12:42 215,383 --a------ c:\windows\system32\nvapps.xml
2009-04-04 10:11 . 2009-03-27 10:03 19,054 --a------ c:\windows\system32\nvdisp.nvu
2009-04-04 10:10 . 2009-03-27 08:14 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2009-04-03 20:05 . 2009-04-03 20:05 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\zbuqgmoc
2009-03-28 11:17 . 2009-03-28 11:17 <DIR> dr------- c:\program files\Norton Support
2009-03-28 09:25 . 2009-03-28 09:25 <DIR> d-------- c:\program files\Symantec
2009-03-28 09:25 . 2009-03-28 09:25 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-28 09:25 . 2009-03-28 09:25 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-28 09:25 . 2009-03-28 09:25 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-28 09:25 . 2009-03-28 09:25 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-28 09:25 . 2009-03-28 09:25 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\program files\Windows Sidebar
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\program files\NortonInstaller
2009-03-28 09:24 . 2009-03-28 09:24 <DIR> d-------- c:\program files\Norton AntiVirus
2009-03-27 19:44 . 2009-03-28 09:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-27 19:44 . 2009-03-28 09:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-27 15:47 . 2009-03-27 15:47 <DIR> d-------- c:\program files\Perfect Uninstaller
2009-03-27 15:47 . 2009-03-27 15:47 42 --a------ c:\windows\system32\AK083E209605E394C.lie
2009-03-26 21:58 . 2009-01-09 14:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
2009-03-26 12:02 . 2009-03-26 12:02 <DIR> d-------- c:\windows\system32\KB905474
2009-03-26 12:02 . 2009-03-10 22:26 1,403,264 --a------ c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-03-26 12:02 . 2009-03-10 22:18 453,512 --a------ c:\windows\system32\KB905474\wgasetup.exe
2009-03-26 12:02 . 2009-02-09 18:51 12,490 --a------ c:\windows\system32\KB905474\wga_eula.txt
2009-03-26 11:58 . 2009-03-26 11:58 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-26 11:58 . 2009-03-26 11:58 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-26 11:58 . 2009-03-26 11:58 <DIR> d-------- c:\program files\MSBuild
2009-03-26 11:57 . 2008-07-06 07:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-26 11:57 . 2008-07-06 07:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-26 11:57 . 2008-07-06 05:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-26 11:57 . 2008-07-06 07:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-26 11:57 . 2008-07-06 07:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-26 11:57 . 2008-07-06 07:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-03-26 11:57 . 2008-07-06 07:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-26 11:08 . 2009-03-26 11:08 <DIR> d-------- c:\windows\system32\scripting
2009-03-26 11:08 . 2009-03-26 11:08 <DIR> d-------- c:\windows\system32\en
2009-03-26 11:08 . 2009-03-26 11:08 <DIR> d-------- c:\windows\l2schemas
2009-03-25 15:12 . 2009-03-27 16:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-24 10:33 . 2009-03-24 10:33 <DIR> d-------- c:\documents and settings\CJN\Application Data\Malwarebytes
2009-03-24 10:32 . 2009-03-24 10:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-24 10:08 . 2008-04-13 19:11 136,192 --------- c:\windows\system32\aaclient.dll
2009-03-22 15:36 . 2008-06-13 06:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-22 15:35 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-22 15:35 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-22 15:35 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-22 15:35 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-22 15:34 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-22 15:34 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-22 15:34 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-22 15:34 . 2008-05-01 09:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-22 15:34 . 2008-05-08 09:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2009-03-22 15:33 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-22 15:29 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-22 15:29 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 16:15 106,496 ----a-w c:\windows\system32\cnbrvre.dll
2009-04-04 21:20 --------- d-----w c:\program files\Steam
2009-03-31 20:11 --------- d-----w c:\program files\CCleaner
2009-03-28 16:27 --------- d-----w c:\program files\Google
2009-03-28 16:11 --------- d-----w c:\program files\Ahead
2009-03-28 16:02 --------- d-----w c:\program files\iolo
2009-03-28 15:00 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 14:09 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-28 14:09 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-25 16:31 --------- d-----w c:\program files\Trellian
2009-03-13 23:13 --------- d-----w c:\program files\home plan software
2009-03-06 02:21 --------- d-----w c:\program files\DesignWorkshop Lite
2009-02-28 22:24 --------- d-----w c:\documents and settings\CJN\Application Data\FileZilla
2009-02-21 20:18 --------- d-----w c:\program files\FileZilla FTP Client
2009-02-16 17:28 --------- d-----w c:\documents and settings\CJN\Application Data\Alien Skin
2009-02-13 00:38 --------- d-----w c:\program files\Common Files\Macromedia
2009-02-13 00:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 00:37 --------- d-----w c:\program files\Macromedia
2009-02-11 23:13 --------- d-----w c:\program files\Evrsoft First Page 2006
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2006-11-28 18:07 10,856 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-07_11.22.18.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-07 17:42:17 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1d0.dat
- 2009-04-07 16:18:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_224.dat
+ 2009-04-07 17:42:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_224.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ResChanger2004"="NONE" [X]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\IEXPLORE.EXE" [2008-12-19 634024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"nwiz"="nwiz.exe" [2009-03-27 c:\windows\system32\nwiz.exe]

