#1
Diamond Member
Join Date: Jul 2006
Location: Inside my network at work
Age: 23
Posts: 1,493
Hey guys... I have a PC for a good friend whose daughter decided to start using Morpheus and downloaded a lot of viruses. I have done a lot, but it appears to still be replicating. Please help...
ComboFix 07-12-22.1 - Owner 2007-12-22 9:30:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.74 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\J5R69IKQ\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\appatc~1
C:\Program Files\appatc~1\A?pPatch\
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\ljjhghe.dll
C:\WINDOWS\system32\winrnt32.dll
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini2
.
((((((((((((((((((((((((( Files Created from 2007-11-22 to 2007-12-22 )))))))))))))))))))))))))))))))
.
2007-12-20 23:09 . 2007-12-20 23:09 <DIR> d-------- C:\Program Files\MSBuild
2007-12-20 22:57 . 2007-12-21 17:39 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-20 22:51 . 2007-12-20 22:51 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-20 22:13 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-12-20 22:12 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-20 22:11 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-20 22:10 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-20 22:09 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-20 22:08 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-20 22:07 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-20 22:06 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-20 22:05 . 2004-08-04 00:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-20 22:04 . 2004-08-04 00:56 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-12-20 22:03 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-20 22:02 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-20 22:01 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-20 22:00 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2007-12-20 21:59 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2007-12-20 21:58 . 2001-08-17 14:56 342,336 --a--c--- C:\WINDOWS\system32\dllcache\banshee.dll
2007-12-20 21:57 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2007-12-20 21:56 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
2007-12-20 21:56 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
2007-12-20 21:56 . 2004-08-03 22:31 36,224 --a--c--- C:\WINDOWS\system32\dllcache\an983.sys
2007-12-20 21:56 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
2007-12-20 21:56 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
2007-12-20 21:56 . 2001-08-17 22:37 24,576 --a--c--- C:\WINDOWS\system32\dllcache\agcgauge.ax
2007-12-20 21:56 . 2001-08-17 12:11 16,969 --a--c--- C:\WINDOWS\system32\dllcache\amb8002.sys
2007-12-20 21:56 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
2007-12-20 21:56 . 2001-08-17 13:52 12,032 --a--c--- C:\WINDOWS\system32\dllcache\amsint.sys
2007-12-20 21:56 . 2001-08-17 13:47 6,272 --a--c--- C:\WINDOWS\system32\dllcache\apmbatt.sys
2007-12-20 21:56 . 2001-08-17 13:51 5,248 --a--c--- C:\WINDOWS\system32\dllcache\aliide.sys
2007-12-20 21:53 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-12-20 21:46 . 2007-12-20 21:46 <DIR> d-------- C:\VundoFix Backups
2007-12-20 12:25 . 2003-11-18 00:09 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-20 12:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-20 12:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-20 12:13 . 2007-12-20 12:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TeamViewer
2007-12-20 03:31 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-20 03:18 . 2007-12-20 03:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-20 03:10 . 2007-12-20 03:10 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-20 03:10 . 2007-12-20 03:10 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-20 02:57 . 2007-12-20 02:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-20 02:09 . 2007-12-20 12:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-20 02:09 . 2007-12-20 02:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-19 22:19 . 2007-12-19 23:03 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-19 22:13 . 2006-11-13 00:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-12-19 22:13 . 2006-11-13 00:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-12-19 22:13 . 2006-11-13 00:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-12-19 19:49 . 2007-12-19 19:49 <DIR> d-------- C:\Program Files\CCleaner
2007-12-19 19:23 . 2007-12-22 08:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-19 19:23 . 2007-12-19 19:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-19 19:22 . 2007-12-19 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-19 19:22 . 2007-12-19 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-19 18:54 . 2007-12-20 12:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-19 18:43 . 2007-12-19 18:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TeamViewer
2007-12-19 18:42 . 2007-12-19 18:43 <DIR> d-------- C:\Program Files\TeamViewer3
2007-12-19 18:41 . 2007-12-19 18:41 <DIR> d-------- C:\Documents and Settings\Owner\temp
2007-12-19 17:40 . 2007-12-20 18:18 <DIR> d-------- C:\WINDOWS\system32\njprckha
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\VirDefs
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\Support
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\SevInst
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\LiveUpdt
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\Data
2007-12-14 22:25 . 2007-12-19 18:20 1,246,773 --a------ C:\Data1.cab
2007-12-14 22:25 . 2007-12-19 18:20 1,663 --a------ C:\Setup.wis
2007-12-14 22:19 . 2007-12-19 12:46 <DIR> d-------- C:\WINDOWS\system32\juvprpba
2007-12-14 22:18 . 2007-12-19 22:29 <DIR> d-------- C:\Program Files\Bqscjpok
2007-12-14 22:18 . 2007-12-19 22:29 <DIR> d-------- C:\Program Files\aryvobmf
2007-12-13 14:48 . 2007-12-13 14:48 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\TransRender
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Temporary
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Samsung
2007-12-13 02:53 . 2007-12-13 02:53 <DIR> d-------- C:\Program Files\Samsung
2007-12-10 00:57 . 2007-12-10 00:58 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Move Networks
2007-12-04 13:55 . 2007-12-14 20:30 <DIR> d-------- C:\Program Files\Eypekskp
2007-12-03 21:45 . 2007-12-14 20:38 <DIR> d-------- C:\Program Files\Zcmvyoll
2007-12-03 00:58 . 2007-12-14 20:37 <DIR> d-------- C:\Program Files\Pqdoufwx
2007-12-03 00:58 . 2007-12-14 22:16 <DIR> d-------- C:\Program Files\lshklgle
2007-12-03 00:21 . 2007-12-03 00:21 <DIR> d-------- C:\Program Files\Drug Lord 2
2007-11-26 06:19 . 2007-11-26 06:19 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 23:31 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-20 23:46 --------- d-----w C:\Program Files\Morpheus
2007-12-20 18:13 --------- d-----w C:\Program Files\Google
2007-12-20 00:54 --------- d-----w C:\Program Files\Windows Defender
2007-12-20 00:53 --------- d-----w C:\Program Files\Symantec
2007-12-20 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-20 00:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-15 04:18 --------- d-----w C:\Program Files\Finale NotePad 2007
2007-12-13 08:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 04:14 --------- d-----w C:\Program Files\Trillian
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-23 00:52 --------- d-----w C:\Program Files\QuickTime
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 675,840 2006-02-07 19:36:23 C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\bak\DirectCD.exe
----a-w 180,269 2006-08-22 13:45:17 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 155,648 2006-02-07 21:03:41 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 1,415,824 2005-05-31 07:04:00 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe
----a-w 1,460,560 2007-08-31 22:46:28 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
----a-w 77,824 2002-07-30 17:35:04 C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\bak\vptray.exe
----a-w 777,424 2006-04-03 23:12:24 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 15,360 2004-08-04 06:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 06:56:50 C:\WINDOWS\system32\ctfmon.exe
----a-w 106,496 2002-03-27 01:20:52 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 118,784 2003-11-18 06:11:00 C:\WINDOWS\system32\hkcmd.exe
----a-w 155,648 2002-03-27 01:28:56 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 155,648 2003-11-18 06:24:00 C:\WINDOWS\system32\igfxtray.exe
----a-w 196,608 2001-10-15 08:42:45 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7555906D-70F1-4FD6-8250-4FBE75252F58}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:15]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-11-18 00:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-11-18 00:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-19 19:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhghe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fypsbqpy]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\fypsbqpy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\odmtypcj]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\odmtypcj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\bak\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkdglqlq]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\tkdglqlq.dll

S3 Dptiiserwia;Dptiiserwia;C:\WINDOWS\system32\drivers\bthpan.sys [2004-08-03 22:58]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2005-12-22 12:24]
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2005-12-22 12:24]
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2005-12-22 12:24]
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 09:46:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-22 9:48:54 - machine was rebooted
.
2007-12-20 23:44:33 --- E O F ---
#3
Diamond Member
Join Date: Jul 2006
Location: Inside my network at work
Age: 23
Posts: 1,493
I have gotten rid of all of System Restore and also ran the scans in Safe Mode. I'm thinking ComboFix might have finally fixed the problem, but I'm not sure. I'm still hoping someone can look at this and show me if it's OK before I tell them it's OK...
#4
Moderator
Join Date: Dec 2005
Location: Melbourne, Australia
Age: 21
Posts: 5,280
ComboFix has mostly cleaned the Vundo infection that was causing the problems, a few deactivated leftovers still to remove, though:

Please download this file - Combofix to your desktop

Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.

Please also download the HijackThis installer from http://www.trendsecure.com/portal/en...HJTInstall.exe. Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis. Click "Do a system scan and save a logfile". When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post. Most of what it lists will be harmless or even essential; don't fix anything yet.

Please post both the ComboFix log and the HijackThis log.
__________________
CPU: Core 2 Duo E6600 / MOBO: Gigabyte 965P-DS3 / GPU: Gigabyte HD4870 RAM: 2GB G.Skill F2-6400CL4D-2GBPK / HDD: 2TB Total HDD / PSU: Antec NeoPower 480W Cheap PSUs - 2% of system costs, responsible for 28% of system deaths As Sealed Stick was removed, lost or damaged, it shall be out of warranty validity. - The "Warranty void if removed" sticker on numerous CoolerMaster PSUs.
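The "deactivated leftovers" the moderator is pointing at are visible in the first log's Reg Loading Points block: a Browser Helper Object CLSID with no DLL under it, a Winlogon Notify key named ljjhghe (its DLL was already deleted), and three msconfig-disabled startupreg entries that run regsvr32 /u on randomly named DLLs in All Users\Application Data. The script below is an added example for this thread, not part of ComboFix or of anyone's post: it parses that block of a ComboFix log and flags those patterns, plus any service line whose file bracket is empty (missing driver file). The sample log embedded in it is a constructed excerpt of the first log above; the "random name" heuristic and the section markers it keys on are this example's own assumptions, not ComboFix rules.

```python
"""Triage the 'Reg Loading Points' block of a ComboFix log for Vundo-style leftovers.

Added example for the thread, not ComboFix's own code. The rules encode assumptions
about what a leftover looks like (orphan BHO CLSID, any Winlogon Notify key, msconfig-
disabled 'regsvr32 /u' loaders, random 7-8 letter names, services with no file).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: an excerpt of the thread's first ComboFix log (first few keys only,
# plus the iscFlash service line that has an empty file bracket).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7555906D-70F1-4FD6-8250-4FBE75252F58}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjhghe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fypsbqpy]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\fypsbqpy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\bak\qttask.exe -atboottime

S3 Dptiiserwia;Dptiiserwia;C:\WINDOWS\system32\drivers\bthpan.sys [2004-08-03 22:58]
S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
.
**************************************************************************
"""

SECTION_START = "Reg Loading Points"      # header text ComboFix prints (assumption: stable)
SECTION_END = "****"                      # the catchme banner that follows the block
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}$")


@dataclass
class Finding:
    subject: str                               # registry key or service name
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic (assumption): Vundo droppers pick 7-8 lowercase letters. Requiring a run of
    four non-vowels keeps ordinary English names such as 'messenger' out."""
    return bool(RANDOM_NAME_RE.match(name)) and re.search(r"[^aeiou]{4}", name) is not None


def reg_section(log: str) -> List[str]:
    """Return the lines between the Reg Loading Points header and the catchme banner."""
    out: List[str] = []
    inside = False
    for line in log.splitlines():
        if SECTION_START in line:
            inside = True
            continue
        if inside and line.startswith(SECTION_END):
            break
        if inside:
            out.append(line.rstrip())
    return out


def group_keys(lines: List[str]) -> Dict[str, List[str]]:
    """Map each [registry key] to the non-blank lines ComboFix printed beneath it.
    A service line (R0..S4 name;display;path [stamp]) ends the current key's body."""
    keys: Dict[str, List[str]] = {}
    current = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, [])
        elif SERVICE_RE.match(line):
            current = None
        elif current is not None and line.strip() and not line.startswith("."):
            keys[current].append(line)
    return keys


def triage(log: str) -> List[Finding]:
    lines = reg_section(log)
    findings: List[Finding] = []
    for key, body in group_keys(lines).items():
        reasons: List[str] = []
        low = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "winlogon\\notify\\" in low:
            reasons.append("Winlogon Notify package; ComboFix hides the defaults, so a listed one is suspect")
        if "browser helper objects\\{" in low and not body:
            reasons.append("BHO CLSID registered with no DLL listed under it (orphan)")
        if looks_random(leaf):
            reasons.append(f"randomly named key '{leaf}'")
        for line in body:
            if line.lower().startswith("regsvr32 /u"):
                reasons.append("msconfig-disabled 'regsvr32 /u' loader: " + line.split(None, 2)[2])
            elif line.lower().endswith(".dll") and "\\application data\\" in line.lower():
                reasons.append("DLL loaded straight from Application Data: " + line)
            v = VALUE_RE.match(line)
            if v and looks_random(v.group("name")):
                reasons.append(f"Run value with random name '{v.group('name')}'")
        if reasons:
            findings.append(Finding(key, reasons))
    for line in lines:                          # services whose file bracket is empty
        s = SERVICE_RE.match(line)
        if s and not s.group("stamp").strip():
            findings.append(Finding(s.group("name"), ["service entry whose file is missing: " + s.group("path")]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.subject)
        for r in f.reasons:
            print("   -", r)
```

Run against the full first log it reports the BHO, the ljjhghe Notify key, the fypsbqpy/odmtypcj/tkdglqlq loaders and the iscFlash driver, and nothing for ctfmon, AVG, the Intel tray entries or QuickTime; the second log, taken after the CFScript run, no longer contains the first three. The name heuristic is deliberately narrow and should be read as a prompt to look, not a verdict; a key such as the Dptiiserwia service (random-looking name, but a real file with a date) is left alone because the script only scores what it can see in the log.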
#5
Diamond Member
Join Date: Jul 2006
Location: Inside my network at work
Age: 23
Posts: 1,493
UPDATED LOG AND HIJACKTHIS:
ComboFix 07-12-23.1 - Owner 2007-12-22 20:50:08.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.75 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\aryvobmf
C:\Program Files\Bqscjpok
C:\Program Files\Eypekskp
C:\Program Files\lshklgle
C:\Program Files\Pqdoufwx
C:\Program Files\Zcmvyoll
C:\WINDOWS\system32\juvprpba
C:\WINDOWS\system32\juvprpba\bg1.gif
C:\WINDOWS\system32\juvprpba\bgtop.gif
C:\WINDOWS\system32\juvprpba\bottom1.gif
C:\WINDOWS\system32\juvprpba\essentials.gif
C:\WINDOWS\system32\juvprpba\icon1.ico
C:\WINDOWS\system32\juvprpba\install1.gif
C:\WINDOWS\system32\juvprpba\left1.gif
C:\WINDOWS\system32\juvprpba\li.gif
C:\WINDOWS\system32\juvprpba\logo.gif
C:\WINDOWS\system32\juvprpba\main.htm
C:\WINDOWS\system32\juvprpba\mainframe.htm
C:\WINDOWS\system32\juvprpba\reinstall1.gif
C:\WINDOWS\system32\juvprpba\right1.gif
C:\WINDOWS\system32\juvprpba\s1.htm
C:\WINDOWS\system32\juvprpba\s2.htm
C:\WINDOWS\system32\juvprpba\s3.htm
C:\WINDOWS\system32\juvprpba\SMTop1.gif
C:\WINDOWS\system32\juvprpba\SMTop2.gif
C:\WINDOWS\system32\juvprpba\SMTop3.gif
C:\WINDOWS\system32\juvprpba\SMTop4.gif
C:\WINDOWS\system32\juvprpba\soft1_off.gif
C:\WINDOWS\system32\juvprpba\soft1_off_ext.gif
C:\WINDOWS\system32\juvprpba\soft1_on.gif
C:\WINDOWS\system32\juvprpba\soft1_on_ext.gif
C:\WINDOWS\system32\juvprpba\soft2_off.gif
C:\WINDOWS\system32\juvprpba\soft2_off_ext.gif
C:\WINDOWS\system32\juvprpba\soft2_on.gif
C:\WINDOWS\system32\juvprpba\soft2_on_ext.gif
C:\WINDOWS\system32\juvprpba\soft3_off.gif
C:\WINDOWS\system32\juvprpba\soft3_off_ext.gif
C:\WINDOWS\system32\juvprpba\soft3_on.gif
C:\WINDOWS\system32\juvprpba\soft3_on_ext.gif
C:\WINDOWS\system32\juvprpba\softbottom_off.gif
C:\WINDOWS\system32\juvprpba\softbottom_on.gif
C:\WINDOWS\system32\juvprpba\softleft_off.gif
C:\WINDOWS\system32\juvprpba\softleft_on.gif
C:\WINDOWS\system32\juvprpba\top1.gif
C:\WINDOWS\system32\juvprpba\top2.gif
C:\WINDOWS\system32\juvprpba\turnoff1.gif
C:\WINDOWS\system32\juvprpba\turnon1.gif
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\njprckha\bg1.gif
C:\WINDOWS\system32\njprckha\bgtop.gif
C:\WINDOWS\system32\njprckha\bottom1.gif
C:\WINDOWS\system32\njprckha\essentials.gif
C:\WINDOWS\system32\njprckha\icon1.ico
C:\WINDOWS\system32\njprckha\install1.gif
C:\WINDOWS\system32\njprckha\left1.gif
C:\WINDOWS\system32\njprckha\li.gif
C:\WINDOWS\system32\njprckha\logo.gif
C:\WINDOWS\system32\njprckha\main.htm
C:\WINDOWS\system32\njprckha\mainframe.htm
C:\WINDOWS\system32\njprckha\reinstall1.gif
C:\WINDOWS\system32\njprckha\right1.gif
C:\WINDOWS\system32\njprckha\s1.htm
C:\WINDOWS\system32\njprckha\s2.htm
C:\WINDOWS\system32\njprckha\s3.htm
C:\WINDOWS\system32\njprckha\SMTop1.gif
C:\WINDOWS\system32\njprckha\SMTop2.gif
C:\WINDOWS\system32\njprckha\SMTop3.gif
C:\WINDOWS\system32\njprckha\SMTop4.gif
C:\WINDOWS\system32\njprckha\soft1_off.gif
C:\WINDOWS\system32\njprckha\soft1_off_ext.gif
C:\WINDOWS\system32\njprckha\soft1_on.gif
C:\WINDOWS\system32\njprckha\soft1_on_ext.gif
C:\WINDOWS\system32\njprckha\soft2_off.gif
C:\WINDOWS\system32\njprckha\soft2_off_ext.gif
C:\WINDOWS\system32\njprckha\soft2_on.gif
C:\WINDOWS\system32\njprckha\soft2_on_ext.gif
C:\WINDOWS\system32\njprckha\soft3_off.gif
C:\WINDOWS\system32\njprckha\soft3_off_ext.gif
C:\WINDOWS\system32\njprckha\soft3_on.gif
C:\WINDOWS\system32\njprckha\soft3_on_ext.gif
C:\WINDOWS\system32\njprckha\softbottom_off.gif
C:\WINDOWS\system32\njprckha\softbottom_on.gif
C:\WINDOWS\system32\njprckha\softleft_off.gif
C:\WINDOWS\system32\njprckha\softleft_on.gif
C:\WINDOWS\system32\njprckha\top1.gif
C:\WINDOWS\system32\njprckha\top2.gif
C:\WINDOWS\system32\njprckha\turnoff1.gif
C:\WINDOWS\system32\njprckha\turnon1.gif
.
((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.
2007-12-20 23:09 . 2007-12-20 23:09 <DIR> d-------- C:\Program Files\MSBuild
2007-12-20 22:57 . 2007-12-21 17:39 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-20 22:51 . 2007-12-20 22:51 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-12-20 22:13 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2007-12-20 22:12 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2007-12-20 22:11 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2007-12-20 22:10 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2007-12-20 22:09 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2007-12-20 22:08 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2007-12-20 22:07 . 2001-08-17 12:50 320,384 --a--c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2007-12-20 22:06 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2007-12-20 22:05 . 2004-08-04 00:56 152,576 --a--c--- C:\WINDOWS\system32\dllcache\irftp.exe
2007-12-20 22:04 . 2004-08-04 00:56 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2007-12-20 22:03 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2007-12-20 22:02 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2007-12-20 22:01 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2007-12-20 22:00 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2007-12-20 21:59 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2007-12-20 21:58 . 2001-08-17 14:56 342,336 --a--c--- C:\WINDOWS\system32\dllcache\banshee.dll
2007-12-20 21:57 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2007-12-20 21:56 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
2007-12-20 21:56 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
2007-12-20 21:56 . 2004-08-03 22:31 36,224 --a--c--- C:\WINDOWS\system32\dllcache\an983.sys
2007-12-20 21:56 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
2007-12-20 21:56 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
2007-12-20 21:56 . 2001-08-17 22:37 24,576 --a--c--- C:\WINDOWS\system32\dllcache\agcgauge.ax
2007-12-20 21:56 . 2001-08-17 12:11 16,969 --a--c--- C:\WINDOWS\system32\dllcache\amb8002.sys
2007-12-20 21:56 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
2007-12-20 21:56 . 2001-08-17 13:52 12,032 --a--c--- C:\WINDOWS\system32\dllcache\amsint.sys
2007-12-20 21:56 . 2001-08-17 13:47 6,272 --a--c--- C:\WINDOWS\system32\dllcache\apmbatt.sys
2007-12-20 21:56 . 2001-08-17 13:51 5,248 --a--c--- C:\WINDOWS\system32\dllcache\aliide.sys
2007-12-20 21:53 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-12-20 21:46 . 2007-12-20 21:46 <DIR> d-------- C:\VundoFix Backups
2007-12-20 12:25 . 2003-11-18 00:09 155,648 --a------ C:\WINDOWS\system32\igfxres.dll
2007-12-20 12:15 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-20 12:15 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-20 12:13 . 2007-12-20 12:13 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TeamViewer
2007-12-20 03:31 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2007-12-20 03:18 . 2007-12-20 03:18 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-12-20 03:10 . 2007-12-20 03:10 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-20 03:10 . 2007-12-20 03:10 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-20 02:57 . 2007-12-20 02:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-20 02:09 . 2007-12-20 12:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-20 02:09 . 2007-12-20 02:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-19 22:19 . 2007-12-19 23:03 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-12-19 22:13 . 2006-11-13 00:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2007-12-19 22:13 . 2006-11-13 00:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2007-12-19 22:13 . 2006-11-13 00:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2007-12-19 19:49 . 2007-12-19 19:49 <DIR> d-------- C:\Program Files\CCleaner
2007-12-19 19:23 . 2007-12-22 11:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-12-19 19:23 . 2007-12-19 19:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-19 19:22 . 2007-12-19 19:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-19 19:22 . 2007-12-19 19:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-12-19 18:54 . 2007-12-20 12:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-19 18:43 . 2007-12-19 18:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\TeamViewer
2007-12-19 18:42 . 2007-12-19 18:43 <DIR> d-------- C:\Program Files\TeamViewer3
2007-12-19 18:41 . 2007-12-19 18:41 <DIR> d-------- C:\Documents and Settings\Owner\temp
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\VirDefs
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\Support
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\SevInst
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\LiveUpdt
2007-12-14 22:25 . 2007-12-14 22:25 <DIR> d-------- C:\Data
2007-12-14 22:25 . 2007-12-19 18:20 1,246,773 --a------ C:\Data1.cab
2007-12-14 22:25 . 2007-12-19 18:20 1,663 --a------ C:\Setup.wis
2007-12-13 14:48 . 2007-12-13 14:48 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\TransRender
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Temporary
2007-12-13 02:54 . 2007-12-13 02:54 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Samsung
2007-12-13 02:53 . 2007-12-13 02:53 <DIR> d-------- C:\Program Files\Samsung
2007-12-10 00:57 . 2007-12-10 00:58 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Move Networks
2007-12-03 00:21 . 2007-12-03 00:21 <DIR> d-------- C:\Program Files\Drug Lord 2
2007-11-26 06:19 . 2007-11-26 06:19 <DIR> d-------- C:\Documents and Settings\Laura\Application Data\Viewpoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 20:14 --------- d-----w C:\Program Files\Gateway
2007-12-22 20:14 --------- d-----w C:\Program Files\Common Files\Adaptec Shared
2007-12-22 20:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-21 23:31 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-20 23:46 --------- d-----w C:\Program Files\Morpheus
2007-12-20 18:13 --------- d-----w C:\Program Files\Google
2007-12-20 00:54 --------- d-----w C:\Program Files\Windows Defender
2007-12-20 00:53 --------- d-----w C:\Program Files\Symantec
2007-12-20 00:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-15 04:18 --------- d-----w C:\Program Files\Finale NotePad 2007
2007-12-13 08:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 04:14 --------- d-----w C:\Program Files\Trillian
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-24 07:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 07:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 07:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 07:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-23 00:52 --------- d-----w C:\Program Files\QuickTime
2007-10-11 15:55 88,576 ----a-w C:\WINDOWS\system32\infocardapi.dll
2007-10-11 15:55 579,584 ----a-w C:\WINDOWS\system32\icardagt.exe
2007-10-11 15:55 11,776 ----a-w C:\WINDOWS\system32\icardres.dll
2007-10-09 19:03 779,800 ----a-w C:\WINDOWS\system32\PresentationNative_v0300.dll
2007-10-09 19:03 73,752 ----a-w C:\WINDOWS\system32\dxva2.dll
2007-10-09 19:03 493,080 ----a-w C:\WINDOWS\system32\evr.dll
2007-10-09 19:03 350,744 ----a-w C:\WINDOWS\system32\PresentationHost.exe
2007-10-09 19:03 33,304 ----a-w C:\WINDOWS\system32\PresentationHostProxy.dll
2007-10-09 19:03 161,304 ----a-w C:\WINDOWS\system32\UIAutomationCore.dll
2007-10-09 19:03 106,520 ----a-w C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2007-10-09 19:03 1,986,072 ----a-w C:\WINDOWS\system32\milcore.dll
2007-10-09 18:58 16,896 ----a-w C:\WINDOWS\system32\tswpfwrp.exe
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( snapshot@2007-12-22_ 9.46.47.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-22 01:27:09 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-22 17:17:33 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-22 01:27:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-22 17:17:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-22 01:27:09 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-22 17:17:33 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 08:15]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-11-18 00:24]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-11-18 00:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-19 19:22]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=C:\WINDOWS\pss\Symantec Fax Starter Edition Port.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GWMDMMSG]
GWMDMMSG.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb0 4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\bak\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNo tifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service [] S3 Dptiiserwia;Dptiiserwia;C:\WINDOWS\system32\driver s\bthpan.sys [2004-08-03 22:58] S3 iscFlash;iscFlash;C:\WINDOWS\SYSTEM32\DRIVERS\iscf lash.sys [] S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys [2005-12-22 12:24] S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys [2005-12-22 12:24] S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys [2005-12-22 12:24] . ************************************************** ************************ catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-22 20:53:33 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************** ************************ . Completion time: 2007-12-22 20:54:24 C:\ComboFix2.txt ... 2007-12-22 10:00 C:\ComboFix3.txt ... 2007-12-22 09:48 . 
2007-12-20 23:44:33 --- E O F --- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:57:08 PM, on 12/22/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\TeamViewer3\TeamViewer_Host.exe C:\Program Files\TeamViewer3\TeamViewer.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/ O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: 
[AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1139342246468 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1198122147968 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. 
- C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe -- End of file - 4187 bytes |
#6 (permalink)
Moderator
Join Date: Dec 2005
Location: Melbourne, Australia
Age: 21
Posts: 5,280
Excellent, the logfiles appear to be clean.
Below I have included some ideas on how to prevent future infections, which you might want to pass on to your friend:

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer. Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program. Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows. A tutorial on understanding and using firewalls may be found here.

I notice you are running Spybot, which is good. You might want to consider installing and running some of the following programs; they are either free or have free versions of commercial programs, and will work alongside Spybot to protect your system:

SpywareBlaster: A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard: A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad, which provides protection against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection, and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type, since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad, can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it, and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and are looking for anti-spyware programs, you can find out if one is a rogue here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option. If you are interested, Firefox may be downloaded from here. Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help.