c:\documents and settings\CJN\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-07-24 344064]
PowerReg Scheduler.exe [2004-10-24 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-10-30 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 237568]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-10-24 169472]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 01000000
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic 5 Professional\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\FTP Commander\\Ftpcomm.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\deathmatch classic\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\team fortress classic\\hl.exe"=
"c:\\Program Files\\GIANT Company Software\\Spam Inspector\\siMailProxyServer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\DriverGuide Toolkit\\drvgdtk2.exe"=
"c:\\Program Files\\CCP\\EVE\\eve.exe"=
"c:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\AcroRd32.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\cnerat@new.rr.com\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\MSPUB.EXE"=
"c:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8864:TCP"= 8864:TCP:TeamSpeak
"16288:TCP"= 16288:TCP:@xpsp2res.dll,-22009
"27027:TCP"= 27027:TCP:@xpsp2res.dll,-22009

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-28 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-28 482352]
R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [1998-11-27 6144]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-28 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-28 101936]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2005-09-30 3712]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090331.007\IDSXpx86.sys [2009-04-02 276344]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\SGuard.sys --> c:\windows\system32\drivers\SGuard.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PMDYFDVH
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-06 c:\windows\Tasks\Norton AntiVirus - CJN - Full System Scan.job
- c:\program files\Norton AntiVirus\Engine\16.5.0.134\Navw32.exe [2009-03-28 09:25]

2009-04-07 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 13:12:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1659004503-963894560-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1659004503-963894560-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:84,7d,b4,88,9f,22,21,88,bb,53,14,ce,34,e9,72,94,93,0e,52,8d,c7,f1,9d,
14,72,74,b0,61,8b,b7,91,a1,48,09,96,83,6f,ca,44,6c,be,46,a4,5a,6d,7a,c2,5b,\
"??"=hex:a9,4f,8d,2f,67,d7,ef,5f,19,3c,8f,53,fc,98,ad,a1

[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.22.00]
@DACL=(02 0000)
.
Completion time: 2009-04-07 13:13:59
ComboFix-quarantined-files.txt 2009-04-07 18:13:57
ComboFix2.txt 2009-04-07 17:45:46
ComboFix3.txt 2009-04-07 16:23:20

Pre-Run: 32,473,399,296 bytes free
Post-Run: 32,461,111,296 bytes free

252 --- E O F --- 2009-03-26 16:29:12

#10 Jat90

Posted 07 April 2009 - 01:22 PM

Looking Good :thumbup2:

How is your PC now? I just want to run an online scan to check we got all the malicious items.

ESET Online Scan

Please go to Eset website to perform an online scan. Please use Internet Explorer as it uses ActiveX.
  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Uncheck (untick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, you will find a log in C:\Program Files\esetonlinescanner\log.txt. Please post this log in your next reply.

#11 Cjos

Posted 07 April 2009 - 01:29 PM

Should I disable firewall and NAV before doing this scan? Just checking because last time my system crashed during the scan.

thanks

BTW, system is running much faster now :thumbup2:

#12 Jat90

Posted 07 April 2009 - 01:31 PM

Good to hear :thumbup2:

Disabling your Protection should not be necessary.

#13 Cjos

Posted 07 April 2009 - 03:40 PM

Here is the log from Eset:


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3993 (20090407)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=394cdf69b907e84b9b1258efead3196f
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-04-07 08:36:49
# local_time=2009-04-07 03:36:49 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=654105
# found=5
# scan_time=6989
C:\Documents and Settings\CJN\Start Menu\Programs\Startup\PowerReg Scheduler.exe Win32/PowerReg application EAA861C8CD8CB16D9D0DB4FA09795782
C:\Qoobox\Quarantine\C\WINDOWS\system32\_eyxzyji_.dll.zip a variant of Win32/BHO.NNE trojan 7B4DE341AFE48E9754FCBC6EFF8CB29F
C:\Qoobox\Quarantine\C\WINDOWS\system32\_eyxzyji_.dll.zip ZIP eyxzyji.dll a variant of Win32/BHO.NNE trojan 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_pmdyfdvh_.sys.zip Win32/BHO.EXT trojan 742162F287870E09FA5B2BB805393720
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_pmdyfdvh_.sys.zip ZIP pmdyfdvh.sys Win32/BHO.EXT trojan 00000000000000000000000000000000

#14 Jat90

Posted 07 April 2009 - 03:51 PM

Hello,

Just one file that needs to be taken care of, the others are located in ComboFix's Quarantine folder.

Go to My Computer
Double click Local Disk (C:)
Go into Documents and Settings
Double click CJN
Go into Start Menu, then into Programs and finally into a folder called Startup
Locate PowerReg Scheduler.exe and delete the file.

Then Empty your Recycle Bin.

ReScan

Please rescan with DDS and post DDS.txt

Edited by Jat90, 07 April 2009 - 03:51 PM.


#15 Cjos

Posted 07 April 2009 - 04:24 PM

Very Cool!

I'll be at work til later tonight--I'll have that DDS log posted for you to look at in the morning!



